Part two – Erasing your data
9th January 2018
Welcome back, we hope you had a lovely Christmas break and are back, refreshed and ready to tackle preparations for the General Data Protection Regulation (not long now… don’t forget… 25th of May!)
In part one of this two-part series, we looked at data mapping and the benefits of overhauling your data right now to ensure you are prepared and ready for the GDPR… read more here.
In this second part, we are going to look at how the guidelines for deleting data are changing, and at the best practices for deleting data post-GDPR.
The main purpose of the GDPR is to bring data protection up to date and in line with 21st century communication technology. Nowhere is this highlighted more succinctly than in data deletion. When the Data Protection Act was written in 1998, ‘deleting’ data would have been a simple act of shredding your paperwork.
The fifth data protection principle states that ‘personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’ … in other words if it’s no longer useful, needed and processed – delete it.
However, in our digital world, deleting data is no longer quite that simple. Information held digitally can still exist after it has been deleted, in one form or another, within the organisation’s systems, backup files, recycle bin or cloud storage, to name but a few.
According to the ICO, following the GDPR there are 3 ways to ‘delete’ data and each has its own guideline for compliance.
To delete data you can:
- Deactivate it
- Archive it
- Delete it irretrievably
Deleting and archiving data
‘Live’ data is data that is actively in use; for example, it exists in a program you run regularly to process data, such as your CRM system or Mailchimp. You are responsible for ensuring that any live data is fully compliant with the data protection laws. This includes the fifth data protection principle, which stipulates that you must delete any data that is not in active use.
To delete data irretrievably you must delete it from all possible sources, i.e. remove it from any cloud storage and backup systems, shred any hard paper copies, etc., to ensure that no traces of the data exist in any form.
Archived data is data that has been intentionally deleted and is no longer ‘live’, but still exists in the ‘electronic ether’. For example, it could be waiting to be overwritten with other data or be held on a backup file, and is still fully accountable to the rules of data protection.
However, if you do not intend to use this data again, then it could be classed as deactivated data…
The ICO would consider data deactivated and ‘beyond use’, even if it isn’t actually deleted irretrievably, if it meets these requirements:
- You do not, and will not, attempt to process the data to inform any decision that affects the individual in any way.
- You do not, and will not, give access to the data to any other organisation for any purpose.
- The data is encrypted, or at the very least protected with appropriate security.
- You are committed to deleting the data irretrievably, as and when this becomes possible.
If you hold data that is considered deactivated, the ICO confirm that you are not obliged to grant individuals subject access, nor will they take any action over compliance with the fifth data protection principle.
Top Tip: If somebody ‘opts out’ from further marketing communications then don’t be too hasty to delete their data. It may be necessary for you to hold on to an individual’s data to comply with their request and the law. The ICO state that you may still hold on to personally identifiable data of individuals who no longer wish to be contacted in a suppression file, to cross reference and ensure any future communications do not get sent to them.
Griffin House Consultancy can provide you with the tools and skills you need to ensure you are ready to meet the GDPR head on and with confidence. Whether you need an audit or simply want to learn more about data protection, then we are here to help. Get in touch with one of the team today 01673 88 55 33 or email us [email protected]. We’re here to help.