Concerns about data cleansing and keeping records up to date will be the next big growth area in data protection.
According to former Information Commissioner Richard Thomas, now strategy adviser for the Centre for Information Policy Leadership (CIPL) at law firm Hunton & Williams, a data protection requirement is that you take appropriate measures to keep your data secure. The last few years have seen public outcry at data losses from sloppy practices, but he predicted that the next big controversy will be over inadequate data cleansing.
Thomas stated that the challenge for companies is ‘not only to be confidential and secure, but also up to date and accurate’. Thomas said: “As the cost of storage has plummeted, people are keeping more and more data. This increases the risk of it being out of date, inaccurate, or no longer relevant. That is going to cause problems for those who are putting data cleansing to one side.”
He argued that companies should create records management policies covering how long they keep data for. “If you are an employer, how long do you keep employees' records on your system? In the old days it was shelf space, and then it was disc space, but now it is so cheap you could keep it forever,” said Thomas.
“I predict that the problems will escalate dramatically over the next few years. There will be scandals where people will suffer real harm from inaccurate data. Companies are not thinking through the issues very well and often have not got good policies in place – How long do we keep customer data? How long do we keep staff data? How long do we keep supplier data? And how do we make sure it is all kept up to date? And if we are still using it, how do we know it is still accurate?”
Bridget Treacy, partner at Hunton & Williams and executive member of CIPL, commented that the issues are even more complex when you need to look at different jurisdictions. Treacy said: “We advise a number of clients on their data retention programmes and you have to look at the types of data that they hold, why they need the information, and the relevant laws that apply to their activities in each jurisdiction.
“We then work with clients to create a matrix summarising the different retention periods that might apply. Clients then decide what is the minimum amount of time they need to keep data for in order to comply with the majority of laws. This is a complex process.”
Thomas claimed that this is ‘a good example of how good data protection requirements make companies think. There are no black and white answers, but you need to balance competing tensions - with some laws saying you must keep data for a minimum amount of time, while data protection says do not go beyond a maximum. You have to justify your approach and find what is right for each type of data.’
“Don't collect it without thinking, don't keep it without thinking and make sure you manage your data actively,” said Thomas.