A reduction in the amount of stored data equates to a reduction in data and business risk; therefore the less data is held the less there is to compromise – simple
With data storage capacity relatively inexpensive, it’s tempting to hold onto data “just in case”. But getting rid of inactive data that you don’t need (or legally shouldn’t be retaining anyway) can make the difference between a breach being an inconvenience and a total disaster.
If you’re one of the millions of businesses around the world that retain too much, it is something you need to resolve. Assess the data you have and the business justification for retaining it (this may be to meet other legal, regulatory or contractual obligations). Document and define the retention and archive rules for that data then build processes to remove data that exceeds these requirements. However, where third parties are involved, this can become a much harder task.
INSIST UPON A WRITTEN “SELL BY DATE” – AND ENFORCE IT
If you’re passing data on to a third party, you have no idea how long they’ll keep it. If you haven’t explicitly stipulated how long they can retain your data as part of your contact or service level agreement with them, you could be held liable for its loss.
Building retention clauses into your contracts with third parties is an essential part of protecting yourself against the legal implications. Not just from being in breach of the Regulation, but from actions that can now be brought by data subjects themselves.
If you haven’t already built those kinds of clauses into your third party contracts, now is the time to start doing so – and to revise your existing agreements.
It’s important to ask the following questions:
+ Are instructions in place that clearly define what the processor can and cannot do with the data?
+ How do third party suppliers maintain the data’s accuracy?
+ Is data removed from systems and processes at the end of its legal retention period?
+ Does the contract include an exit strategy that facilitates you being able to reclaim the data if you terminate the business relationship?
+ As the controller, how do you verify what data processors are meeting their responsibilities?
If the answers you find aren’t satisfactory, it’s up to you to make the third party clean up their act as part of your contract with them – You are accountable for any loss.