Marie Kondo your data
I was recently told a story about a company doing an internal audit and finding nearly 10 years' worth of ID card scans on an employee's computer. That's a huge stash of real people's identity documents just sitting on a laptop.
There was nothing nefarious going on; the employee just kept saving documents when needed and left them there "just in case".
“Just in case” is an expensive sentence when it comes to data protection.
The GDPR clearly states that you can only keep personal data for as long as you need it and for the purpose you initially collected it for. After that, it has to be deleted or anonymised. “Just in case” isn’t in there.
Hoarding data seems to be the default nearly everywhere. Old CVs from job applicants rejected 3 years ago, customer data from closed accounts, bookings from before the pandemic... It's all still sitting there, in mailboxes, shared drives, CRMs. I see it all the time.
This hoarding isn’t harmless. Every bit of data you hold on to, you’re legally responsible for. If there’s a security incident, you’re not only going to have to explain why it happened, you’re also going to have to explain why you still have that data.
About 1 in 6 GDPR fines is for keeping data longer than needed. For example, France's CNIL fined Discord €800,000 for failing to define and respect a data retention period. There are plenty more of these on GDPRhub if you're curious.
The solution isn't complicated: decide how long you need to keep each type of data (and whether you even need it in the first place), write that down, then actually follow through and do some cleaning at regular intervals.
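Here is what "write it down, then follow through" can look like as code. This is an added example, not part of the original post: a retention schedule per data category (the periods and categories are constructed placeholders, not real policy values), and a dry-run pass over constructed records that says what must be kept, deleted or anonymised, and flags anything with no defined period instead of silently keeping it.

```python
from dataclasses import dataclass, replace
from datetime import date

# Retention schedule: category -> (maximum age in days, action once expired).
# Constructed placeholder values; a real schedule comes from your own documented policy.
RETENTION_SCHEDULE = {
    "applicant_cv": (180, "delete"),
    "closed_account": (365 * 2, "anonymise"),
    "id_scan": (30, "delete"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date
    owner: str  # the personal identifier we must stop holding


def retention_decision(record: Record, today: date) -> str:
    """Return 'keep', 'delete', 'anonymise' or 'review' for one record.

    A category with no entry in the schedule is the "just in case" case:
    it has no documented purpose or period, so it is flagged for review
    rather than kept by default.
    """
    rule = RETENTION_SCHEDULE.get(record.category)
    if rule is None:
        return "review"
    max_days, action = rule
    age_days = (today - record.collected_on).days
    return action if age_days > max_days else "keep"


def anonymise(record: Record) -> Record:
    """Strip the identifying field so only non-personal data remains."""
    return replace(record, owner="<redacted>")


def plan_cleanup(records, today: date) -> dict:
    """Dry run: group record ids by required action so a human can approve before applying."""
    plan = {"keep": [], "delete": [], "anonymise": [], "review": []}
    for record in records:
        plan[retention_decision(record, today)].append(record.record_id)
    return plan


SAMPLE_RECORDS = [  # constructed sample data
    Record("cv-1", "applicant_cv", date(2021, 1, 10), "alice"),
    Record("cv-2", "applicant_cv", date(2024, 5, 1), "bob"),
    Record("acct-7", "closed_account", date(2020, 3, 3), "carol"),
    Record("id-3", "id_scan", date(2024, 5, 20), "dave"),
    Record("misc-9", "random_export", date(2019, 9, 9), "erin"),
]

if __name__ == "__main__":
    print(plan_cleanup(SAMPLE_RECORDS, date(2024, 6, 1)))
```

Run the plan on a schedule (a cron job or CI task) and keep its output as evidence that the retention policy is actually enforced, not just written.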
Colin