Privacy Ref Blog

Data Ages like Milk…

Very common questions we get from clients are how much information should they collect and how long they should keep it.  The standard answer is always to collect only what you need to do business and get rid of it when you no longer need it.  Now the questions become what information is truly needed and when is it no longer going to be used?

“Fresh” Data Helps Facilitates Business

In the majority of cases, business will need the information of a data subject to provide products or services to that person.  For example, Online retailers will need an address and credit card number in order to process a purchase and deliver a product to the data subject.  Generally, once the product is sent and you receive confirmation from your delivery service of choice, you have two options.  Most businesses will keep this information so they can reference it to send marketing materials, such as special offers, to the data subject.  The other option, if the subject opted out of receiving further contact, is to simply remove the data, destroying it and removing any responsibility your business may have had.

Data After the Sale

If you retained the information, there are some considerations you have to make.  Consider a car dealership.  They keep records on who they sell cars to, but they also have information related to sales, such as credit-related reports.  They can use the information about what car was sold and when to provide information on things like recalls, possible repairs or other check-ups, as well as track repairs to diagnose future problems.  This is great, since the information they keep is allowing our hypothetical dealership to provide value.  The data is still relevant to their business and providing to their customers.  The question we should be asking now is how long will that car last and when, if ever, do we get rid of the customer records?

If they found the average ownership of a car was 8 years, the dealership may purge information from their records at certain times.  This prevents them from keeping irrelevant data that could be lost in a breach and create risk to their business.  Additionally, they would not remove all the information, only the information that no longer has value to add to business with the data subject.  If they buy a new car for example, or the lease was up and they no longer have payments to make, the dealership could remove data related to the old vehicle, but keep info like email or physical addresses for marketing purposes.  Remember, information that no longer provides value to you or your customers costs money to store and increases risk to your business in the event of a breach.  Removing the data removes the risk, you cannot lose information you do not have.  Most importantly, you did not lose anything because the data was no longer helping you run your business, making it easier to find the relevant information to that data subject.

Nobody Likes Bad Milk

I have a saying that data ages more like milk than wine.  Data that has lost its original value is “spoiled data” that, like spoiled milk, only stinks up your server with no real value.  If you have a breach, keeping this data will be lost and result in potential financial loses, but if there was no breach, you gain nothing from keeping this kind of data.  This is where businesses need to step up.  In a data retention policy, your team should decide on a time line for your data.  When is it taken, where does it go, what is it used for, and who is using it?  Finally, when is that information “spoiled” and should therefore be removed and destroyed?  Generally, these are not just retention policies, but also destruction policies.

If you are not sure of the answers to these questions, consider a data inventory.  A data inventory will help you determine what you have, how long you’ve had it, and enable you to act on out-of-date data that can be removed from your server.  This simple act can provide you the information to build a strong, sustainable privacy program.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on February 23, 2016 by Ben Siegel

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


April 16, 2018

IAPP Training Classes
Privacy Ref is proud to announce that we are an official training partner of the IAPP. You now have the opportunity to learn from one of our knowledgeable privacy professionals using the most respected training content in the industry. The robust interactive training offered, aids in the understanding of critical privacy concepts. The contents of the courses are integral to obtaining your privacy certifications and to educate your new team. Learn more here.

Latest Blog Posts

June 4, 2018

My First Taste of GDPR
It is no secret that I am, for lack of a better term, a nerd. I am also a Privacy Consultant here at Privacy Ref, so I usually pride myself on knowing about privacy goings on in the world. However, for the first time I was bamboozled by changes to a privacy policy. Continue reading this post...

April 30, 2018

Defining GDPR for Non-Privacy People
During the IAPP’s most recent Privacy Summit, I was approached with an interesting question. “I am a privacy professional and I know why GDPR is important. I know about the fines and requirements for compliance, but few others at my company do. How do I explain GDPR to my colleagues effectively?” I responded with a quick and simple answer that probably did not cover all the bases, so I wanted to write up some deeper thoughts on the subject. Continue reading this post...

Other Recent Posts