As the GDPR deadline creeps up, it's worth reminding ourselves of the difference between data cleansing and data erasure, because getting this wrong could be an expensive mistake.
Data cleansing is of course a catch-all term for making sure that your data is up to date. Most companies have very poor housekeeping when it comes to having pristine data. Primarily this is because it is an onerous and constant task to make sure your data is a) serving your needs on a commercial level, and b) meeting regulatory requirements. The regulatory environment is going to make compliance harder in 2018 as the GDPR requirements come into force.
The process of maintaining commercially relevant data should be revisited regularly to ensure that the data is being used optimally. Whether that is ensuring that the right marketing messages are being delivered, or that customers are getting relevant updates, the processes for reviewing, standardising, migrating and enriching data should be rock solid. Once there is a clear view of the data being held, it can be cleansed and regulations can be followed. For example, the new landscape might see a tranche of information requested from individuals, so having a handle on data will make compliance easier.
Individuals’ rights will mean they can insist on permanently erasing data. There are some best practices for data erasure which are worth reminding yourself of, so that erasure can be implemented and you can pass any audits. This advice comes from the International Data Sanitization Consortium (IDSC).
This involves destroying physical data storage devices by shredding them or degaussing them, which means wiping them with powerful magnets.
You have to be careful to use erasure methods which are compliant, and this will encrypt personal data, which makes it impossible to recover.
These processes overwrite data on storage devices, which means it can’t be recovered. The overwriting process must be verified, and this should produce a certificate of erasure.
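As an added illustration of the overwrite, verify and certify sequence described above (not code from the original article or from the IDSC): a constructed image file stands in for a whole storage device, and the certificate field names and the asset ID are assumptions, not a standard format.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

BLOCK = 4096  # bytes written and checked per step

def overwrite(path, fill=b"\x00"):
    """Overwrite every byte of the target with the fill byte and force it to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as dev:
        for off in range(0, size, BLOCK):
            dev.write(fill * min(BLOCK, size - off))
        dev.flush()
        os.fsync(dev.fileno())
    return size

def verify(path, fill=b"\x00"):
    """Read the whole target back; return (bytes_checked, offsets of failed blocks)."""
    checked, bad = 0, []
    with open(path, "rb") as dev:
        while chunk := dev.read(BLOCK):
            if chunk != fill * len(chunk):
                bad.append(checked)
            checked += len(chunk)
    return checked, bad

def certificate(path, asset_id, fill=b"\x00"):
    """Build an erasure record; the field names are illustrative, not a standard."""
    checked, bad = verify(path, fill)
    record = {
        "asset_id": asset_id,
        "method": "single-pass overwrite with 0x%02x" % fill[0],
        "bytes_verified": checked,
        "failed_block_offsets": bad,
        "result": "PASS" if checked and not bad else "FAIL",
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }
    digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode())
    record["record_sha256"] = digest.hexdigest()
    return record

if __name__ == "__main__":
    # Constructed sample: a temp image of fake personal data stands in for a device.
    fd, image = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"name=Jane Example;email=jane@example.test\n" * 1500)
    os.close(fd)
    overwrite(image)
    print(json.dumps(certificate(image, "DEMO-0001"), indent=2))
    os.remove(image)
```

A block that still holds old content after the pass is listed in `failed_block_offsets` and turns the result to FAIL, so the record documents the verification step as well as the overwrite.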
There are many data erasure methods which will not pass an audit. These include reformatting disk drives, data reformatting, restoring to factory settings or file shredding. You can read about how to sanitise data in more detail here (https://www.datasanitization.org/data-sanitization-terminology/#incomplete).
To make sure your organisation has streamlined processes, start with the commercial need for the data: ensure your data is serving your needs, and that the processes in place update it regularly. From here you should then stress test your process for audits and requests for deletion. Make sure that anything that could be asked of you can be completed and recorded in a compliant way.
Going one step further, you should run regular tests to make sure that the system is working well – the vast majority of data sets are not clean and wouldn’t pass audits that are around the corner. So take the time now to ensure that your data is clean and erasure can be done simply.