As companies prepare for the updated General Data Protection Regulations (GDPR), many are focussed on ensuring the data they hold is secure. This is certainly an essential part of not only achieving compliance but also protecting against the recent wave of hacking and ransomware attacks. However, security isn’t the only aspect of data management that is being tightened up with the amended rules. Companies are also obliged to provide customers with information on where their data is stored and prove it has been fully deleted if requested.
These two aspects are related. You need to know where the data is before you can delete it, after all. This may not always be as straightforward as it sounds; if you have interlinked systems then you may not have a clear picture of where a customer’s data resides. For example, you may have someone’s details on a customer list and on a marketing list to send future promotions. You may also have versions of their data on an accounts system, or a customer service system if there has been a query or complaint, and you may even have their details sitting in a data analytics programme used to spot trends and opportunities within your company.
If you’re deleting customer data on request, you need to prove it has been fully wiped from every system; these new measures go beyond the “right to be forgotten” rules of the past. It is not enough to restore factory settings or wipe data by hitting the delete button. Companies will need to either destroy the storage device, which is neither a practical nor an environmentally friendly option, or look at data erasure or cryptographic erasure. Data erasure overwrites data across all sectors of the device; cryptographic erasure encrypts the data prior to deletion and then wipes the decryption key.
Preparing for the introduction of the GDPR means a complete audit of how and where your data is stored and how it will be managed in the future. This may seem like an additional administrative burden, but getting a full picture of your data has benefits beyond legal compliance. If you know where your data is held and how to access it securely, you can use company data to understand your market and customers and identify new opportunities. You can also protect against continuity concerns such as data loss and hacking. The GDPR requirements may seem stringent, but in many ways they’re simply enforcing best practice, which can help a business become a lot more competitive.