Security versus privacy — when should we choose to forget?

What has changed?

  • The General Data Protection Regulation (GDPR) (EU) 2016/679 and UK Data Protection Act (2018) has expanded the definition of ‘personal data’ to a much wider scope.
  • As a result of the above, we need to pay a lot more attention to tertiary identifiers that previously didn’t receive a lot of focus — such as online identifiers.
  • GDPR programmes made people realise they were never really compliant with previous data protection legislation so did a huge catchup which took more effort than it should have done.

What hasn’t changed?

  • We should have already been thinking about how long we keep data for — regardless of purpose: function; analytics or security et al.
  • The rights of the Data Subject being important.
  • Organisational needs for analytics and security being important.
  • Personally Identifiable Information (PII) only being a subset of ‘Personal Data’.
  • Personal Data should only be collected legally and retained for as long as reasonably required.

What does this all mean?

Data retained for analytics

Data retained for security

A pseudo-informed stab at data retention timings

Internal systems

  • administrative access and activity through administrative functions like SSH Bastions and AWS Console
  • access and merge history on repository platforms such as
  • access to email accounts or document services

External systems

  • end-user logins
  • material end-user actions (for example, making a payment or what you would consider a ‘transaction’)
  • contact and password changes (not the data itself, but the changing thereof)

You *should* collect the data you *need*

Use the data you have

The concepts are simple, implementation is hard

The underlying and overriding principle

The thin blue line between technology and everything else.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Keeping Secrets A Secret: Stop Sharing Sensitive Information Via Email And Chat

Announcing the First $ORE Token Meme Contest

Why the Government Shouldn’t have Access to Your Digital Data.

{UPDATE} Awesome Fashionista Nail Beauty Salon Hack Free Resources Generator

Can we stop intercepting user traffic (aka, Man-in-the-Middle) please?

StorX — An Environmentally-FriendlyAlternative to Mega Cloud

{UPDATE} WordYoga: Word Game Collection Hack Free Resources Generator

Pwning Cisco Devices Using Smart Install Exploitation Tool (

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joel Samuel

Joel Samuel

The thin blue line between technology and everything else.

More from Medium

Olympus Odyssey by

What’s coming with Symmetric v2?

ERC-1155 Fractional Vault Bug Postmortem [No Incidents 😊]