How to Align Data Deletion Policies with Privacy/Compliance

Data deletion/sanitization is one of the more challenging tasks for any privacy program. Regulatory requirements often include the need to either destroy data after a certain period or after an engagement with a client or vendor has concluded. New regulations everywhere are also requiring businesses be able to delete a users' data at the user's request. With ongoing system backups and the tendency of businesses to over collect personal data, risk managers must balance data collection with data destruction policies that meet privacy requirements.  

This piece explains data privacy challenges and provides methods to align your data deletion processes with your regulatory/compliance responsibilities. 

Data Privacy Is a Growing Concern   

With the high number of data breaches and the increasingly onerous legal and regulatory climate, privacy has taken center stage for many IT and business leaders. Regulations have introduced stiff penalties for violations, making the concept of holding unnecessary personal data both risky and potentially expensive in the event of a breach. But collecting as much personal data as possible has become a pervasive business mentality, making it progressively difficult to delete information when a relationship no longer exists. Compounding this problem is three decades of evolution in the archiving, backup and recovery space, making it nearly impossible to truly “forget” an individual or customer. 

Establish a Privacy Framework 

To address this challenge, companies that don’t have a formal privacy program in place should first consider developing a privacy framework and performing a gap analysis to understand their risks. Make sure to understand the privacy requirements you are trying to comply with, but also remember that additional state and federal regulations are sure to bring new requirements in the future. Establishing a framework ensures you can track your privacy obligations and build a program that meets these requirements. 

Privacy risk is based on multiple factors, including impact to customers, financial consequences, likelihood of a breach or any combination of these. A good privacy framework should: 

• Support the business decision to hold or minimize personal data collection by estimating the business value versus privacy risk. 
• Address how data is collected and processed. 
• Address privacy notifications and capture consent. 
• Develop data collection and retention policies that prioritize privacy. 
• Create and maintain context-aware data stores to ensure the organization can act on personal data held in backups. 

Ultimately, the best privacy defense is making sure you do not collect more information than the business needs to support its objectives. 

READ: What is the NIST Privacy Framework 

Issues With Data Deletion 

Data deletion isn’t always straightforward. Consider the following examples: 

• Structured data: Purging personal information from structured storage like databases sounds simple, but many applications don’t fully delete the data. Instead, they mark the record as “deleted” and then hide it from the user interface and search results, which helps maintain the referential integrity of the database. 
• Unstructured data: This is even harder to expunge, because it can be found on file shares, cloud storage and endpoints like laptops and mobile devices. Data might also be shared with third parties, making the control of this information only possible through contractual language or shared workspaces. 
• Data backups: These represent an especially difficult challenge. How can you identify which backups contain records required for deletion? There may be multiple copies of data across multiple systems, the cloud and third-party vendors. Must organizations dig through hundreds, if not thousands, of data stores across years of what could be daily backups to remedy a single record? 

Ways To Ease Data Deletion 

As with any privacy remediation task, the process of finding and deleting sensitive data should be risk balanced. Some approaches that may ease the deletion process include: 

• Indexing files on file shares and other systems: This can help identify the most likely places sensitive data is stored, so these backups can be treated separately from general system backups. 
• Getting vendor help: Because finding all backup instances isn’t practical for most firms, data security solutions can help discover both structured and unstructured data that might represent a privacy risk or data that should have been previously deleted. Microsoft also offers some native discovery tools for organizations using the Microsoft 365 cloud with E5 licensing. 
• Adding DLP: Using a DLP solution can also capture personal data or stop an email from being sent, which can help prevent privacy exposure and fines. 

READ: Data Governance 101: Establish a Solid Foundation 

Alternatives to Data Deletion 

Full deletion of personal data is not the only way to meet business and privacy objectives. Many organizations use data scrubbing techniques that neutralize the sensitivity of the data. These include:

• Data anonymization: Anonymization is a process that removes or replaces the contents of sensitive data fields so that the data is no longer linked to an individual (and it can never be linked in the future). While not perfect, anonymization allows a company to pull business value  from data without keeping specific information that could result in a privacy violation. 
• Data pseudonymization and tokenization: Pseudonymization is like data anonymization, but the process is reversible by design. The fields that would have been deleted or replaced in the anonymization process are stored separately with additional security controls. This process is commonly used in the health care industry, where medical tests are sent to third parties, but the patient’s identity is withheld and later reintegrated when the results are returned. Pseudonymization is synonymous with tokenization, which has been used for years by the PCI to protect payment card information. 

Get Control of Your Data   

Personal data is omnipresent for most organizations. Even the best mapping and remediation strategies may leave some data sitting on an employee’s laptop or stored in a file repository that can be overlooked. To ensure your data deletion processes align with your compliance requirements: 

• Use multiple controls: For example, combining strong data destruction policies with effective DLP and data anonymization and/or tokenization can help ensure your sensitive data is adequately protected. 
• Plan to discover and detect failures: Data is so pervasive that even the best data governance processes can miss something. Have a plan in place to detect failures and take corrective action. 
• Keep privacy risk at the forefront: As data privacy becomes a bigger concern, organizations should revisit their data collection practices and balance them with privacy risk. Build an environment that places privacy ownership in the hands of the business and have controls in place that can detect and react to issues quickly. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.