Why it is time to ditch that hoarding habit when it comes to data.
Letting go is hard. Who knows whether that washer, or piece of string, or unidentifiable piece of moulded plastic will come in handy one day? Perhaps you will be able to fit into those jeans. Maybe legwarmers will come back into fashion. Most people fail the Marie Kondo test*.
Sadly, many businesses do too. Except that instead of drawers and cupboards filled with items that should have been recycled long ago, they have filing cabinets, SharePoint folders and databases bursting with personal data that they no longer need.
Unfortunately, this is where the analogy breaks down. If, heaven forbid, you were burgled and somebody stole the contents of your junk drawer or the wardrobe in the spare room, you’d probably think it a blessing. But when hackers compromise your network and make off with personal data, real people suffer real harm.
Retention management – the art and science of getting rid of data – is often the neglected Cinderella of data protection, but it’s by far the easiest way to reduce your exposure. Information you don’t have can’t be stolen or misused, and the less data you store the easier it is to organise and protect.
Where to start
If you have a data hoarding habit, it can be very difficult to know where to start. Oddly, the easiest thing is often to start with new data: as you collect it, assign it a lifetime and implement a process for getting rid of it. This helps you learn what you do and don’t need to keep and get used to the idea of deletion. Once you have the routines in place, you can start applying the same thinking to historic files.
However, sometimes you just have an overwhelming volume of old data – too much to go through in detail. This is where you need to be bold. Don’t rely on urban myths about how long you need to retain information – do some proper research into what you are legally required to keep, and for how long. Find those files, put them aside, and then brace yourself and get deleting in bulk.
Remember, too, that retention management isn't an all-or-nothing decision. You can delete parts of a file – this is easier with digital than paper, of course. For instance, when an employee leaves you have to retain their payroll information for three years from the end of the tax year it relates to (in the UK). But you can remove the employee's bank details as soon as you've paid them for the last time, and delete their performance records once the window for an unfair dismissal claim has passed. Each group of data gets its own clock, and the record shrinks as each one runs out. Be smart and you'll find retention management is less daunting.
Finally, if you can't delete: redact! Sometimes you have to keep even sensitive data for long periods – consider for example passport copies used to evidence the right to work. Documents like this present a real risk to data subjects if they are breached – identity theft above all.
The Securys solution
So, what to do if you must retain them? Use Acrobat or a similar tool to put a watermark across the document that identifies your organisation, the purpose it was collected for and the date (for example, "Copy held by [organisation] for right-to-work check only"). A marked copy is far less useful to anyone wanting to pass it off as the original, but be clear about what a watermark is: a deterrent and a provenance mark, not a security control. The personal data is still on the page, so the file still needs encryption and access control. Where you can genuinely remove content, use a proper redaction tool that strips the underlying text and image data rather than drawing a box over it, and save a flattened copy (for example via "fill and sign"). Don't rely on a PDF "no editing" password to protect a watermark or redaction: that restriction is advisory and easily removed, so the mark must be burned into the page content itself.
Along the same lines, where you have systems that don't allow deletion – many HR and payroll systems, for instance, make it very difficult to delete individual records – don't forget the all-important "x" key on your keyboard. Overwrite sensitive data you no longer need – NI numbers, personal phone numbers, identity document details – if you can't delete them. Use an obvious marker such as a row of x's rather than plausible-looking dummy values, so nobody mistakes the field for real data, and check that the old value does not survive in the system's change history, audit log, reports, exports or backups: if it does, it hasn't gone.
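As an added illustration of the staged approach above (the separate clocks for bank details, performance records and payroll data described under "Where to start", and the overwrite fallback for systems that will not delete), here is a small Python retention schedule for a leaver's record. It is example code written for this page, not a Securys tool. The record fields, the day-after-last-payment rule for bank details, the choice to tie the personal phone number to the claim window and the three-calendar-month claim window are assumptions for the demonstration; the three years from the end of the tax year is the payroll period the article cites. None of it is legal advice.

```python
"""Field-level retention for a leaver's HR/payroll record (added example, not a Securys tool)."""
import calendar
from datetime import date, timedelta

# Assumptions for the demonstration, not legal advice: check the current periods yourself.
PAYROLL_RETENTION_YEARS = 3    # from the end of the tax year, as the article states (UK)
CLAIM_WINDOW_MONTHS = 3        # unfair-dismissal window modelled as 3 calendar months from the
                               # leave date; conciliation can extend it, so take advice
OVERWRITE_MARKER = "xxxxxxxx"  # the "x key": used where the system will not delete a record

def as_date(value):
    """Accept a date or an ISO string such as '2024-06-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def add_months(d, months):
    """Calendar-month arithmetic; 31 Jan + 1 month clamps to the end of February."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def uk_tax_year_end(d):
    """The 5 April that closes the UK tax year containing d."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)

def _trigger(record, key):
    """Date that starts a clock, or None if the event has not happened (or was overwritten)."""
    value = record.get(key)
    return value if isinstance(value, date) else None

def bank_deletable_from(r):
    paid = _trigger(r, "final_payment_date")
    return paid + timedelta(days=1) if paid else None   # the day after the last payment

def claim_window_deletable_from(r):
    left = _trigger(r, "leave_date")
    return add_months(left, CLAIM_WINDOW_MONTHS) if left else None

def payroll_deletable_from(r):
    paid = _trigger(r, "final_payment_date")
    if paid is None:
        return None
    year_end = uk_tax_year_end(paid)
    return year_end.replace(year=year_end.year + PAYROLL_RETENTION_YEARS) + timedelta(days=1)

# (fields governed, reason logged, function giving the first date those fields may go)
RULES = [
    (("bank_sort_code", "bank_account"), "final salary paid", bank_deletable_from),
    (("performance_reviews", "personal_phone"),
     "claim window closed (assumed %d months)" % CLAIM_WINDOW_MONTHS, claim_window_deletable_from),
    (("employee_id", "name", "ni_number", "pay_history", "leave_date", "final_payment_date"),
     "statutory payroll retention expired", payroll_deletable_from),
]

def retention_schedule(record):
    """Assign each field its lifetime up front: field -> (first date it may go, reason)."""
    schedule = {}
    for fields, reason, deletable_from in RULES:
        start = deletable_from(record)
        if start is not None:
            schedule.update({f: (start, reason) for f in fields if f in record})
    return schedule

def purge(record, today, can_delete=True):
    """Return (record, log). Expired fields are deleted, or overwritten with a fixed marker
    where the system of record refuses deletion. Never overwrite with realistic-looking values."""
    today = as_date(today)
    result, log = dict(record), []
    for name, (start, reason) in retention_schedule(record).items():
        if today >= start:
            if can_delete:
                del result[name]
            else:
                result[name] = OVERWRITE_MARKER
            log.append((name, reason))
    return result, log

def whole_record_deletable(record, today):
    """The longest clock (payroll) is the backstop for deleting the record entirely."""
    start = payroll_deletable_from(record)
    return start is not None and as_date(today) >= start

# Constructed sample leaver; every value is fictitious.
SAMPLE_LEAVER = {
    "employee_id": "E-1042", "name": "A. Leaver", "ni_number": "QQ123456C",
    "bank_sort_code": "00-00-00", "bank_account": "00000000", "personal_phone": "+44 7700 900123",
    "performance_reviews": ["2023: meets expectations"], "pay_history": [("2024-03", 2750.00)],
    "leave_date": date(2024, 3, 15), "final_payment_date": date(2024, 3, 29),
}

if __name__ == "__main__":
    for today in ("2024-03-20", "2024-04-01", "2024-06-15", "2027-04-06"):
        kept, log = purge(SAMPLE_LEAVER, today)
        print(today, "removed", [n for n, _ in log],
              "whole record deletable:", whole_record_deletable(SAMPLE_LEAVER, today))
```

Run against the sample, the bank details go on 30 March 2024, the performance records and phone number on 15 June 2024, and the whole record on 6 April 2027. The trigger dates (leave_date, final_payment_date) sit in the longest-lived group so every shorter clock can still be computed on later runs, and `_trigger` ignores a value that has already been overwritten. In overwrite mode the log is the only record of what was removed, so keep it; and, as the text above warns, overwriting in the application does nothing about copies in audit trails, exports or backups.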
Always think how the personal data you have might be misused in a breach, and work to minimise that possible harm by deleting what you can, redacting what you can’t and encrypting what remains.
*The Marie Kondo method encourages tidying by category – not by location – beginning with clothes, then moving on to books, papers, komono (miscellaneous items), and, finally, sentimental items.