How can you ensure your legacy data is compliant?

GDPR rules are now in full swing. It’s an organisation’s responsibility to look after all the information they store, no matter how old it might be. That begs the question, how can you ensure your legacy data is compliant?

In this blog, we’ll run through what legacy data is, how long you should keep it, and the different approaches you can take to ensure its compliance.

What is legacy data?

Legacy data is all the data stored by an organisation. Many businesses keep tens or hundreds of terabytes of data, the equivalent of millions of files. Ideally this data would be held on cloud-based systems with proper data management tools. However, many organisations store new files in the cloud while old files remain in legacy file server farms on-premise, or are lifted and shifted into the cloud ‘as is’, without any data analysis or remediation. This is a ticking compliance timebomb.

The owner or responsible person overseeing legacy data is often unclear, meaning it’s possible that nobody knows the relevance or importance of the information – or even how to access it. All organisations should now have GDPR policies in place which include a retention policy, retention schedule and a data or information asset register.

A retention policy is a top-level document that defines roles and responsibilities, the business’s approach to retention, and which laws apply. A retention schedule governs how long a document should be kept for, why and how it should be disposed of, and how to identify different document types.

And an information asset register is a list of what data is held, why it’s held, and who in the business owns it.

Legacy data can easily be swept under the rug and forgotten if these aren’t implemented correctly. That ignorance would itself breach GDPR legislation and mean the legacy data isn’t compliant.

GDPR laws and legacy data

By now, all businesses should be familiar with GDPR legislation. All UK organisations (and industries across the EU, too) are required, by law, only to collect relevant personal and financial data and store it for ‘no longer than is necessary’. They must always have a data retention policy that all staff, customers and stakeholders are aware of.

Businesses can collect data only with the individual’s express consent, or where required to comply with the law.

It’s illegal to store any information if you don’t have this. It can also be used for only its original purpose, whatever that is. For example, you can’t take someone’s address for shipping an item and then use it to send spam mail to their door, as while their consent for you to ship the parcel is implied by their placing the order, it’s not explicit consent for receiving direct mail from you.

As you’ll be aware, you’re legally required to keep specific data for defined lengths of time. Depending on your business’s classification, purchases and activities, you might be required to hold financial records for five, six, seven or ten years. Other types must be kept only for a ‘reasonable’ length, although this isn’t yet defined in law. Public bodies must hold certain data for a set length of time before handing it over to the National Archives.

As a business, it’s your responsibility to hold, protect and eventually erase all legacy data according to your retention schedule, which should cover a broad range of scenarios and data types.

The cost of a GDPR breach can be devastating, both financially and reputationally. Under GDPR, organisations can be fined up to four per cent of their global annual revenue or €20 million (whichever is greater) for breaching the regulations. This is a huge increase on the maximum fine of £500,000 under the UK’s previous data protection law.

Organisations that suffer a data breach must also notify the relevant supervisory authority (in the UK, it’s the Information Commissioner’s Office) within 72 hours of becoming aware of the breach. If the breach is likely to result in a risk to people’s rights and freedoms, then they must also inform those affected. Failing to do so can result in another fine of up to €10 million or 2% of global annual revenue. Simply put, it’s not worth the risk.

What should you do to ensure your legacy data is compliant?

The legitimacy of your continued retention of legacy data is defined by whether you are holding that data in compliance with the requirements of your retention policy and schedule. The retention policy and associated schedule should be defined based on the requirements of the law (such as how long you hold financial records, pre-employment staff checks, personal data etc), the reason you hold the data and whether that reason is still valid, what you told the data subject about how long you would keep data for when you collected it, and the general business requirements around any particular data set. Any legal requirements should be reflected within the policy or schedule.

As such, you have some freedom when deciding what to keep and what to erase. However, it must still be ‘reasonable’, logically thought-out, and acted upon when the time comes. Any breach of your own policy will leave you vulnerable to lawsuits, insurance companies refusing to pay out, and even ICO fines or potential criminal charges.

It isn’t easy to narrow down what to delete and what to keep at the beginning. Content scanning tools can look for personal information such as names, addresses, identification, contact details, and so on, but they’ll miss business-critical information and financial details. You also can’t simply delete everything older than ‘X’ years, since you risk deleting things that should be kept while leaving relatively new files that you no longer need. Nor can you keep information forever, because of GDPR legislation (and business ethics).

Realistically, your best option is the most difficult.

You’ll need to identify the information you hold (in your information asset register) and how long it should be kept for (in your retention schedule), then find a means of ensuring that you keep data for only as long as the retention schedule defines.

As legacy data is often held in file shares, and Microsoft has no built-in means of scanning and analysing that data to categorise it and then, once categorised, retain it for the required period before deleting it, a separate solution is required.

Essentially there are two options. Migrating everything to SharePoint, with its built-in information lifecycle management tools, is your best option. If you don’t use a Microsoft system, don’t want to use SharePoint, or need to leave your data on file shares, you could try alternatives from EMC Dell, IBM or Veritas.

Small businesses should get away with migrating everything into SharePoint before applying retention labels to selected SharePoint libraries. Larger organisations, however, will likely need to adopt specific approaches, utilising different tools and criteria.
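To show what a schedule-driven review of a file share looks like in practice, here is an added example (not code from AMDH Services or any of the products named above). It assumes a retention schedule expressed as path patterns with a retention period in years, takes the last-write date as the start of the retention clock, and uses constructed sample paths and placeholder retention periods; note that files the schedule does not cover are flagged for review rather than disposed of, which is what separates this from a blanket “delete everything older than X years” rule.

```python
from datetime import date
import re
# Constructed retention schedule: document type -> (path pattern, years to retain).
# The periods are illustrative placeholders; a real run takes them from your own schedule.
SCHEDULE = {
    "financial-record": (re.compile(r"^/shares/finance/.*\.(xlsx|pdf)$"), 7),
    "pre-employment-check": (re.compile(r"^/shares/hr/checks/"), 1),
    "customer-order": (re.compile(r"^/shares/orders/"), 2),
}

def classify(path):
    """Map a share path to a schedule entry; (None, None) when nothing matches."""
    for doc_type, (pattern, years) in SCHEDULE.items():
        if pattern.search(path):
            return doc_type, years
    return None, None

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb rolling onto a non-leap year
        return d.replace(year=d.year + years, day=28)

def assess(files, today):
    """Return (path, decision, reason) per (path, last_modified); uncovered files are never disposed of."""
    out = []
    for path, last_modified in files:
        doc_type, years = classify(path)
        if doc_type is None:
            out.append((path, "review", "no retention schedule entry"))
            continue
        expiry = add_years(last_modified, years)  # assumption: clock starts at last write
        if today >= expiry:
            out.append((path, "dispose", f"{doc_type}: retention ended {expiry}"))
        else:
            out.append((path, "keep", f"{doc_type}: retain until {expiry}"))
    return out
# Constructed sample of a file-share listing and assessment date (not real data).
SAMPLE = [
    ("/shares/finance/2016/ledger.xlsx", date(2016, 3, 1)),
    ("/shares/finance/2019/invoices.pdf", date(2019, 5, 10)),
    ("/shares/hr/checks/candidate-dbs.pdf", date(2023, 1, 15)),
    ("/shares/orders/2021/order-1001.csv", date(2021, 8, 20)),
    ("/shares/marketing/brochure-2012.pdf", date(2012, 1, 1)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for path, decision, reason in assess(SAMPLE, TODAY):
        print(f"{decision:8} {path}  ({reason})")
```

In the sample, a five-year-old finance file is kept while a one-year-old pre-employment check is due for disposal, which is exactly the case an age-only rule gets wrong.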

How AMDH Services can help with legacy data compliance

AMDH Services Limited is an independent IT consultancy based in the East Midlands. We’ve made it our mission to partner with small businesses, public sector organisations, charities and churches as we encourage everyone to invest in digital transformation. We firmly believe it’s the most crucial step you can take to promote growth and future-proof yourself.

With decades of experience, we’ll join you in creating and implementing the most effective ways to handle your legacy data. We’ll help you build a cloud-based system, recommend the best Microsoft products to use (SharePoint) and provide instruction on how best to use them.

Could your organisation use a helping hand when it comes to legacy data? Contact us through the below form, email (info@amdhservicesltd.com), or phone (01332 322 588) for an obligation-free, friendly chat. We look forward to your message!

Want to know more?

Why not contact us to arrange a FREE consultation to talk about your ICT needs and how they could best be met?