Deleting Data: A Guide
Of the many consumer rights established by the ever-expanding crop of data privacy legislation, the right to deletion is among the ones you will see most often. Different laws phrase the right slightly differently, but the general sentiment is consistent: consumers have the right to have their personal data deleted from an organization's systems upon request.
If your organization has been complying with the California Consumer Privacy Act (CCPA), or its recently implemented expansion, the California Privacy Rights Act (CPRA), you have likely fielded a fair share of deletion requests from consumers. However, the process of deleting consumer data is rarely as simple as clicking a button. If it is, you might be doing something wrong.
To meet the standard these laws require, your organization should consider implementing a formal data deletion program. Here is what you need to know about creating a robust deletion program and what compliance benefits you can expect from one.
Storage Limitation: Data Deletion Is Much More Than Deletion Requests
While you likely already have a program set up to field consumer data rights requests, many laws require you to go a step further and adhere to a principle of "storage limitation": store only the data that is necessary, for only as long as it is necessary. Under this principle, you should be deleting consumer data when its storage becomes unnecessary or when the data has served its original purpose, whether or not anyone has asked you to.
Of course, this presents a challenge for data controllers. How do you know when data is no longer necessary to store? How can you justify the necessity of storing consumer data or the validity of its purpose?
The answer depends on the law. The EU's General Data Protection Regulation (GDPR) requires controllers to keep a record of their processing activities, and Article 30(1)(f) says this record must include "where possible, the envisaged time limits for erasure of the different categories of data." In a sense, this makes the job easier. When collecting data, you should already be thinking about deleting it.
Documentation Is More Important Than Ever
It can be useful to categorize data by purpose and map out a reasonable timeline for the deletion of each category depending on that purpose. For example, if the purpose of collecting a consumer's credit card information is to complete a transaction, plan to delete the information once the transaction is completed. However, if the consumer chooses to save their credit card number to speed up future purchases, then you have a justifiable reason to hold onto the data for as long as it remains saved; the deletion criterion then becomes the consumer removing the card or closing the account.
Of course, the end goal is to show that you did your due diligence if you are faced with a compliance issue. Record all your data activity, and make sure those records include evidence that you adhered to the principle of storage limitation. That way regulators will have a clear understanding of why you store the data you do.
Before you can document your data activity, you need to update your data inventories so they are as detailed and easy to use as possible. Knowing what data you have is one thing, but compliance requirements now call for you to know why you have it, where every copy of it lives, and what you plan to do with it.
Transparency Is Key to Deletion
Deletion is much like most other data privacy compliance tasks in that transparency remains firmly at its core. The notice you give consumers upon collection is not just a formality; it is something you need to strictly follow. Within that notice, you need to inform consumers what you plan to do with their data, including when you plan to delete it.
Article 13(2)(a) of GDPR sets this in stone, reading: "the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period."
The way your organization handles this depends on the circumstances of deletion. If you plan to delete the data on a set date or a set period after it's been collected, tell your consumers. If the date of deletion depends on certain factors, explain those factors to consumers to at least give them an idea of when their data will be deleted.
Rethinking Retention Periods
CPRA contains a similar requirement: organizations must inform consumers how long they plan to keep each category of their data. If that is not possible, they must inform consumers of the "criteria used to determine such period."
If your organization is accustomed to complying with CCPA, this requirement might seem new. Previously, the only information organizations needed to include in the privacy notice was the categories of data collected, the purposes of collection and any third parties with which the data is shared.
Currently, it is unclear whether the CPRA requirement would be satisfied by a vague statement declaring that you only keep data as long as necessary. You may need to revise your privacy notice to include specific, detailed retention periods.
Up until now, retention schedules have usually been internal, allowing organizations to set loose deadlines they can adjust when they deem it necessary. However, once you publish a retention schedule in a privacy notice, you are formally declaring your commitment to adhere to it. Not only does this mean you must follow your retention schedule; you must also carefully keep track of the schedules you set for different categories of data, and be able to show that each category was actually deleted on time.
You may already have retention schedules for your data, but review them to make sure they are reasonable and easy to follow. Keeping tabs on such details is best suited to a formal deletion program. That way you can clearly delegate tasks and responsibilities, making sure that no compliance obstacle slips by unnoticed.
Solidify and Document Your Data Destruction Process
Any compliance plan will quickly fall apart without organization and communication. This starts from the bottom up; before you can even think about properly disposing of data, you need a systematic way of storing it. This is best achieved by publishing an information lifecycle management policy, so employees can easily brush up on their responsibilities during the collection, storage, use, sharing and deletion of data.
When it comes to data disposal, you need a systematic process your organization can rely on. Regardless of the method you use, this process should always produce auditable documentation, proving that the responsible employees knew when to delete data and how they confirmed that the data was removed from every location where it was held, including backups and replicas.
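The retention schedule, the per-category deletion criteria and the auditable deletion record described above can be made concrete in a small amount of code. The following is an added example, not code from the original article: the categories, periods, lifecycle events, sample records and the `purge` hook are all assumptions chosen for illustration. The point it makes beyond the text is that a deletion run should record three distinct outcomes (retained with a stated reason, deleted from every known location, or only partially purged) and flag data that has no rule at all, rather than silently keeping it.

```python
"""Retention-schedule evaluator with a tamper-evident deletion log.

Added example, not from the original article. All categories, periods,
lifecycle events and sample records are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Retention schedule keyed by data category. A rule is either a fixed
# "period" after collection, or a "criterion": a lifecycle event after
# which the data has served its purpose, plus an optional grace period.
# This mirrors "a period, or the criteria used to determine that period".
SCHEDULE = {
    "card_transaction": {"criterion": "transaction_completed"},
    "card_saved":       {"criterion": "customer_removed_card"},
    "marketing_email":  {"period": timedelta(days=365)},
    "support_ticket":   {"criterion": "ticket_closed", "grace": timedelta(days=90)},
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime
    # Lifecycle events the criteria refer to, e.g. {"transaction_completed": ts}
    events: dict = field(default_factory=dict)
    # Every place a copy lives; all must be purged before deletion is confirmed
    locations: list = field(default_factory=list)


def deletion_due(rec: Record, now: datetime):
    """Return (due, reason). Unknown categories are flagged, never silently kept."""
    rule = SCHEDULE.get(rec.category)
    if rule is None:
        return False, "no retention rule for category: needs review"
    if "period" in rule:
        deadline = rec.collected_at + rule["period"]
        return now >= deadline, f"fixed period, deadline {deadline.date().isoformat()}"
    event_ts = rec.events.get(rule["criterion"])
    if event_ts is None:
        return False, f"awaiting event {rule['criterion']!r}"
    deadline = event_ts + rule.get("grace", timedelta(0))
    return now >= deadline, f"criterion {rule['criterion']!r} met, deadline {deadline.date().isoformat()}"


def run_retention(records, now, purge):
    """Evaluate every record, purge those due, return (audit_log, needs_review).

    `purge(rec)` must remove the record from rec.locations and return the list
    of locations it actually purged. The entry is marked "deleted" only when
    that covers every known location; otherwise "partial" with the leftovers,
    so someone follows up on the backup or replica that still holds a copy.
    Each entry carries the hash of the previous one, so the log is tamper-evident.
    """
    log, review = [], []
    prev_hash = "0" * 64
    for rec in records:
        due, reason = deletion_due(rec, now)
        if rec.category not in SCHEDULE:
            review.append(rec.record_id)
        entry = {
            "ts": now.isoformat(),
            # Pseudonymous reference: the log must not itself become a copy of the data
            "record": hashlib.sha256(rec.record_id.encode()).hexdigest()[:16],
            "category": rec.category,
            "rule": reason,
            "action": "retained",
            "prev": prev_hash,
        }
        if due:
            purged = purge(rec)
            missing = [loc for loc in rec.locations if loc not in purged]
            entry["action"] = "deleted" if not missing else "partial"
            entry["unpurged_locations"] = missing
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        prev_hash = entry["hash"]
        log.append(entry)
    return log, review


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_records():
    """Constructed sample records (no real consumer data)."""
    return [
        Record("txn-1001", "card_transaction", NOW - timedelta(days=3),
               events={"transaction_completed": NOW - timedelta(days=2)},
               locations=["orders-db", "payments-log", "nightly-backup"]),
        Record("cust-42-card", "card_saved", NOW - timedelta(days=400),
               locations=["vault"]),
        Record("lead-77", "marketing_email", NOW - timedelta(days=400),
               locations=["crm"]),
        Record("ticket-9", "support_ticket", NOW - timedelta(days=200),
               events={"ticket_closed": NOW - timedelta(days=30)},
               locations=["helpdesk"]),
        Record("legacy-5", "analytics_export", NOW - timedelta(days=900),
               locations=["s3-bucket"]),  # no rule: surfaces as a gap
    ]


def demo_purge(rec):
    """Stand-in purge hook: pretends the backup copy cannot be purged in place."""
    return [loc for loc in rec.locations if loc != "nightly-backup"]


if __name__ == "__main__":
    audit, gaps = run_retention(sample_records(), NOW, demo_purge)
    for e in audit:
        print(f"{e['category']:18} {e['action']:9} {e['rule']}")
    print("needs review:", gaps)
```

Running it shows the completed card transaction ending up as a partial purge because the nightly backup still holds a copy, the saved card retained pending the customer's removal event, the stale marketing record deleted, the recently closed ticket retained inside its grace period, and the uncategorized export flagged for review. Those five outcomes are exactly the lines a regulator, or your own auditor, will want to see in the record.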
Of course, "deletion" might not be the right vocabulary to use here, as there is a difference between deleting data and destroying it. Data that is deleted in the conventional way, such as by moving it to your computer's or cloud service's trash, is usually not gone: only the reference to it is removed, the underlying bytes stay on the storage medium until something overwrites them, and further copies typically survive in backups, snapshots and replicas. That leaves the data in a form where it can reappear, which creates a major liability for organizations should attackers find a way to get their hands on it.
Data destruction is a much more thorough process, and it starts at collection. When collecting data, make sure your employees keep track of where it is stored. No copy of any consumer data should be casually put somewhere that employees can forget about. That way, when it is time to delete, you can purge it from every possible location, digital or physical.
This is particularly relevant when data is stored on end-of-life hardware. Just because the computer died does not mean the data died with it. Before you say goodbye to a piece of hardware, make sure it is thoroughly scrubbed of any consumer data. The most reliable way to do this is to properly destroy the media on which the data was kept: shredding, crushing or incinerating drives, or degaussing magnetic drives. Note that degaussing does nothing for SSDs and other flash media; those need the drive's built-in sanitize or cryptographic-erase function, or physical destruction. NIST SP 800-88 (Guidelines for Media Sanitization) describes the appropriate method for each media type, and whichever method you use, keep a record of what was destroyed, when, how and by whom, so that the destruction is as auditable as the rest of your deletion program.