- Rajesh Parthasarathy
Retaining Sensitive Data In The Context Of Data Privacy Laws
Founder and CEO of Mage Data — a leading provider of data security and data privacy solutions for global enterprises.
With rising incidents of data breaches and loss of data privacy, regulatory bodies have established privacy laws like the GDPR and CCPA to ensure organizations adopt standard measures and safeguards to protect the data privacy and security of individuals. Although individual laws have their nuances, the underlying philosophy of all privacy regulations is to set some standard rules pertaining to data security and at the same time empower individuals to make informed decisions regarding their personal data and how it is being used by organizations.
Privacy regulations mandate security measures like data retention periods and data security standards like encryption, as well as timelines to respond to data subject requests. However, in many cases, each country or region has its own regulatory body with its own set of standards and mandates, and therefore, organizations face a massive task in demonstrating compliance with multiple regulations simultaneously. That is why organizations should try to abide by the spirit of the law rather than the word of the law. This article summarizes a few of the conflicting scenarios that organizations face when trying to demonstrate compliance with the law.
The Disconnect Between Different Privacy Laws
Some laws require companies to store personal data, even if it no longer has a practical use. For example, the Family Educational Rights and Privacy Act (FERPA) is a primary educational privacy law in the U.S. It has no retention period, but state laws often need institutions to maintain records for a long time. For example, Washington state legislature mandates schools to store educational documents for at least 50 years from each student's enrollment date. These documents include names, addresses, social security numbers, attendance records, payment data and other details.
The Health Insurance Portability and Accountability Act (HIPAA) is a primary medical privacy law in the U.S. It does not have a mandatory retention period either. Rather, each state sets its requirements. For example, Washington state requires hospitals to preserve and maintain the medical records of adult patients for 10 years following the most recent patient discharge. So, even if specific privacy laws require organizations to delete sensitive data within 30 days, this may not always be possible.
Employee Documents And Business Records
Companies also hold legal obligations to maintain employee records. Mandates state that these records be retained for seven years after an employee leaves the company and for up to 10 years if the employee gets injured at work or files a claim against the company. Storing these documents beyond that period is also wise because they can help if a legal dispute arises. Tax returns should be kept for three to six years. Accounting records should be held for at least seven years. Likewise, bank statements need to be retained for seven years, and other documents like ownership records should be kept permanently.
Several systems also have operational limitations in modifying data records. For example, consider the case of any relational database that underpins most of the human capital management (HCM) or enterprise resource planning (ERP) systems. In a payroll process scenario, with employee details and pay data being maintained in separate tables, the payment amount goes into an accrual in accounting on the side of the general ledger. As soon as it is paid, the bank balance decreases, and the expenses increase.
Now, if any employee details are deleted, it results in orphaned data in the payroll records, ledgers, balance sheets and so on. If these orphaned records repeat for every application the employee interacted with, the number of affected records and applications becomes exponential. This massive problem can lead to a loss of application integrity and a cascade of errors.
Adherence To Data Subject Access Requests
Data subject access requests (DSARs) are an important part of emerging data privacy laws worldwide, with data subjects having fundamental rights regarding the use and access of their data. With the right of access, data subjects can request that organizations provide them with all personal information within their enterprise systems. With the right to erasure, data subjects can request that organizations delete any of their personal information within the organization's records.
Although organizations must respond and adhere to these requests, permanently deleting the records can lead to other issues. For example, what happens when a former employee exercises their right to erasure? What if their request includes data that needs to be stored for a few more years? Most data privacy laws, like the GDPR, state that if you must keep data under a different law, that law supersedes the GDPR. Retaining sensitive data in enterprise systems can lead to extra security and legal risks. That is where a data minimization approach could prove formidable.
The Importance Of Data Minimization
The data minimization approach dictates that sensitive data should not be stored beyond its useful life. In most cases, sensitive information should be anonymized or eliminated as soon as it is viable. Organizations are recommended to follow a systematic approach to substantially reduce their sensitive data footprint through the following steps:
• First, build an accurate, enterprise-wide understanding of sensitive data locations and classifications across data platforms—be it cloud data stores, on-premises or workstations—by performing a data discovery exercise. Understanding the type and location of sensitive data in enterprise systems is the first step to protecting and controlling access.
• Retire applications that are no longer needed and tokenize data that is past the retention period so that the data still exists but cannot be linked to a data subject.
• Anonymize sensitive data in nonproduction systems, effectively rendering it useless to potential threat actors.
This approach enables a much smaller footprint of data that falls under the purview of privacy laws for responding to DSAR mandates. Protecting the data from unwanted exposure is also easier with less data to secure.
With new data security and privacy laws passed each year, the data minimization approach can prove to be an effective strategy for organizations to significantly reduce the security and legal risks associated with carrying sensitive data.