One day I was having a conversation with my friend Takaya regarding holiday plans during the global pandemic. I figured since there’s nowhere to go, I might just try Marie Kondo’s life-changing magic of tidying up. Plus, the person I was speaking with is also a privacy fanatic like me, so the topic quickly evolved from tidying homes to tidying data.
The truth is the life-changing magic of tidying up does apply to privacy. Without stealing the fun of reading the book itself, here is why:
The goal of the declutter concept is to get rid of things you don’t need so that you can have more control. By 2025, it’s estimated that 463 exabytes of data will be created each day globally, and 188 million emails are sent every minute. Besides generating more data, organizations also collect and process a massive amount of it each day, and of course, personal data is an important part of that. Do we really need to collect all the data, to begin with? Personal data that’s unnecessarily collected ends up in our storage and takes up space, which costs a lot of money to maintain and protect. From a security perspective, we’re increasing our attack surface. Therefore, let’s limit our risk exposure by collecting only the minimum necessary personal data.
“Tidy by category … and you’re on the path to success”
You can’t protect what you don’t know. It’s good to inventory the massive data that you already have on hand, and like Marie suggests in her method, to work by category. Combat unstructured data with data classification. With a clear classification system in place, organizations can further assign the level of protection per category. Data classification also comes in handy when practicing the zero-trust concept these days, whether it’s on-premise or in the cloud (increasingly popular during the pandemic). Regardless of whether this move happens in phases or drag-and-drop, the protection for each classification goes with the data.
“The key is to pick up each object one at a time, and ask yourself quietly, does this spark joy? Joy is personal, so everyone will experience it differently…”
This is analogous to how there isn’t an international standard on data retention. Each country or even each industry has its own requirement on how long a certain type of data should be kept. While the IRS in the US requires keeping tax data for three years after filing, the EU GDPR regulation, on the other hand, does not specify a retention period. Instead, under article 5, it states that “for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
“Cherish the items that bring you joy and let go of the rest with gratitude.”
Before a piece of data is collected, there’s a purpose attached to it, and the rest of the lifecycle of that personal data is served around that initial purpose. Once it no longer exists, it’s time to discard.
“Tidying is a marathon, not a sprint”
Privacy is not a one-time sprint for organizations just to check off the compliance box or to get certified. It’s a long-term practice that should be incorporated throughout daily operations and to enable an organization to be steady and successful. Also, like the KonMari Method, it “places great importance on being mindful, introspective and forward-looking.”
Good luck with your data tidying and let your data spark joy going forward!
About the author: ShanShan Pa is an experienced compliance officer with a demonstrated history of working in various industries and skilled in Data Privacy, Security, Enterprise Risk Management, Internal Audit and Business Process Improvement.