Reply to post:

So the suits swanned off to GDPR events leaving you at the coalface? It's really more IT's problem

m0rt

No.

This has been an issue, regardless of GDPR and the ICO recognise that this isn't always straightforward.

https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf

See page 4.

So, outside of data kept for regulatory purposes which you have no choice over, and your normal backup policies (you do delete old backups, don't you? You don't keep them forever, do you?).

So - scenario: You go back to backup from yesterday because something nasty happened. Yesterday after the backup was taken a set of records were removed. As long as you know, somehow, that these were removed you can reapply the deletion. So the deletion process will need to stay *live* for as long as you feasibly keep backups that may be used to restore from for your day to day running.

In most cases, I would argue this is a week or so for most with daily changing data. If it is a month, then you will need to keep the deletion process longer than that to ensure you can meet your duty. As long as *this is documented* the ICO should see that as endeavouring to comply with the spirit.

If you ended up using a backup from a while back, which may be the case in some scenarios, and some data was resurrected that shouldn't be, and this got out and the sh1t hit the fan, then it comes down to why, the impact, what procedures were in place etc.

There is no black and white answer to a lot of scenarios. You can't help seeing an IP address. And you can't know if this is a piece of Personal Identifiable Information (eg, fixed IP and you have the name and address of this person) or not (temp IP or company firewall). You can't dump this (if a breach you will need to go over your logs) and you can't anonymise it in most cases, or even be sensible to do so. So it comes down to what you do, how you document, don't generally piss take and *show evidence* of what and why you do.

Personal data should be sacrosanct. It is about time it is treated as such. By both the users of that data, and the general public who are, for the most part, pretty clueless. That isn't their fault mostly, it is just that industry has beguiled them with promises, free stuff and The Shiny™
