Archiving personal data and its regulatory implications
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
There is a saying in data protection speak, “don’t keep what you don’t need.” As simple as that may sound, many companies keep what they don’t need thereby having a huge set of toxic data. Toxic data is those data assets that company save with the intention of using it again. But this springs dangers and create room for data breaches.
Talk Talk, a British telecommunications company, fell for this trap. They archived some data sets digitally without creating clear cut security measures. After the data was leaked, it affected both old customers and new customers. This singular data breach brought reputational damage on the company and plummeted their share price.
The big question is why do companies like to archive personal data? Well, the first thing is that personal data is gold. It goes without saying that companies who have amassed a lot of data in various business functions can use this data to enhance their business offerings.
Plus, in the world of big data, companies believe that the bigger the data the better they are. I argue that keeping any sort of data in perpetuity is quite a business risk and needs to be addressed. The information owner should put these risks into consideration and come up with the best way to resolve such risks.
Some stakeholders ask what the best digital archiving methodologies is. Well, to me, the secure and best way is deleting data that you don’t have the need for. It’s like holding onto keeping flames in the house with the hope that it would become useful in the future.
That’s setting oneself to get burnt in the near future. If really, companies want to keep datasets as is, then they should consider taking out the necessary insurance to cover the risks around those information assets.
Now, if personal data has to be archived, there are regulatory implications. There are two know methodologies where companies safely archive data. They are namely: anonymisation and pseudonymisation.
Anonymised personal data means that every identifier have been irreversibly removed and data subjects are no longer identifiable. When this is carried out there fully, the data becomes hard to process.
In most cases, companies use this data for research and analytical purposes. However, there have been cases where companies have found out that this methodology stifle attempts to process the data for analytical purpose, and which leads to pseudonymisation.
With pseudonymisation, companies can remove certain identifiers or replace identifiers with other markers so that it cannot easily be traceable for anyone.
For example, a name like “Lekan”, can be pseudonymised into “nalek”. This way it can be used for various functions like research, analysis, and other functions that the business might need those data set for.
Archieving personal data has a role to play in the day-to-day management of business functions. However, a misstep can bring a company down. The onus, therefore, is on the companies to consult with their information security manager to tease out the best approach for archiving personal data