Many big organisations in India are not wholly prepared to meet the challenges around data erasure, a survey on ‘Data Destruction’ by Deloitte-Blancco shows. According to the report, “larger organisations” and “business to consumer (B2C) organisations” are not as prepared and ready to deal with the issue, compared to smaller or business to business (B2B) organisations.
“Organisations very often do not know where the data is. The fact that they are not able to trace it is the main problem. Discovery and inventory programs can help and solve this problem,” Manish Sehgal, Partner, Deloitte India, told indianexpress.com.
For organisations and companies in India, the issue of knowing where they keep user data could be very important, especially once the new Personal Data Protection Bill (2019) is eventually passed and becomes law. The bill is currently being examined by a Joint Parliamentary Committee and contains a clause which will give citizens the right to demand erasure of personal data.
The existing clause in the bill reads as follows: “The erasure of personal data, which is no longer necessary for the purpose for which it was processed.” If the PDP bill passes with the above clause, this would mean that organisations in India would have to be prepared to handle requests for data erasure on behalf of their customers.
But, as Sehgal notes, if companies are not aware of where the data is being stored, erasing it will become difficult.
The survey showed 84 per cent of large organisations (with more than 10,000 employees) had a defined data retention policy as compared to 57 per cent of smaller organisations (with 500-1,000 employees). But it also means that nearly all large organisations are collecting personal or sensitive data or both, which would then be subject to data retention and destruction requirements.
According to the report, large organisations were significantly more likely to be unaware (21 per cent) of data sanitisation and erasure practices compared to smaller organisations.
However, Sehgal notes that this problem is not just about the size of the organisations, though he adds that such issues get more complicated in larger organisations, which tend to have more complex structures and may have relatively more difficulty in executing such requests.
That does not, however, mean things will automatically be easy for small organisations. In his view, when organisations do not have basic data hygiene embedded in their DNA, they will face problems irrespective of size. “They should ideally follow strong data hygiene, which can help them classify data at the very beginning and help maintain records,” he added. This can help them most when there is a request for erasure.
“Data retention is in itself a big question. Companies need to understand that they can’t let data become a liability,” Sehgal added.
Perhaps one of the biggest challenges in data destruction concerns the processes being used. Nearly 42 per cent of large organisations handled data destruction manually, which the survey notes is an inefficient process and prone to error.
Many large organisations don’t often have the right technology to execute data sanitisation correctly, according to the report.
“There are solutions in the market to help with data erasure, disposal. From a sanitisation perspective, it is all about ensuring that traceability is not there when data is erased,” Sehgal explained, adding that organisations have to have a strategic way of looking at data disposal and what methods they want to follow.
Only 30 per cent of the organisations were adopting automated erasure techniques for data on completion of the retention period, while 63 per cent relied on a manual data destruction process.
The survey also noted that only 32 per cent of organisations produced certification of data removal. This is another problem as it would appear that most organisations have not understood the need for maintaining proof of data destruction, according to the report.
Deloitte’s report also showed that only 43 per cent of survey respondents had appointed a Data Protection Officer or DPO, which is another requirement in the PDP bill. But 18 per cent of organisations intend to appoint a DPO in the next six months. Regarding the requirements of a Data Protection Officer, Sehgal said that this will pose a challenge to companies as well. This is because finding individuals who can fulfil these requirements will not be that easy.
In his view, there are not enough individuals who can fulfil this demand, as education around this topic is still needed in the country and it will take time.