Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Data deletion/sanitization is one of the more challenging tasks for any privacy program. Regulatory requirements often include the need to either destroy data after a certain period or after an engagement with a client or vendor has concluded. New regulations
everywhere are also requiring businesses be able to delete a users' data at the user's request. With ongoing system backups and the tendency of businesses to over collect personal data, risk managers must balance data collection with data destruction
policies that meet privacy requirements.
This piece explains data privacy challenges and provides methods to align your data deletion processes with your regulatory/compliance responsibilities.
With the high number of data breaches and the increasingly onerous legal and regulatory climate, privacy has taken center stage for many IT and business leaders. Regulations have introduced stiff penalties for violations, making the concept of holding
unnecessary personal data both risky and potentially expensive in the event of a breach. But collecting as much personal data as possible has become a pervasive business mentality, making it progressively difficult to delete information when a relationship
no longer exists. Compounding this problem is three decades of evolution in the archiving, backup and recovery space, making it nearly impossible to truly “forget” an individual or customer.
To address this challenge, companies that don’t have a formal privacy program in place should first consider developing a privacy framework and performing a gap analysis to understand
their risks. Make sure to understand the privacy requirements you are trying to comply with, but also remember that additional state and federal regulations are sure to bring new requirements in the future. Establishing a framework ensures you can
track your privacy obligations and build a program that meets these requirements.
Privacy risk is based on multiple factors, including impact to customers, financial consequences, likelihood of a breach or any combination of these. A good privacy framework should:
Ultimately, the best privacy defense is making sure you do not collect more information than the business needs to support its objectives.
READ: What is the NIST Privacy Framework
Data deletion isn’t always straightforward. Consider the following examples:
As with any privacy remediation task, the process of finding and deleting sensitive data should be risk balanced. Some approaches that may ease the deletion process include:
READ: Data Governance 101: Establish a Solid Foundation
Full deletion of personal data is not the only way to meet business and privacy objectives. Many organizations use data scrubbing techniques that neutralize the sensitivity of the data. These include:
Personal data is omnipresent for most organizations. Even the best mapping and remediation strategies may leave some data sitting on an employee’s laptop or stored in a file repository that can be overlooked. To ensure your data deletion processes
align with your compliance requirements:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 21, 2023
By IANS Faculty
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.
September 14, 2023
Learn how to use a three-step approach to defending and managing public and private APIs while avoiding common mistakes.