When did you last weed your data
Are you a hoarder? Many people are, whether they realise it or not. They tend to save things because they might come in useful or for sentimental reasons or because they simply don’t notice the volume of things they’ve gathered over the years.
For example, when two people set up house together, they bring all their possessions with them and inevitably there are duplicates (two sets of saucepans, two potato peelers, two irons etc.) with neither wanting to get rid of theirs. Whilst very few people will become the kind of obsessive hoarder whose house is stacked high with newspapers, magazines and other things to the extent that the local authority has to send in professional clearance experts, most of us have cupboards, lofts or sheds which are full of things we haven’t used or possibly even seen for a long time; moving to a new house is often the only time people take a long hard look at what they’ve accumulated and have a clear-out.
The same problem exists in the information world – if anything, it’s worse. Every day, organisations generate vast amounts of data requiring storage. Additionally, they often have historic data going back years; company mergers or takeovers generally result in the resulting organisations acquiring all the information of the component companies and multiple mergers can mean multiple datasets. In the last few years, the amount of storage required by large organisations has gone from being measured in gigabytes to being measured in petabytes. The response to this problem has been to buy more and more storage space, whether it be more local storage (the average new laptop has a 1 terabyte hard drive) or more cloud storage; it’s rather like buying a larger house because the family has outgrown the current one – both are expensive. However, this doesn’t address the root problem – do you actually need all the data you have collected?
With the advent of big data analytics which aim to gain useful insights from the vast quantities of data held and turn these into competitive advantage, there’s often an argument made for collecting and retaining as much data as possible in order to maximise the potential benefit to the organisation. However, data requires good information management; old, redundant or inaccurate data is of limited value. Many organisations lack strong information management practices: as a result, there are quantities of data stored on legacy systems or which were created by staff long since retired or moved on and where no-one really knows what information they left. The retention of old data on out-dated technology can pose other problems; TalkTalk was fined £400,000 last year by the Information Commissioner following an incident in 2015 when hackers exploited vulnerabilities in 3 webpages inherited from Tiscali (taken over by TalkTalk in 2009) and accessed a related database containing the personal details of over 150,000 people; solutions were available for the vulnerabilities in both webpages and database but neither had been updated.
The imminent introduction of the GDPR is a powerful driver towards addressing the issue of holding excessive quantities of personal information or retaining data which is out of date. The existing Data Protection Act 1998 requires that personal data should be adequate, relevant and not excessive (Principle 3), be accurate and, where necessary, kept up to date (Principle 4) and not kept for longer than is necessary (Principle 5). The GDPR carries these principles forward and introduces new rights for data subjects, including the right to have their data supplied in a structured, commonly used and machine-readable format to them or to another controller of their choice (portability) and the right to have their data erased without undue delay in certain circumstances (“right to be forgotten”). The time allowed for responding to the exercise of these rights and others such as subject access is set at one calendar month, compared to the current subject access time limit of 40 days. Failure to comply with the requirements in respect of data subjects’ rights can attract the fines in the higher tier of 4% of annual global turnover or £17 million, whichever is greater.
It would seem fairly clear that organisations need to get their information management processes in good order before the GDPR comes into force. One part of this is looking at the personal data they hold and asking themselves hard questions – why are we holding it; do we need it; can we justify retaining it; would continuing to hold it be compliant with GDPR? Now is a good time to bite the bullet and dispose of data where the legal basis for processing is not clear or where the data is no longer relevant in the context of current processing activities. Digging through old data stores may be an unappealing prospect but think of the sense of satisfaction at the completion of a hard job well done. Spring-cleaning your information and noting or rationalising its location should also make it easier to find personal data in response to subject access, portability or deletion requests. Going forward, ensuring that the organisation has a data retention schedule and formal processes for recording data, storing it, reviewing it at regular intervals and deleting/weeding it when its retention is no longer necessary or justifiable will form part of good ongoing information management.
If you would like advice on preparing for the incoming GDPR, give us a call (01242 225699) or send us an email (email@example.com) and find out how we can help you.