24) Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?
Answer yes if your organisation has a defined process for terminating a client contract and removing all relevant client data securely. Please describe the process in the notes or provide a supporting document (as a PDF file) as evidence.
What is it?
A contract’s termination clause(s) stipulate(s) what happens when the contract is terminated by either or both parties.
Part of these clauses should include what happens to customer data at the end of the contract. Typically, this involves secure and guaranteed deletion of the data within a certain time frame, but this can vary based on the nature of the service and the nature of the relationship.
Certain types of data may also be exempt from the standard terms. For example, because it’s needed for evidentiary reasons in a legal dispute around the contractual breach, because it has been requested by law enforcement, or just complexities due to the particular nature of the service.
Why should I have it?
A detailed process including terms of how and under what conditions and timeframes customer data is to be deleted, given back to the client, or even kept, ensures transparency and clears up any issues around liability over data between the parties.
Without clearly identifying what happens to data under specific circumstances, a number of legal issues can occur due to grey areas over retention, expected processing times, and the processor’s possible need to retain some of the data longer than the client would like for legal or compliance reasons. In some cases, the processor may provide enrichment of customer data and the question of whether and in what conditions the client is entitled to the enriched data in the event of contractual termination, or even the supplier going out of business.
By clearly identifying the various scenarios and how they are to be handled, and referring to those terms within contracts (or policies/processes referred to within the contracts), both client and supplier understand exactly what their expectations and obligations are, providing assurance about what will/needs to happen with the data and what they need to do to avoid any liability.
How to implement the control
As mentioned above, terms around how customer data is handled at the termination of contracts should be defined or referred to within your client contracts/agreements.
Crafting these terms properly requires an assessment of the types of data processed, how they are processed and stored, what retention processes and requirements apply to them, and what legal considerations apply. This should therefore be done with your IT function to identify where the data may reside (including backups), relevant parts of the business that may use or need the data, and your Legal department to make sure all operational and legal aspects are covered.
You will also need to put in place the technical capabilities to allow you to carry out your obligations upon contract termination. The NCSC have published practical advice and guidance on secure destruction of data here and here. You should ensure you have securely erased any hidden areas on the Hard Disk Drive of your devices, as well as the easy access storage. If you use a third party tool or service to enable secure deletion, we recommend you use one that has been approved by the NCSC. You may have to provide evidence or certificates of deletion to your clients.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and processes that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
