Imagine that your business holds personal data on an individual that is no longer being – or has never been – used. For example, the CV of an unsuccessful recruit, including their address and contact details.
This is referred to as orphaned data, and under the GDPR regime businesses are only meant to retain data that is ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.
That means, even if another relevant job opening might come up later on, you should not hang onto that CV.
‘Why is it there?’
Overall, companies cannot keep information they do not need to process the requests the customer has asked them to process. The struggle is to make sure they know exactly why they need a particular piece of information, or to be absolutely certain that they don’t need a particular piece of information before they erase it.
In order to manage this dilemma and not fall foul of GDPR compliance, businesses need to be able to say why they hold any piece of personal data. ‘Why is it there?’ has to be the first question asked of any personal information.
More importantly, their customers need to understand why as well. Companies still have obligations to those individuals and stakeholders to effectively use the personal data they retain – but they also have to delete anything that is unattached.
The first step, of course, is to understand exactly what businesses hold in term of orphaned data so that they can better understand what they do and don’t need to erase.
The role of AI
This is an area of GDPR where artificial intelligence has a key role to play – and why trust-hub has created the Privacy Lens software to build a more effective system of Personal Data Governance.
Privacy Lens uses AI to highlight any items of personal information that are being held by an organisation but that are not being used for a specified purpose. Finding any such items makes it easier to comply with GDPR’s stringent data minimisation requirements.
Personal data that is flagged as unused by Privacy Lens means that either the organisation has not yet documented all of its processes, or it is holding data for which it has no use and so should delete it. In either case, it highlights the need for follow-up action.
This is vital because the fundamental point of GDPR is transformation. Trust is fast becoming the new currency of the business world and companies can lose market capitalisation if orphaned data is improperly managed.
Streamlining a complex process
With so much personal data held by businesses, a better way to identify and manage what is and is not orphaned data is vitally important. To find out more about Privacy Lens and what trust-hub offers to organisations to help them, please click here or contact us at +44 (0)20 3582 5055.