Last week, one of the largest consumer privacy organizations, the Electronic Frontier Foundation, used an op-ed in the New York Times to criticize workspace platform Slack for its data retention policies.
The main issue raised by the article was that Slack retains the messages sent over the platform forever. Though users have the option to delete them from Slack’s servers, the free plans that the company offers are limited to 10,000 visible messages. Users of the free service, therefore, are unable to delete messages in excess of this limit.
Slack’s response was that retaining these messages is a necessary part of their business model: if and when users upgrade to a paid plan, messages beyond the 10,000 limit re-appear.
It’s also worth noting that Slack does not appear to be in breach of any applicable regulations. Even the GDPR does not contain a specific period after which user data should be deleted, except that this should be done as soon as possible.
Nonetheless, the complaint drew a lot of negative press attention for Slack. It’s therefore worth thinking about what the company could have done better when it comes to data retention, and what other companies can learn from the debacle.
When it comes to data retention policy, there are three key principles to bear in mind.
1. Automate Deletion
At a technical level, one of the easiest ways to manage the amount of data that you retain on your customers and users is to automate it. In particular, any user data you hold should be marked with a time limit, after which it is automatically deleted.
This can be implemented at all levels of your systems and most quality business software offers the ability to automatically delete user data after a specified time, or after it has served its purpose.
Not only do these systems ensure that you are compliant with the GDPR, or any other regulations that may apply to your business, they can also be a selling point for your services. As consumers become more and more aware of the sheer amount of data that companies are retaining on them, they are increasingly turning to platforms that are explicit about their data retention policies.
Examples of this can be found in many places, and not just in the recent criticisms of Slack. Many leading secure messaging platforms now delete user messages after a particular time period, as do a growing number of the best secure email providers. If used correctly, an automated system for deleting user data can also be part of your offer to customers. Security is already a popular selling point for these types of services, and the smart money is on the consumer migration to safer messaging and email options continuing.
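As an added illustration of the time-limited retention described above (example code written for this page, not Slack's or any vendor's implementation), the following Python routine enforces a per-category retention policy. The categories, retention periods and sample records are constructed assumptions; a real deployment would load the policy from configuration and run the purge against the actual data store on a schedule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention limit per data category. Categories and limits are assumptions
# made for this example, not values taken from the article.
RETENTION: Dict[str, timedelta] = {
    "chat_message": timedelta(days=365),
    "login_ip": timedelta(days=30),
    "support_ticket": timedelta(days=90),
}


@dataclass
class Record:
    id: str
    category: str
    created_at: datetime
    # Set when the record has served its purpose (e.g. a ticket is closed);
    # the retention clock then starts here instead of at creation.
    purpose_fulfilled_at: Optional[datetime] = None


def retention_deadline(rec: Record, policy=RETENTION) -> Optional[datetime]:
    """Moment after which rec must be deleted, or None if its category has
    no policy. Unclassified data is reported, never silently kept."""
    limit = policy.get(rec.category)
    if limit is None:
        return None
    start = rec.purpose_fulfilled_at or rec.created_at
    return start + limit


def classify(records, now: datetime, policy=RETENTION) -> Tuple[List[str], List[str], List[str]]:
    """Split record ids into (delete, keep, unclassified) relative to `now`."""
    delete, keep, unclassified = [], [], []
    for rec in records:
        deadline = retention_deadline(rec, policy)
        if deadline is None:
            unclassified.append(rec.id)
        elif now >= deadline:
            delete.append(rec.id)
        else:
            keep.append(rec.id)
    return delete, keep, unclassified


def purge(store: Dict[str, Record], now: datetime, policy=RETENTION) -> Tuple[List[str], List[str]]:
    """Remove expired records from `store` (id -> Record) in place.
    Returns (ids removed, ids whose category has no retention policy)."""
    delete, _, unclassified = classify(list(store.values()), now, policy)
    for rid in delete:
        del store[rid]
    return delete, unclassified


# Constructed sample data: a fixed "now" keeps the example deterministic.
NOW = datetime(2018, 8, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("m1", "chat_message", NOW - timedelta(days=400)),   # past 365 days
    Record("m2", "chat_message", NOW - timedelta(days=10)),
    Record("ip1", "login_ip", NOW - timedelta(days=45)),       # past 30 days
    Record("t1", "support_ticket", NOW - timedelta(days=200),
           purpose_fulfilled_at=NOW - timedelta(days=30)),     # closed 30 days ago
    Record("t2", "support_ticket", NOW - timedelta(days=200),
           purpose_fulfilled_at=NOW - timedelta(days=100)),    # closed 100 days ago
    Record("x1", "analytics_blob", NOW - timedelta(days=5)),   # no policy defined
]


def build_store() -> Dict[str, Record]:
    return {r.id: r for r in SAMPLE}


if __name__ == "__main__":
    store = build_store()
    removed, flagged = purge(store, NOW)
    print("removed:", removed)
    print("no retention policy (needs classification):", flagged)
    print("remaining:", sorted(store))
```

Two design choices worth noting: the retention clock starts at `purpose_fulfilled_at` when that is set, which is how "after it has served its purpose" is modelled, and records in a category without a policy are reported rather than kept indefinitely, so that nothing survives by default simply because nobody classified it.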
2. Be Transparent
The second principle of responsible data retention is to be transparent with your customers about the data you hold on them, and to give them as much control over it as possible. This was, in fact, the main thrust of the complaint that the EFF made against Slack: that it would be easy for Slack to let their users delete their data without compromising their business model.
Achieving transparency can be more easily said than done, however. One issue is that many companies are simply not aware of just how much data they collect on their customers, or how long this is stored for. Many systems can accidentally collect user data, especially IP addresses, that is then stored automatically. The first step in building a responsible data retention framework is often, therefore, to complete a thorough audit of the data you already hold.
More generally, you should make it clear to your customers that every piece of information you collect is linked to a specific, pre-defined purpose, and implement a secure consent management framework that ensures permission has been given for every use of user data.
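The audit and purpose-linking steps described in this section, as an added Python example that is not part of the original article: it walks a stored record, flags any field holding an IP address that has no entry in a purpose register (the "accidentally collected" case above), and checks a proposed use of a field against both the register and the user's recorded consent. The register, consent table and sample record are constructed for the example.

```python
import ipaddress
from typing import Any, Iterator, List, Tuple

# Purpose register: every stored field that is allowed to exist, mapped to the
# single declared purpose it serves. Constructed for this example.
PURPOSE_REGISTER = {
    "user.id": "account_login",
    "user.email": "account_login",
    "user.last_login_ip": "fraud_detection",
}

# Consent each user has given, per purpose. Constructed for this example.
CONSENT = {
    "u1": {"account_login", "fraud_detection"},
    "u2": {"account_login"},
}


def walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, value) for every scalar in a nested dict/list.
    List elements share one path with a '[]' marker, e.g. requests[].client_ip."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk(item, path + "[]")
    else:
        yield path, obj


def looks_like_ip(value: Any) -> bool:
    """True for any string that parses as an IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def audit_record(record: dict, register=PURPOSE_REGISTER) -> List[Tuple[str, str]]:
    """Return (field_path, finding) for each IP-bearing field that no
    declared purpose covers. Such fields are candidates for deletion or
    for being added to the register with a purpose."""
    findings = []
    for path, value in walk(record):
        if looks_like_ip(value) and path not in register:
            findings.append((path, "ip_address_without_registered_purpose"))
    return findings


def use_allowed(user_id: str, field: str, purpose: str,
                register=PURPOSE_REGISTER, consent=CONSENT) -> bool:
    """A use is permitted only if the field is registered for exactly that
    purpose AND the user has consented to that purpose. Deny otherwise."""
    return register.get(field) == purpose and purpose in consent.get(user_id, set())


# Constructed sample record. The request log and debug header were written by
# the web stack without anyone registering a purpose for them.
SAMPLE_RECORD = {
    "user": {"id": "u2", "email": "u2@example.com", "last_login_ip": "203.0.113.7"},
    "requests": [
        {"path": "/login", "client_ip": "198.51.100.23"},
        {"path": "/inbox", "client_ip": "198.51.100.23"},
    ],
    "debug": {"x_forwarded_for": "2001:db8::1"},
}


if __name__ == "__main__":
    for path, finding in audit_record(SAMPLE_RECORD):
        print(f"{finding}: {path}")
    print(use_allowed("u1", "user.last_login_ip", "fraud_detection"))  # consented
    print(use_allowed("u2", "user.last_login_ip", "fraud_detection"))  # no consent
    print(use_allowed("u1", "user.email", "marketing"))                # not registered
```

The audit reports the two unregistered IP-bearing fields (`requests[].client_ip` and `debug.x_forwarded_for`) while `user.last_login_ip` passes because the register gives it a purpose. Parsing values with `ipaddress` rather than a regular expression catches both IPv4 and IPv6 and avoids false positives on dotted version strings; `use_allowed` defaults to deny, so a field with no registered purpose can never be used even with consent.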
3. Be Honest
Lastly, there is value in being honest with your customers should a data breach occur. This, again, is more easily said than done, because many businesses rely on third-party suppliers, such as cloud security providers, who may not report that they have been subject to a successful attack. In fact, because there are fines associated with data breaches, there is a perverse incentive not to report them.
There are numerous examples of this, but the Equifax breach is perhaps the most striking. It became one of the biggest stories of 2018, and involved the personal information of 143 million people being exposed. It was caused, believe it or not, by Equifax not updating their system software. What turned the breach into a major news story, however, was that the company did not report it for almost 6 weeks. This not only meant that they incurred extra fines, but also lost them a lot of trust among their customers.
As painful as it might be to report data breaches, therefore, it is always worth doing so. This is particularly true if you hold user data on behalf of other companies, but holds even for small businesses.
Do You Need To Collect User Data?
All of the above principles should inform the way that you work with user data, and can be used as a starting point to define a secure data retention policy.
In conclusion, however, it’s worth taking a step back and considering what data you actually need to collect from users, and limiting your data collection to the minimum necessary to carry out business operations.
Doing this has several huge advantages. The first and most basic is that it ensures compliance with the GDPR and other regulatory frameworks. The second is that by limiting the data you collect you will not end up with mountains of information that needs protecting. The third is that you cannot accidentally leak data you do not have.