Jasmit Sagoo, Senior Director, Head of Technology UK & Ireland at Veritas Technologies, discusses the role of the data protection officer (DPO) in data deletion.
The advent of the General Data Protection Regulation (GDPR) may not have been the catalyst for change many had hoped for, but we shouldn’t write it off just yet. This year, the newly-empowered ICO has levied fines in excess of £300 million against companies for breaching data protection law. GDPR has teeth, and organisations mustn’t ignore them.
For many, however, GDPR has become synonymous with subject access requests (SARs). Some may be mistaken in believing that, so long as they can share a customer’s data with them on request the organisation has done enough to achieve compliance.
Yet SARs are only the tip of the iceberg. GDPR obliges businesses to consider every article concerning data protection – this includes implementing all measures necessary to protect employee, partner and customer data. As organisations grow, deletion becomes a crucial part of data protection.
However, many organisations have become paralysed by the fear of the unknown. They’re unable to formulate strong data retention or deletion policies because they lack insight into the data they carry. To pursue a successful data deletion strategy, you need insight into all the data you own and the confidence to know what you can delete and when, without consequence.
Yet, in today’s highly fragmented IT environments, insight and confidence are in short supply. The data protection officer (DPO) has both an opportunity and a duty to step in.
Data management in the dark
The root of the problem is that enterprises are struggling to adapt their IT environments to a regulatory paradigm they weren’t built for. Established businesses, which have existed long before GDPR passed into law, were under no legal obligation to protect the bulk of the data they collected.
As a result, databases grew in number, size and complexity while data management was rarely treated as a priority. Many now face the challenging task of making their opaque, legacy IT infrastructures compliant. The arrival of the cloud has offered an opportunity for many to centralise all data in a single, secure location.
However, this is not feasible for everyone. A great deal of data, such as paper and handwritten records, are not easily digitised, while other business-critical data needs to remain on-premises. Much of it belongs to loyal, long-serving customers who have been with their service provider for decades: you simply can’t make that data disappear.
Furthermore, the growing popularity of hybrid and multi-cloud environments – where data is stored across a range of physical and multiple cloud environments – means that data will still exist in multiple, often disparate locations in an organisation for years to come.
This has created a quandary for employees. Staff regularly struggle with an overabundance of data sources and tools, while also coping with a lack of data strategy and backup solutions.
As a result, more than a third (36 per cent) of IT leaders say their employees are less productive due to siloed data management practices and, on average, spend two hours a day searching for the data they need.
Many IT and data managers are too afraid to pare down their data banks for fear that they might lose something precious in the process. Old data can be a valuable source of customer insight, and if a customer makes a SAR you must be sure you can respond to it within the timeframe required.
Consequently, databases are only getting larger, harder, more expensive and dangerous to manage.
The longer an IT manager abstains from deleting data, the more likely it is to go ‘dark’, evade protection and risk falling into the hands of a cybercriminal. The contract with the customer is broken and the organisation then faces the prospect of a GDPR fine, or worse, irrevocable reputational damage.
Taming the database
To ensure compliance and the safety of organisational data, a fresh approach to data management is needed. Data management can no longer be treated as a low priority, back office function – it’s now integral to compliance and corporate reputation.
Achieving progress will require change from within an organisation, both operational and cultural, but it also requires leadership. Yet whose responsibility is it to drive these efforts?
Considering the risks posed by an absence of data responsibility, it should absolutely come under the purview of the organisation’s DPO or chief data officer. They should take a leading role in guiding deletion strategy and resolving the data management challenges that frustrate it.
However, while the DPO usually holds the responsibility for protecting data, they too often lack the power to do much about it.
Despite their importance, the DPO is a relatively new position at many companies, often introduced in the lead up to or the aftermath of GDPR. While organisations have taken various approaches to the position, all too often the DPO will meet resistance from concerned stakeholders and be overruled by the board.
Empowering the DPO to seek out data abuse and oblige data responsibility is crucial for any organisation that is serious about deletion and protection. There are numerous, critical areas where the DPO can and should have an impact:
• Workforce education: Databases often fragment or bloat because employees lack strong guidelines – they’ll neglect to label data correctly or decide to save an extra copy just to be safe. The DPO can step in here, training employees in the correct use of metadata and discouraging unnecessary copying.
• Data management: The DPO should lead a programme of improving visibility through superior data management. They do this by encouraging the adoption of data management tools that help systems and employees see what data they have and where.
By bringing together and explaining their information, organisations can make informed decisions on what data to keep and what to delete.
• Automation advocacy: Once an organisation has complete visibility, the DPO can encourage the uptake of automation tools, allowing the company to roll out decisions and policies across its entire data estate. Data can be automatically classified on upload, reducing error and improving accuracy down the line.
To reduce risk, data can also be expired after a set period of time. This stops the buildup of unclassified and vulnerable dark data that’s prone to emerge over time.
Deletion is a vital part of data protection, but to do it effectively your employees need insight and confidence which comes with knowing what data you have. The DPO has an exciting opportunity to instil these, so long as they have real power and responsibility backing them up.
By encouraging data responsibility and implementing the latest data management tools, they will set the gold standard for protection and deletion.