Blog by Divebell

Hand about to push big red button

Delete It!

Apr 3, 2023
Vikram Shrowty

In an age of incredibly cheap storage, there is little incentive for an individual to delete anything. “Just in case I need it....” drives away any thought of pushing that delete button.

Net result: Most organizations are now sitting on a massive pile of data and documents.

But data privacy regulations are changing this. Most privacy regulations require you to have a legitimate and declared business purpose for holding customer data. This means that if you have customer (or employee!) data lying around without a justifiable reason, you need to get rid of it to comply with privacy laws. 

Some companies attempt to solve this problem by emailing their employees periodically and asking them to remove old documents/data. As with several issues in the data privacy domain, automation is the key to solving this. Let us take a look at what this automation looks like. 

The Age of a Document Is Not a Reliable Guide  

At first glance, it might appear that all you need is a tool that finds old, untouched files for you. Many products, therefore, just use the document's age to solve the issue of what to delete and retain. However, as the examples below illustrate, this approach can ultimately backfire. 

Scenario 1: Current vs. ex-customer
Consider two customer contract documents from ten years ago. One is no longer your customer, and the other is a customer. You have a lawful basis for retaining the latter. A tool that looks at the file's age may delete both. Wrong move!
Scenario 2: The business purpose criteria
Some customer contracts are involved in litigation. These can’t be touched, regardless of the file’s age or when the customer stopped being one. A tool that doesn’t track a document’s business purpose and takes it into account while automating retention can do more harm than good.
Scenario 3: No file age exists
Let’s look at the customer data in your databases, warehouses, and data lakes. This data is not just customer contracts or documents but other data such as records of transactions. Within the tens of thousands of tables that hold this data are records belonging to customers who ceased to be your customers a while back. Their data ought to be eliminated if you are to be compliant. But with this kind of customer data, there is no ‘file age’ at all. The table’s age is useless: the table contains customers who signed up yesterday and those who were your customers a while back. Your retention tool needs to understand record age, i.e., exactly which records rows in which table need to be deleted.

The Necessity of a Workflow

Somehow, you figured out all this and now have a clear list of files/records that are candidates for deletion. Hit the delete button? Not so fast. Deleting data in such a top-down way is a bad idea. Instead, your tool needs a workflow for this. You need to ensure that: 

  • Each data owner reviews the deletion list.
  • Capture their ‘OK’ on the proposed action on the data. If a data owner makes a case for retaining the files instead of deleting them, the justification for that decision must be captured.

Remember to Quarantine the Data

Now, you are finally ready to get rid of this old data. Well, almost. It is a best practice to move the files to a special quarantine holding area for a safety period. This way, you can ‘undo’ things. 

As the examples in this blog show, retaining and deleting customer data in an automated and compliant manner must be done using the right solution and a thoughtful approach. The product or solution you choose can make the difference between whether you are on the right side of the law or the radar of the privacy regulation authorities.

Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.

Contact Us