The best-selling book by Japanese cleaning consultant Marie Kondo counsels against keeping things that don’t “spark joy.” For an organization, cleaning house to get rid of unnecessary personal data clutter has never been more important.
Personal data is susceptible to unauthorized access and use, so keeping it beyond its useful life presents risk to the organization (and the data subject) without corresponding joy to either. What is more, organizations are increasingly obliged to provide consumers and even employees with detailed reports about their data, which can be expensive and time consuming (if not awkward), increasing the costs of keeping it and decreasing its joy potential.
At the IAPP, we took inspiration from the European Union’s General Data Protection Regulation to do some data housekeeping. This post describes the legal, regulatory, and practical motivations for undertaking data deletion exercises, and shares one way to get started.
Implied and express legal motivations for data housekeeping
The GDPR addresses data retention and deletion very simply, and we first blogged about these responsibilities in the fifth installment of the Top Ten Operational Responses to the GDPR. In short, Article 5 requires that personal data “be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
The GDPR is of course not the only law that is intended to inspire, if not require, data minimization and regular deletion. Principle Five of Canada’s Personal Information Protection and Electronic Documents Act also requires that information be kept only so long as necessary for the original processing purposes. Colorado law similarly requires that paper or electronic documents containing personal information be destroyed when they are “no longer needed.” The Federal Trade Commission’s jurisprudence on reasonable data security also condemns organizations who suffer breaches of data that should have been deleted or destroyed.
Complicating data retention habits are requirements such as data subject access and erasure rights under the GDPR’s Article 15, which compel controllers to disclose to data subjects all the personal data processed “concerning” him or her. The few limitations on this right include interpreting narrowly “personal data concerning” the data subject and avoiding harm to the rights and freedoms of others. Under the new California Consumer Privacy Act, consumers have data access (and deletion) rights similar to GDPR’s, with few limitations on what must be disclosed to the consumer upon request.
Indeed, regardless of data minimization principles, it seems compliance with data subject access and erasure requests may finally be the motivating factor that compels organizations to undertake data housekeeping. According to the IAPP-EY Privacy Governance Report 2018, 75 percent of respondents have undertaken data deletion exercises in response to the GDPR, and another 21 percent plan to soon.
Getting started with data housekeeping
Like all organizations, the IAPP has a data retention policy that sets forth how long certain records are required to be kept under relevant accounting, tax, employment or related laws. By implication, records on this list should not be kept beyond those outside limits, but little is often said about all the myriad documents created that don’t fall into those regulated areas.
For example, what should be the retention policy for a paper copy or a PDF of a 2008 newsletter that served as the early predecessor to the Daily Dashboard? Do we need to keep just one version of it (the final, not the drafts)? Do we even need that one?
Another common issue is the habit of storing documents on the laptop instead of on the shared server. (Since this is a confessional, I will confess that I do it occasionally, too, especially when I need to work on a document offline while traveling. Lucky for me and the IAPP, I do not tend to process personal data in my work.)
Here is how the IAPP started a new deletion tradition:
Step one: Convene the Privacy Working Group. Should we place this responsibility on business unit managers (we call them "directors") and have them report back on compliance by a certain date? Or, should we have a single day-long exercise? For the IAPP, we decided a single day would be easiest and most effective. Plus, it gives us a chance to celebrate, and we never turn down a party!
Step two: Work closely with our IT team to ensure an effective strategy. We decided the goal involved convincing everyone to move documents from their desktops to the shared server, and then to clean up documents on the server. A little bit of budget went to employing our vendor’s scanning tool to search for personal information and personal data in stored files, which our security officer then flagged to the respective document owners. This helped us target our deletion efforts to the most critical items, while we also encouraged overall housekeeping at the same time.
Step three: Communicate the plan to the staff. This involved a draft email memo circulated to the highest level of management for approval, and ultimately to the staff. We also engaged the marketing team to put together fun signs for walls and stalls to remind staff of the importance, in a classic IAPP way.
Dear IAPP Team:
As part of our commitment to good privacy and security practices, we’re having a Data Deletion Day event next [date]. The goal of this event is for all IAPP employees to take the time to clean up electronic and paper records – especially those that contain personal information – that we just don’t need to keep around any longer. We also want to encourage and remind everyone to keep electronic records on the Shared drive rather than on desktops. Please keep this email for reference but note there are some actions you need to take before the big day.
What: All IAPP employees will review documents/records/files (electronic and paper copies) under their control; destroy or delete those that are no longer necessary or relevant to ongoing business processes; and move sensitive information into a folder designated for their department on the Shared drive.
When: By end of day [date]: all documents saved on Desktops or external drives should be saved to either a private or public Shared folder so that the Protect Program has time to scan and report back on these documents prior to Data Deletion Day.
Protect Program Reports: Between [these dates], our security personnel will run reports looking for personal information in each Shared folder (public and private) and provide reports to Directors and employees on which files are flagged. These files should have priority for review and deletion (see below).
Delete/destroy files that:
- Contain credit card information, social security numbers, or other highly sensitive information (unless subject to attached record-keeping requirements).
- Contain names or other contact information, especially if over three years old, a duplicate, or otherwise no longer necessary for an ongoing business purpose.
- Are drafts or duplicates.
- The IAPP has no business purpose to keep the information and it has no historical or archival value. When in doubt ask your Director.
Electronic Files:
“Delete” means (a) moving a file to a “recycle bin” or hitting the “delete” key, and then (b) emptying the bin/trash.
File types: Word, Excel, PDF, Access, images (jpg), video
Locations: IAPP desktop computers (My Documents, Desktops, Pictures, Downloads), Shared “Private” folders, file-share services like Google Drive or Dropbox, flash drives, and the “Home” drive if relevant.
Egnyte Shared folders: Directors are responsible for confirming clean-up of files in relevant Shared folders.
Paper records (printed documents, invoices, rosters, bills) should be recycled or, if they contain personal information, shredded.
What about emails? We need to clean them up, too, but we’ll do that later this year.
Relax. The IAPP will maintain a backup for 180 days after August 30 in case a document needs to be recovered. After that time, it will be permanently deleted.
Questions? Ask the DPO at dpo@iapp.org.
Conclusion
I can report relative success. Although the number of gigabytes of data stored in our shared drive didn’t decline by much, we attribute this to compliance with our requirements to move files onto the shared drive from desktops. A repeated scan of files containing personal data showed far fewer hits and personal conversations with those who maintain the most sensitive files (the few that we have (in accounting, primarily)) revealed we covered a lot of ground in ridding ourselves of items that — if improperly disclosed — would spark the opposite of joy in us and others.