How long is too long for data retention?
After 20 years you’d think somebody would have found a way to simplify the language and bring a little clarity to what happens to your data once it enters the digital ether. But as organizations have realized they could monetize data, the ToS agreements have become even more ridiculous.
Have you ever actually read any of the small print (or even the large print) of the terms of service you agree to when you sign up for an online community or app?
Unless you’re part of the legal team that drafted that agreement in the first place it’s more likely you simply clicked “I have read and agree to the Terms” and started uploading pictures, comments, and other data.
But your data is important. Eyes may be the window to your soul, but data is the door to your wallet. So how your data is treated shouldn’t be an afterthought.
Terms of Service; Didn’t Read is a great little site that grades some of the biggest players in the online world on how they store and treat data.
Here are a few points from Google:
- Google keeps your searches and other identifiable user information for an undefined period of time
- Google can use your content for all their existing and future services
- This service tracks you on other websites
- Google can share your personal information with other parties
Google is only a C-.
So how long should your data be stored? In Canada, companies are bound by the The Personal Information Protection and Electronic Documents Act (PIPEDA). This act is based on ten fair information principles. One of these states that “Personal information shall be retained only as long as necessary.”
So what does necessary mean? For companies like Google and others it means an undefined period of time. The internet is a Jurassic Park of your personal history trapped in digital amber — just waiting to be accessed and used for commercial purposes. And as I mentioned in the last blog, your data isn’t as secure as you might think as financial incentives drive hackers and other bad actors to develop tools to get access.
What should companies do to protect their client information? At Prime Data, handling mostly data used for variable data printing, we have a policy that dictates client data is only stored for 60 days before it is purged from our systems. This can also be customized based on each client’s need; allowing for re-use of some files and referral back for purposes such as suppression of a record that was used in a previous communication campaign. But even then, it’s ideal if the only data retained is a customer ID number instead of personal information.
Our definition of “as long as necessary” protects the privacy and integrity of our client’s data.
So here are the questions you need to be asking your vendor:
- How long do they store your data and why?
- Is it ever an attachment in an email and stored in your history?
- Is it on a server? If so, how are they guarding against hackers?
- Does your data even need to be on a server at all?
The important thing to remember is that it doesn’t matter how large or small a business is, there is always the possibility of a breach. So it’s important that all businesses have in place procedures to purge data as soon as it’s no longer relevant to a project. This is the only way to absolutely guarantee the security of your clients’ private data over the long term.
If you want to know more about the steps we take to protect our clients please give me a call.
Steve Falk
289.802.0584