GDPR - data cleansing, retention and backups
With the GDPR regulations just around the corner, we're looking at how to keep your data bang up to date, how, when and where to retain data, and the importance of backups within your responsibilities.
Data cleansing, minimisation and retention
Ok, we'll admit that the topic of data cleansing, retention and backups doesn't make for the most enthralling of blog posts, but it's a necessary evil in making sure you comply with the GDPR coming in on May 25th.
Data inevitably decays over time - births, deaths, marriages, address changes, role changes and so much more. Continually cleansing data is good for your business or organisation anyway, to ensure information you hold is correct, complete and not duplicated.
But with GDPR, it's important to cleanse data that is not relevant or that isn't necessary for you to hold so that you can comply with the regulations.
Data cleansing does, of course, actually make good business sense. Up-to-date and necessary information allows you to operate in a more streamlined way, and if your marketing data is up to date and in line with GDPR you're not wasting time and budget on engaging people who don't want or need to be contacted by you.
It's important to audit what data you have, where you got it from, when, why you have it and if there are any duplicates or unnecessary information. There's also a need for a retention policy and process.
The GDPR states that data shouldn't be kept for longer than is necessary for the purpose or purposes it serves. As a business you need to review the length of time you keep different types of information and the reason/s that you hold this data, and have a really robust policy for how you delete information that is no longer needed.
With the GDPR it's vital to know how often the information you hold is backed up and where to. Does the information live online or on a laptop or external drive? How is any hardware secured? There are lots of questions, but providing you get a process and policy in place, there's no need to worry.
Here are some key things you need to consider as part of your backup process:
- Make sure you keep a regular backup of important data - after all it's probably one of your greatest business assets.
- Know where you're storing your backups. If it's on a removable hard disk or tape, make sure there's always a copy off site. If it's in the cloud, it's worthwhile double checking where the data is geographically.
- Protect backup files with encryption if possible. If backup files aren't encrypted securely, make sure they're kept in a secure location.
- Don't keep backups longer than is necessary. Keep the last few copies; you shouldn't need any more than that (otherwise you're probably making an archive, not a backup).
- Finally, make sure you have a recovery process. Check periodically that the backups you have can be restored if you need them. Don't wait until it goes wrong to find out your backups haven't been working!
There are a couple of questions we regularly get asked, so here's our take on them...
If I receive a data removal/erasure request, how can I remove a single user's details from a backup archive?
Good question. Firstly, this isn't an automatic right; there are circumstances where it can be refused, so you might want to check that first. In answer to the question, in most cases you can't, or it would be impractical in the amount of time it would take. So what we suggest instead is having a clear policy that sets out, when data is removed, what the timeframes will be for it to be gone from different systems and backups.
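To put a number on that timeframe, here is an added example (not part of the original post) that works out the date on which the last backup still containing an erased record is pruned. It assumes backups run on a fixed interval, only the newest `keep_last` copies are kept, and pruning happens straight after each backup; the function names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta


def prune(backup_dates, keep_last):
    """Split backups into (kept, deleted), keeping only the newest keep_last."""
    if keep_last < 1:
        raise ValueError("keep_last must be at least 1")
    ordered = sorted(backup_dates)
    return ordered[-keep_last:], ordered[:-keep_last]


def gone_from_backups(existing, erased_on, interval_days, keep_last):
    """Date on which no retained backup still holds the erased record.

    A backup dated on or before erased_on is treated as containing the
    record (a same-day backup is assumed to predate the erasure).
    """
    kept, _ = prune(existing, keep_last)
    if not any(d <= erased_on for d in kept):
        return erased_on  # nothing retained predates the erasure
    step = timedelta(days=interval_days)
    next_run = kept[-1] + step
    while any(d <= erased_on for d in kept):
        # Take the next scheduled backup, then prune straight away.
        kept, _ = prune(kept + [next_run], keep_last)
        last_run = next_run
        next_run += step
    return last_run


def policy_days(existing, erased_on, interval_days, keep_last):
    """Days between live-system erasure and the record leaving all backups."""
    gone = gone_from_backups(existing, erased_on, interval_days, keep_last)
    return (gone - erased_on).days


# Constructed sample: weekly backups, four copies retained.
WEEKLY = [date(2018, 3, 4), date(2018, 3, 11), date(2018, 3, 18)]

if __name__ == "__main__":
    erased = date(2018, 3, 20)
    print("Gone from backups on:", gone_from_backups(WEEKLY, erased, 7, 4))
    print("Timeframe to state in policy:", policy_days(WEEKLY, erased, 7, 4), "days")
```

The result is the worst-case figure to quote in the erasure policy for the backup system; each other system holding the data needs its own figure.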
If I store my backups in the cloud, is my cloud provider a data sub-processor?
That depends. For your cloud provider to be a data sub-processor they would need access to your data. So if your backup is encrypted before being pushed to your cloud provider, and they don't have the key to decrypt the data, then no, they aren't processing your data. If, on the other hand, the data could be read by your provider, the answer can be much more complicated, and to be safe we'd suggest that you consider them a data sub-processor.
Five top things to do
- Set out a policy of how you'll deal with the data you hold, what data you hold, how long you'll hold it, what you do with it and when you'll delete it.
- Don't collect data you don't need. If you're asking someone to sign up to your email list, do you need to collect their phone number too?
- Think about how you'd deal with a request for access to data, a removal request or one of the other individual rights.
- Make sure you have backups (which work) and you know they are stored securely, and where.
- Get help if you need it.
If data management isn't your thing, get in touch with us on 01904 500500.