Five years have passed since the introduction of GDPR in Europe, heightening awareness about consumers’ personal data in the hands of businesses. This in turn has paved the way for increased regulations outside of Europe, including the CPRA, and individual state mandates which grant consumers, patients, and employees the power to request the deletion of their personal data from a company’s records. Businesses must respond swiftly to these requests while also balancing records retention and other legal requirements. The CPRA, as an amendment to the CCPA, and the GDPR both emphasize transparency and the rights of individuals concerning their data. However, despite looming penalties, the lack of significant enforcement of these regulations coupled by the extreme difficultly of properly implementing these controls, has led many businesses to lag in implementing proper controls for compliance.
The Downside of over retention of personal data
“Keeping everything forever, just in case…,” Is No Longer an Option
Until recently, businesses would just keep all data and delete nothing, as you “never know when you’ll need some data”. It’s simply easier to just keep everything. Unfortunately, over-retention of data, and failure to perform personal data deletion in particular, now has consequences:
Regulators are starting to crack down on over-retention of personal information
2023 has been a busy year for the FTC, as they started cracking down on companies for not complying with data deletion regulations. Microsoft, Amazon and T-Mobile alone face fines totaling over $250 Million for violating COPPA and illegally collecting personal information of children.
The FTC also fined Drizly, a subsidiary of Uber, along with its CEO for failing to implement procedures and technologies to inventory and delete expired consumer information. This is particularly concerning, as The FTC, SEC and state attorney generals decided not to stop at just holding the company accountable, but escalated the matter by holding senior executives directly accountable for their lack of governance.
In this case, the FTC held Drizly’s CEO James Cory Rellas directly accountable for a significant data breach and applied an order personally to him that would require him to implement an information security program at future companies if he moves to another organization which collects personal data. “This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.”
Data Hoarding can be expensive
Storing vast amounts of data necessitates substantial infrastructure, be it on-premis servers or cloud-based storage solutions. As data continues to pile up, these storage costs add up and can quickly skyrocket. It’s not just the direct financial cost; the complexity of managing increasing volumes of data can demand more specialized software, increased security measures, and even necessitate hiring additional personnel with the expertise to manage and interpret the stored data. Purging unnecessary data has been proven to save significant costs.
Data Breaches Can be particularly damaging if they expose data you’re not supposed to have
Data breaches have become all too common. While any data breach is harmful, revealing information that a company shouldn’t even possess in the first place amplifies the repercussions tenfold and can be especially embarrassing. Such breaches don’t just expose vulnerabilities in an organization’s security systems; they can also expose internal data privacy handling and (lack of) controls.
When a company is found to be in possession of personal data against regulations (and usually against public commitments), it raises pressing questions. Why was this data collected? How was it used? Why was it retained past its useful life? Why was a process for deletion of personal data not implemented? This can put the organization under intense scrutiny, potentially leading to lengthy legal battles, hefty fines, and regulatory sanctions as mentioned above.
Moreover, the reputational damage can be long-lasting. Customers and partners begin to question the integrity and ethics of the organization. In an era where consumer trust is paramount, the revelation that a company is hoarding personal data secretly and without reason can be a death knell, leading to lost customers, broken partnerships, and a plummeting stock price.
Data Deletion is Hard
Data deletion is a complex affair, interwoven with legal, technical, and organizational considerations. While deletion of personal data might seem straightforward, the reality is much more complex.
First you need to find the data
Large-scale data further complicates the deletion process. In the age of vast datasets spanning terabytes to petabytes, efficiently and safely deleting data becomes a non-trivial task. General data protection regulations mandate full deletion of all personal data data when it’s no longer relevant or if a person specifically asks for it. Given that this data might be dispersed among various departments, devices, databases, and in diverse formats and types, actually finding this data can be a seemingly impossible task. Data discovery tools can assist in this effort to a degree, but their scope is restricted as they only search for data that the organization explicitly identifies as important, which usually causes the organization to “miss” and fail to delete significant personal (dark) data, opening them up to regulatory penalties.
Deletion can be a bureaucratic nightmare
Once you find the data you want/need to delete, it’s not as simple as just hitting a button. There are legal ramifications to deleting enterprise data. Distinct sets of data might be tied to various business departments, and different team members might depend on or oversee them. One of the biggest challenges of purging data on an enterprise level is implementing appropriate controls that allow a proper authorization and confirmation processes. Data can only be properly disposed of once all involved parties approve. However completing this approval process can be very time consuming and can significantly impede an organization’s ability to meaningfully purge toxic data.
The Solution – Purging ALL over-retained personal data through NVISIONx’s data Inventory platform
The Nx platform performs a full data inventory and classifies your data at scale. Not just some data, ALL data. By creating a master catalog of all your data, you can query on demand in seconds to identify every instance of any identity. Our data minimization analysis also correlates your records schedules and legal holds to ensure other legal mandates are not being impaired. Using our collaborative workflow automation, business and IT stakeholders can easily fulfill the “right to be forgotten” or quickly process data subject access requests (DSARs).