How to ensure companies truly delete your personal data

By Marianne Curphey

When you no longer want to be involved with an organisation, you can ask for your banking or credit card details to be deleted. For many companies, this means pressing the delete key and even sending you a letter confirming that your data has been removed from their databases - but this does not guarantee that your files are destroyed for good.

In fact, data files are often retrievable, due to hidden and backup copies.

According to data specialists Ground Labs, partially-deleted files or those hidden in automatic backups - known as "shadow copies" - are providing cyber criminals easy access to valuable, often unmonitored, caches of customer data.

Why do companies store so much data?
In recent years, companies have been focused on streamlining the sales and service process, and finding out more about their customers, says John Greenwood, a fraud prevention expert and marketing director of Compliance3, a consultancy that helps eradicate payment card and personal data fraud in business contact centres.

"What that has meant for firms large and small is greater access to data," he says.

Greenwood says customers expect staff to be able to locate and retrieve customer details quickly and answer any questions they might have, so personal data has become "central to organisations".

How data is overlooked
In the 12 months leading up to November 2016, Ground Labs found 92% of UK companies surveyed - including major retailers, banks and service organisations - had files that were supposed to have been deleted, such as birth dates and credit card numbers.

"Consumers assume that the technology employed in businesses goes far beyond the traditional delete key," John Cassidy, vice president of EMEA at Ground Labs, said in a statement. While this is generally true, he said, most organisations do not have a complete picture of where your data is stored.

"They delete on the basis of what is immediately visible," Cassidy said. "This means that copies, backups and data stored in unusual formats can circumvent the deletion process altogether."

Greenwood, though, notes that "Under the Data Protection Act, a company should only keep information for as long as is necessary. However, companies have data archives, and may not hold all the information about the same customer in a single place."

For example: "A typical bank has hundreds of customer databases and you might appear in them all," says Cliff Moyce, global head of financial services at DataArt, a global network of technology consulting and software services firms with expertise in the financial services industry.

He says a contributing factor to the data protection issue is that departments within banks, card companies or retailers have their own lists of customers.

"Every department has its own database, and humans working in those departments can make mistakes," Moyce says. "Sensitive information, including logins, might be passed to marketing departments, for example. Sometimes staff are not aware of the sensitivity of the data they are handling."

He points to the recent hack of Tesco Bank, which the National Crime Agency (NCA) says may be one of the most serious cyber-attacks in the history of British banking. Tesco Bank temporarily halted all online transactions after 40,000 customers saw suspicious transactions on their savings accounts.

"The chances of the crime being a remote technical hack via a network intrusion is less than 50%," Moyce says. "Far more likely is the (in)action of a human actor, or weak process or weak management controls when information is shared between providers."

How to ensure your data is erased
Never assume your data has been deleted, Moyce says. Ask the company for proof that it has purged your information. You are also entitled to ask which companies your data was sold to and in what form.

Cassidy said consumers who want to be data savvy should be aware of the following hidden dangers:

  1. Don't just hit the delete key. If you really want something removed from your computer, do not assume a quick tap of the delete key will do the job. Run a full search to look for any files with that name, as duplicates or older versions may be stored elsewhere.
  2. Empty your computer trash. Follow up by removing all data from your computer's recycle bin or trash folder. Make sure you empty this folder on a regular basis.
  3. Mind your settings. Your web browser can store all sorts of information including passwords and personal data such as email and home addresses. Know your settings on your devices, and whenever possible, commit passwords to memory rather than relying on your computer.
  4. Backups are just a start. Automatic backups are a useful way of protecting yourself from data loss, but remember that this could include any files you want permanently removed. Know what is being backed up, and focus on specific folders as much as possible.

Published: 9 November 2016