The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:
- when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
- when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws. This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted.; and/or
- as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.
Because data deletion is an obligation imposed by law or contract, it is something that all companies must do. The GDPR, HIPAA, and other laws and industry standards require or encourage that data not be retained indefinitely. While data protection laws like the GDPR, the UK’s Data Protection Act, and California’s Consumer Privacy Act (“CCPA”) have been in force for years, organizations around the globe still struggle to comply with deletion requirements. Balancing future business and consumer needs with the benefits of deleting data can be challenging for any business. The best way to ease the data deletion process is to limit the data collected.
Deleting personal data and data minimization go hand and hand. The less data a company has in its possession, the less onerous the task of deleting personal data becomes. Companies should focus on collecting and retaining only the personal information necessary to perform their business obligations.
Best Practices for Deleting Personal Data and Data Minimization
Ultimately, data minimization and deletion are risk strategies. While we often tell our clients, “the best security is not having the data in the first place,” companies should consider the following best practices when determining what data it collects and retains.
- Put Your Data on a Diet. Less is more, indeed. Companies should assess the type of personal information it is collecting and see how they can reduce this data set, especially when it comes to sensitive personal information.
- Identify the Purpose of Data Collection. Ask, “what is the purpose of this data?” Every business should have a purpose for the data collected. Companies should avoid collecting data solely for the sake of collecting data. Some examples of unnecessary data collection practices are keeping data solely because:
- “Maybe someday we’ll use it for [insert purpose here];”
- “The data was on our old form, so we just kept it;”
- “The company has always done it this way” (However, there is a requirement for it to be done so (e.g., collection of SSNs);” and
- “Everyone else seems to have the data, so why can’t we?”
Of course, none of these are good ideas and are hardly real policies. Yet, this is what is often in practice and the reasoning behind it.
All unneeded data should be discarded.
- Identify Where Personal Data is Located. Know where personal data is located (including third parties) and ensure you have a plan to delete it when the appropriate time comes.
- Implement a Data Retention Policy. Formalize a written policy and applicable procedures for deleting data. These should communicate to employees:
- How personal data should be stored and where;
- The types of data to be deleted;
- The maximum timeframe certain types of data should be retained; and
- How to respond to data subject deletion requests without undue delay
- Delete Data When No Longer Needed. There is no need to hold on to personal data “just in case.” Unless otherwise required by applicable law or contract, do not retain personal data for longer than necessary. Once your business needs are met, the data should be deleted (or de-identified) as soon as possible. Lastly, do not forget to delete backed-up data that is no longer needed!
- Conduct an Annual Data Purge. In accordance with your policies and procedures, commit to deleting personal data at least once every 12 months or more often.
- Remember: Not All Data is Digital. Data can be stored in various forms. Make sure to remember physical or hard copy data and where it is stored. You do not want 10-year-old files with personal data lying around if they serve no purpose.