The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:
- when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
- when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws. This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted.; and/or
- as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.