5 Easy Steps to Boost your IT security

Welcome to Penneo’s newsletter, where you’ll find actionable advice to tackle the challenges faced by your business when it comes to data security & regulatory compliance.

Today’s read is ~5 minutes.


In the last newsletter episode, we focused on the consequences of data breaches.

If sensitive data falls into unintended hands, a failure to preserve its confidentiality has occurred. And such a failure usually cannot be remedied. Once a secret has been revealed, there’s no way to un-reveal it, which can cause substantial financial losses and affect an organization’s reputation for years.

In a world that increasingly functions through blockchain, designed to record everything permanently, how can a person protect their privacy?

And in a time when privacy breaches are perhaps the most severe and dangerous security issues, how can businesses ensure they’re handling data as the law requires?

Don’t make yourself an easy target

Your computers may be holding personally identifiable information (PII) of former employees and ex-customers, along with confidential financial records. About a third of the data you store is likely redundant, obsolete, or trivial.

How foolish would it be to fail to comply when you didn’t even need the lost data in the first place?

Keeping data beyond its useful life poses a risk itself. Acknowledging how critical it is to get rid of it is a good start, provided it’s done the right way.


Trying to right a wrong

Many mistakenly believe that deleting files will remove them for good from the hard drive, leaving no trace. Well, the bad news is: that's not how it works.

Emptying the recycle bin does not prevent files from being retrieved. It simply removes the reference the operating system uses to find them; the file content itself stays on the disk and remains recoverable until it is overwritten or the storage medium is destroyed.

If you don’t handle data correctly, your information could be at risk of being accessed by unauthorized people or stolen.
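To make the point above concrete, here is an added toy model (not code from the newsletter or from Penneo): a miniature filesystem in which a directory maps names to data blocks. "Deleting" only drops the directory entry, so a raw scan of the blocks still finds the content until the freed blocks are overwritten. All names and the sample file are constructed for the demo.

```python
"""Toy filesystem showing why an ordinary delete leaves data on disk."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_SIZE = 8     # bytes per block, kept tiny for readability (constructed)
BLOCK_COUNT = 16


@dataclass
class ToyDisk:
    blocks: List[bytes] = field(default_factory=lambda: [bytes(BLOCK_SIZE)] * BLOCK_COUNT)
    directory: Dict[str, List[int]] = field(default_factory=dict)  # name -> block numbers
    free: List[int] = field(default_factory=lambda: list(range(BLOCK_COUNT)))

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate blocks from the free list and store the content."""
        used = []
        for i in range(0, len(data), BLOCK_SIZE):
            n = self.free.pop(0)
            self.blocks[n] = data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            used.append(n)
        self.directory[name] = used

    def delete_file(self, name: str) -> None:
        """Ordinary delete / empty recycle bin: forget the name and mark the
        blocks free, but do NOT touch their contents."""
        self.free.extend(self.directory.pop(name))

    def read_file(self, name: str) -> Optional[bytes]:
        """What the operating system can still see through the directory."""
        if name not in self.directory:
            return None
        return b"".join(self.blocks[n] for n in self.directory[name]).rstrip(b"\0")

    def carve(self, marker: bytes) -> bool:
        """Forensic-style scan of the raw blocks, ignoring the directory."""
        return marker in b"".join(self.blocks)

    def overwrite_free_blocks(self) -> None:
        """Sanitize: overwrite every unallocated block with zeros."""
        for n in self.free:
            self.blocks[n] = bytes(BLOCK_SIZE)


def demo() -> tuple:
    """Returns (os_view_after_delete, carved_after_delete, carved_after_overwrite)."""
    disk = ToyDisk()
    disk.write_file("salary.txt", b"SALARY:EUR-90000")   # constructed sample content
    disk.delete_file("salary.txt")
    os_view = disk.read_file("salary.txt")               # None: the OS cannot find it
    still_there = disk.carve(b"SALARY")                  # True: bytes are still on disk
    disk.overwrite_free_blocks()
    return os_view, still_there, disk.carve(b"SALARY")   # (None, True, False)
```

Real disks add complications the model omits (SSD wear levelling, journaling, backups), which is why overwriting or destroying the medium, not just deleting, is the reliable way to retire data.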

The truth is that such a threat could be easily avoided with safer data deletion practices. Besides, implementing an effective ad hoc procedure is required by law.

GDPR to the rescue!

To increase people’s control over what companies can do with their data, the GDPR regulated the “right to be forgotten” that enables people to get a say about the retention of personal information collected on them.

However, the rightful request from a person must be weighed against - for example - the potential need for information in the event of future legal claims or the legal obligation of retaining a record after the end of a business relationship.

In other words, it’s up to the companies to find a workable compromise between a person’s right to have their data erased and the business's needs and duties.


Time to update your data retention policy?

When no such exception applies, two GDPR principles must guide the retention periods you set:

  • Data minimization: the less data you have, the less you have to protect. The collection must be limited to what is strictly necessary to accomplish specified and legitimate purposes.
  • Storage limitation: don’t keep data for longer than you need it. Personal data must be stored in a form that permits the identification of subjects for no longer than is necessary for the agreed purposes.

Our recommendations

Small steps can be a total game-changer for your IT security:

1. Identify and localize all personal information your company holds to classify data and define deletion rules per category.

2. Inform data subjects about how long their data will be stored, how consent can be withdrawn, what rights they can exercise, and how.

3. Keep the personal data for only as long as necessary.

What does that mean in practice, though? Well, in short:

  • If the data refers to employees, you only need it as long as the employment relationship and related legal obligations last.
  • If it belongs to customers, you should not keep it beyond the term of the business relationship and related legal obligations - unless otherwise required by law. For example, for firms in AML-regulated industries, there is a retention period set by law at 5 years after the end of the business relationship.

4. Keep a record of the retention periods and their basis.

5. When data is no longer necessary, make sure to actually delete every single piece of information relating to a person – on every file, folder, register, database, mailing list, and any backup server.
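One way to turn steps 1, 3, 4 and 5 into something checkable, as an added example that is not Penneo's own tooling: a small retention schedule that records each category's period and legal basis, and flags which records are due for deletion on a given date. The categories, the sample records and the rule table are constructed for the demo; the 5-year AML period is the one quoted above.

```python
"""Retention schedule check: which personal-data records are due for deletion?"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Step 4: a record of retention periods and their basis (constructed rule table).
RETENTION_RULES: Dict[str, Dict] = {
    "employee":     {"years_after_end": 0, "basis": "employment relationship + legal obligations"},
    "customer":     {"years_after_end": 0, "basis": "business relationship + legal obligations"},
    "customer_aml": {"years_after_end": 5, "basis": "AML rule: 5 years after end of relationship"},
}

# Constructed sample inventory (step 1); relationship_end None = still active.
SAMPLE_RECORDS: List[Dict] = [
    {"subject": "emp-1",  "category": "employee",     "relationship_end": date(2020, 3, 31)},
    {"subject": "emp-2",  "category": "employee",     "relationship_end": None},
    {"subject": "cust-1", "category": "customer",     "relationship_end": date(2022, 1, 15)},
    {"subject": "cust-2", "category": "customer_aml", "relationship_end": date(2019, 6, 30)},
    {"subject": "cust-3", "category": "customer_aml", "relationship_end": date(2021, 6, 30)},
]


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 Feb anchor rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(category: str, relationship_end: date) -> date:
    """Last day the record may be kept under its category's rule."""
    return add_years(relationship_end, RETENTION_RULES[category]["years_after_end"])


def due_for_deletion(records: List[Dict], today: date) -> List[Tuple[str, str, str]]:
    """(subject, category, basis) for every record whose retention period has expired.
    Records with an open relationship are never due (step 3)."""
    due = []
    for rec in records:
        end: Optional[date] = rec["relationship_end"]
        if end is None:
            continue
        if retention_end(rec["category"], end) < today:
            due.append((rec["subject"], rec["category"], RETENTION_RULES[rec["category"]]["basis"]))
    return due


if __name__ == "__main__":
    for subject, category, basis in due_for_deletion(SAMPLE_RECORDS, date(2024, 1, 1)):
        print(f"delete everywhere (files, DBs, mailing lists, backups): {subject} [{category}] {basis}")
```

The output list is what step 5 has to act on: each flagged subject must be purged from every file, database, mailing list and backup, not just the primary system.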


Bonus tip: When outsourcing some of your business processes to service providers (for example, your CRM or ERP software), you’re also sub-contracting the processing of personal data. And you will need to rely on those same service providers for the complete and compliant deletion of the data stored in their databases.

Therefore, one last but crucial piece of advice is to entrust compliant service providers that have clear data policies in place and give you visibility and transparency over their data processing and disposal procedures.

Better be safe than sorry

The internet is today the frontline of an ongoing battle between companies and an unseen enemy. Every company is a target, no matter its size, function, or annual revenue - no region or industry is immune.

The bottom line is that just having a presence online makes you a potential cybercrime target.

Putting an adequate data deletion policy in place is a great defense, as well as a key aspect of a forward-thinking data management strategy. Not to mention the benefits in terms of storage optimization and overall compliance.


Long story short: There’s plenty of human-produced data you don’t get any value from, and keeping it is only potentially harmful. What’s more, the information you don’t hold doesn’t need to be checked for compliance, disclosed in a GDPR subject access request, or apologized for after a data loss.

Need some help? Check out our 3-step process to develop an effective data retention policy for your business.



Thanks for reading!

If you're interested in reading more about how to ensure compliance in your business, check out Penneo’s website, and follow us by subscribing to our email newsletter!

Subscribe and browse our previous newsletters and articles here.