The Data Use Retention and Disposal Episode
Transcript
Introduction to the Guest and Topic:
Host Ally Krings welcomes Mark Hinely, Vice President of Privacy Assurance Services at KirkpatrickPrice. The episode focuses on the critical components of data governance: data use, retention, and disposal. Mark shares his background as an attorney and his journey into cybersecurity, emphasizing the ethical responsibility organizations have to protect personal data.
What is Data Use?:
Data use refers to any action taken with personal information—accessing, storing, transmitting, or combining it. Whether it’s signing up for a library card, receiving healthcare, or making a purchase, personal data is constantly being processed. GDPR refers to this as “data processing activity,” and it encompasses virtually every interaction involving personal information.
What is Data Retention and Disposal?:
- Retention is the decision of how long to keep data.
- Disposal involves securely removing data once it’s no longer needed.
Mark explains that while physical disposal (like shredding paper) is straightforward, digital disposal is more complex. Simply deleting an app doesn’t mean your data is gone. Organizations often retain data unless explicitly asked to delete it.
Why Does Disposal Matter?:
Poor disposal practices can lead to serious consequences. Mark shares examples:
- 23andMe Bankruptcy: Sensitive DNA data was put up for sale during bankruptcy proceedings.
- Deidentification Risks: If data isn’t thoroughly anonymized, it can be reassembled and traced back to individuals.
- Legal Holds: In litigation, data must be preserved exactly as it was, creating exceptions to standard retention policies.
How Can Individuals Protect Their Data?:
- Request Deletion: Users should actively ask companies to delete their data, especially if no longer using the service.
- Set Personal Retention Policies: Mark recommends individuals do annual “data purges” on their phones and devices.
- Be Mindful of Consent: Understand what you’re agreeing to when sharing data—especially with apps and websites.
How Can Organizations Ensure Compliance?:
- Automated Deletion Tools: Organizations can use scripts and functions to identify and delete expired data.
- Retention Policies: Data should only be kept as long as necessary. Laws, contracts, and business processes can help define appropriate retention periods.
- Access Controls: Sensitive data should be restricted to only those who need it, especially during litigation holds.
The Story That Changed Everything:
Mark emphasizes that data misuse doesn’t always involve a breach. Examples include:
- Using data for purposes beyond original consent (e.g., marketing).
- Sharing data with third parties or subsidiaries without permission.
- Collecting public data without notifying the individual.
- Transferring data internationally without proper safeguards.
He shares real-world cases, including LinkedIn being fined €310 million for unauthorized behavioral analysis and a Belgian insurance company fined for using healthcare data in employee training.
Final Thoughts:
Mark encourages organizations and individuals to treat personal data like borrowed property—only use it for the agreed-upon purpose. He highlights the importance of transparency, consent, and ethical responsibility in data handling. The episode closes with a reminder to visit kirkpatrickprice.com/mpodcast to explore more cybersecurity topics and submit questions.
Notes
- Show notes: The Audit Quality Episode
KirkpatrickPrice is on a mission to help 10,000 people elevate the standards for cybersecurity and compliance. In this episode, Vice President of Privacy Assurance Services, Mark Hinely shares the ins and outs of data use, retention and disposal.
Join Our Cybersecurity Mission: https://www.linkedin.com/showcase/our-cybersecurity-mission
What is “Personal Data”: https://kirkpatrickprice.com/blog/what-is-gdpr-personal-data-and-who-is-a-gdpr-data-subject/
Only have a minute? Data Use, Retention and Disposal: https://www.youtube.com/watch?v=94lxoxpVy4k
Ensure Proper Disposal and Destruction: https://www.youtube.com/watch?v=i-2t2wtOHGk
Data Retention Policy: https://www.youtube.com/watch?v=lARJcjKaSU8
FREE downloadable resource: https://kirkpatrickprice.com/white-papers/privacy-compliance-101/