Dropbox drops the box again – why data retention policies matter

So Dropbox has admitted that a bug led to deleted data mysteriously re-appearing in users’ folders. Zombie file apocalypse? Hardly. Surely it’s just a storm in a digital teacup?

Well, no. Deletion matters, and it will matter a lot more from May 2018. Oh yes, it’s another GDPR reference – you didn’t think I was going to let that one drop, did you? But the GDPR is only a part of the issue. Here are three reasons why you need to think harder about your data retention policies:

  1. Non-disclosure agreements

How many of these charming things do you sign in a typical year – either stand-alone or as part of contracts, proposals, RFPs, ITTs and all the other bureaucracy of modern business? If your world is anything like mine, it’s dozens a year. Every single one of them will include a provision that you delete any confidential information received from the other party, either at their request or when the purpose for which the information was provided has expired. The legal teeth behind these agreements are usually pretty sharp, including charming provisions like recognition that injunctive relief may not be sufficient – in other words, we’re not just going to sue you to make you delete it, we’re going to go for compensation too. So not reliably deleting files can land you in surprisingly hot water.

  2. Version control

Ever mistakenly quoted a price from last year’s catalogue, or submitted a draft report instead of the finished version? You’d be surprised how often this happens in organisations with poor data hygiene. If people keep multiple copies of documents – in personal folders, in draft folders, in their email as attachments – it can become very difficult to work out which one is the current or the authoritative version, especially if you weren’t directly involved in compiling the document in the first place. Having an effective data retention policy that requires the deletion of out-of-date material, and of draft versions once the final version has been approved, can help minimise the chances of this kind of mistake.

  3. Data protection

Here we go. From May 2018, data will have a lifespan. When you obtain the subject’s consent to store and process their data, you’ll have to tell them what you’re going to do with it and how long you’re going to keep it. Guess what? If you keep it beyond the duration you specified, that’ll be a breach – so having it resurface after deletion wouldn’t be especially helpful. Remember also that data subjects have the right to change their minds and request the deletion of any non-transactional data immediately – and the deletion or correction of anything they think is incorrect. Finally, if they formally ask you to tell them everything you hold about them, you have to comply – for free – and you have to be comprehensive. So the less data you keep, the less risk there is – getting rid of data you no longer need is very much part of effective data protection.

So, if you don’t have a data retention policy, you’d best get on with writing one. If you do, you might want to check it’s actually being enforced, and if you use Dropbox you might want to have a look to see if some of the things you thought you’d safely disposed of have risen from the grave. Oooo. Spooky.
