The EU General Data Protection Regulation (GDPR) introduces the biggest shakeup in data protection requirements in over 20 years. This isn’t like other regulatory changes seen in modern times. The GDPR is an entirely new baseline in data protection. It seeks to improve the way in which personal data is managed and protected – wherever it is.
One of the most important, complex and time-consuming parts of your GDPR preparations is confirming how (and, more importantly, where) personal data is used, processed and protected, both within your organisation and beyond the boundaries of your business jurisdiction.
To do this you must:
- Map your data assets and flows
- Update and periodically review supplier contracts
- Prepare processes in advance
- Cut down on unnecessary storage/retention
Preparations for the changes are a marathon, not a sprint. Understanding the individual areas and acting on them now will benefit you in the long term: prepare now and minimise the level of operational disruption later.
In this article we focus on cutting down unnecessary storage and retention of data assets. By cutting the volume of personal data you hold, you reduce the risk to your organisation: data you no longer hold cannot be breached. With storage relatively inexpensive, it’s tempting to hold onto data “just in case”, but getting rid of inactive data that you don’t need (or legally shouldn’t be retaining anyway) can make the difference between a breach being an inconvenience and a total disaster.
When Sony Pictures suffered a serious data breach in 2014, commentators called it “the hack of the century”. With an estimated 11.8 million sensitive and personal data entries compromised, it remains one of the highest-profile hacks of all time. Had the company been more rigorous about deleting inactive data, that number could possibly have been as low as 7 million records: still a serious leak by anyone’s standard, but a 40% reduction that would have been far less damaging.
If you’re one of the millions of businesses around the world that retain too much, it is something you need to resolve. Assess the data you hold and the business justification for retaining it (this may be to meet other legal, regulatory or contractual obligations). Document and define the retention and archive rules for that data, then build processes that remove data which exceeds those limits. In short, insist upon a “sell by date”, and enforce it.
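To make the “sell by date” concrete, here is an added example (not from the original article or any product it describes) of the kind of retention sweep such a process runs. It assumes a data inventory in which every record is tagged with a data category and a creation date, a hypothetical rule table mapping each category to a retention period, and a per-record legal-hold flag that overrides deletion; the category names, periods and sample records are constructed for illustration only. Anything with no documented rule is routed to the data owner for review rather than silently kept or deleted.

```python
"""Retention sweep: apply documented retention rules to a data inventory.

Added example, not code from the original article. The categories, retention
periods, legal-hold flag and sample records are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention period per data category (hypothetical values). In a real policy
# each entry is backed by a documented business, legal or contractual basis.
RETENTION_DAYS = {
    "marketing_lead": 365,        # assumption: consent-based, one year inactive
    "customer_invoice": 6 * 365,  # assumption: accounting/tax obligation
    "support_ticket": 2 * 365,    # assumption: contractual support window
    "job_applicant": 180,         # assumption: unsuccessful applications
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # e.g. a litigation hold overrides the sell-by date


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str  # "keep", "delete" or "review"
    reason: str


def sell_by_date(record: Record) -> Optional[date]:
    """Return the date after which the record must go, or None if no rule exists."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.created + timedelta(days=days)


def decide(record: Record, today: date) -> Decision:
    """Apply the retention rules to one record as of `today`."""
    if record.legal_hold:
        return Decision(record.record_id, "keep", "legal hold in place")
    expiry = sell_by_date(record)
    if expiry is None:
        # No documented rule: neither keep nor delete by default, escalate instead.
        return Decision(record.record_id, "review",
                        f"no retention rule for category {record.category!r}")
    if today >= expiry:
        return Decision(record.record_id, "delete",
                        f"past sell-by date {expiry.isoformat()}")
    return Decision(record.record_id, "keep", f"sell-by date {expiry.isoformat()}")


def sweep(records: List[Record], today: date) -> List[Decision]:
    return [decide(r, today) for r in records]


def summarize(decisions: List[Decision]) -> dict:
    counts = {"keep": 0, "delete": 0, "review": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


# Constructed sample inventory for the demonstration.
SAMPLE_RECORDS = [
    Record("r1", "marketing_lead", date(2017, 1, 10)),
    Record("r2", "marketing_lead", date(2018, 5, 1)),
    Record("r3", "customer_invoice", date(2011, 3, 15)),
    Record("r4", "customer_invoice", date(2015, 3, 15)),
    Record("r5", "support_ticket", date(2015, 6, 1), legal_hold=True),
    Record("r6", "clickstream", date(2012, 1, 1)),  # no rule defined for this category
]
SWEEP_DATE = date(2018, 5, 25)  # the date the GDPR became applicable

if __name__ == "__main__":
    decisions = sweep(SAMPLE_RECORDS, SWEEP_DATE)
    for d in decisions:
        print(f"{d.record_id}: {d.action:6} ({d.reason})")
    print(summarize(decisions))
```

In practice the "delete" decisions feed an actual deletion or archive job, the "review" decisions go to the data owner so a rule gets written, and the decision log itself is kept as evidence that the retention policy is being enforced.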