Implement a sustainable program for data deletion
Data is the fuel that drives growth for many businesses today. But often, businesses collect more data than they need – or keep it longer than they should.
With the rise of privacy and data protection regulations around the world, organizations are examining the data that they collect and keep. Many regulations require that organizations minimize the data they collect and store, and delete unnecessary data upon request.
“Data is really the key asset for the business that we support today. At the same time, it can become a huge liability, mostly from a risk compliance, security, and privacy standpoint,” said Grant Thornton Principal and Leader for Cybersecurity and Privacy Derek Han.
Many global privacy regulations have demanded that organizations make data deletion a common practice, rather than just a best practice. "Data deletion itself can be very, very challenging," Han said. "On the business side, teams want to keep the data forever, for unlimited use. On the security and privacy side, we want to limit that usage and retention. So, it's challenging from both a business and technical standpoint."
Implementing a sustainable data deletion program can help organizations reinforce their standards and governance for data deletion, meet regulatory requirements, reduce the risk of data breaches and improve data hygiene overall. While organizations might initially be motivated by data privacy regulations, they often benefit from improving their data governance practice along the way.
Two types of deletion
In general, there are two types of data deletion required by privacy regulations: request-based deletion, and data retention and purge.
Request-based data deletion
Some privacy regulations grant individuals the right to request the deletion of their personal data. Request-based deletion begins with someone who initiates a data deletion request. The individual's status and relationship with the organization determine whether the request must be honored, what type of data can be deleted upon the request, and whether any exceptions to deletion requirements apply. Data deletion exceptions can include retaining data that is required for service delivery, legal and regulatory reasons, or financial reporting.
Since the European Union (EU) General Data Protection Regulation (GDPR) took effect on May 25, 2018, many organizations have made progress on implementing a request-based data deletion program. However, challenges remain:
- A combination of automated and manual deletion processes is used, with less than 1% of organizations having a fully automated data deletion process.
- Deleting personal data in data warehouses or big data platforms is a challenge for many data-driven organizations.
- Identifying a singular requestor's records across various systems requires manual effort.
- Leveraging an IT ticketing system for data deletion fulfillment requires all in-scope systems to be onboarded to the same ticketing system, which is often not done.
- There is often a lack of a dedicated team to oversee data deletion from end-to-end.
Due to a lack of transparent data deletion governance and ownership, it is not uncommon that a request-based data deletion process is not being adopted consistently by all of the cross-functional teams or system owners in an organization.
- System inventory: This includes conducting a system/data mapping to document what personal data has been collected and where it is located.
- Data deletion exception analysis: The privacy or legal team defines data deletion exceptions, and system owners apply those exceptions to their systems.
- Data deletion program implementation: Establish front-end request intake channels (such as an email address or webform) and a back-end request fulfillment process, and allocate resources to carry out the process within a pre-defined timeline.
- Compliance monitoring: Once the program has been set up, the organization will define key performance indicators (KPIs) and check periodically to see if the request-based data deletion has been carried out according to the defined requirements or procedures.
Data retention and purge
Data retention and purge are more focused on deleting data according to an organization’s schedules. While most organizations have a retention policy and schedule, organizations are often inconsistent in completing the data deletions or they do not conduct data purges at all. Many organizations have made progress on data retention and purge programs due to the rising privacy requirements. They are also facing common challenges:
- Organizations often lack a dedicated data retention governance team to provide data retention and purge oversight.
- Organizations tend to struggle with rationalizing retention requirements from various jurisdictions.
- Organizations tend to overlook the effort required to translate retention schedules to how the schedule can be implemented at the systems and database levels.
- There is a lack of data protection talent with knowledge of both privacy and technology to bridge the knowledge gaps between legal and technical requirements.
- Many organizations fail to monitor the effectiveness and accuracy of data purge once the retention program is in place.
Often, a data retention or purge program is not implemented because the retention schedule based on legal requirements is not translated to functional or technical requirements that can be operationalized for applications or databases. This gap can be difficult to close because the organization’s data is typically spread across multiple teams and systems with various technical processes and configurations.
Data retention and purge implementation
To truly ensure consistency and compliance, organizations should implement data retention and purge programs that are designed for sustainability. Effective program implementation typically involves four steps described by the diagram below:
Each of the four steps involves key teams and serves an important purpose:
- Rationalize requirements: This can include the legal privacy team identifying the retention obligations and compiling a global set of retention schedules with a risk-based approach. This global set of retention schedules can help streamline implementation, since data stored in the system are usually not segregated by regions.
- Legal hold analysis: The legal or litigation team identifies legal hold requirements and data retention exemptions. If specific data are subject to a legal hold, they must be maintained or retained for longer than the retention period.
- Implementation: This is usually a business or IT effort to analyze the retention and legal hold requirements, then apply them at the system level. The purge process could be manual or automated.
- Compliance monitoring: This lets the organization check periodically to see if the data purge has been carried out according to the defined requirements, or if the purge has introduced any data integrity issues.
“It’s always very helpful to have a dedicated team to oversee the data deletion program from end to end.”
A team for ongoing success
Data deletion is an ongoing need and an ongoing responsibility. “It’s always beneficial to have a dedicated team to oversee the data deletion program from end to end,” said Grant Thornton Senior Manager for Privacy and Data Protection Fiona Ren.
In recent months, a growing number of companies, especially data-centric companies or technology companies, have transitioned the ownership of data deletion programs from privacy or legal functions to their data governance teams. Privacy and legal functions are responsible for setting up data deletion policies and data deletion escalations. The data governance teams have valuable knowledge of where data is stored and what dependencies are involved. They also help conduct data and system dependency mapping, which is an essential component of the deletion program.
By establishing a sustainable data deletion program, organizations can improve their compliance with applicable privacy and data protection requirements as well as enhance data governance and data protection posture at the same time.
Contact:
Derek Han
Principal, Cybersecurity and Privacy Leader, Risk Advisory Services
Grant Thornton Advisors LLC
Derek is a Principal in the Advisory Cyber Risk Services Group. Derek has eighteen (18) years of professional experience in information security and IT risk consulting.
Chicago, Illinois