The importance of developing defensible deletion practices

Published: Tuesday, 09 August 2022 09:27

Ever-increasing data volumes can hamper organizations, creating enterprise risks. So how do you create defensible deletion practices to improve data risk management? Ray Pathak explains…

Data has become one of the most valuable assets in the organization. However, digitalisation in tandem with a ramp-up in data volumes is producing a mountain of data that bogs down processes and creates a thorny tangle of data-related challenges.

Many organizations have so much data that they rarely know exactly what they have in full detail, or where, or its origins, let alone how to make the best of it in terms of driving fresh business insights or other outcomes. So the question becomes: How can we better manage data in ways that don't introduce yet more risk?

Defining data minimisation

Innovators have discovered that data minimisation could play a much stronger role. This doesn't mean giving up on data-driven insights. Rather, data minimisation refers to the practice of only collecting, processing, and storing the data that is really needed to meet objectives and drive outcomes, including for e-forensics requirements and for compliance purposes.

Data that isn’t retained and kept can’t be breached, or disclosed during litigation or through a data subject access request (DSAR), for instance, under the terms of the General Data Protection Regulation (GDPR). Therefore, it follows that minimising data retention can help safeguard an organization.

Yet the growing requirement for protection also sets regulatory compliance requirements in train for organizations - which means that often, those same organizations are compelled to retain specific data for an allotted amount of time. How can this circle be squared? The answer is to minimise the storage and archiving of data by devising and implementing a retention policy.

Reducing risk

For example, if an organization were to stipulate that all video recordings of in-house and even remote meetings were to be kept by default and preserved indefinitely, these then become a potential risk. They may be viewed by authorised parties but could equally be seen by others, or leaked. Also, in most jurisdictions, they would be deemed discoverable if a civil litigation suit was brought against the company. Now this source of data which was initially kept as a record of an activity to safeguard the company can be used against it.

A reasonable, documented, retention policy requiring the deletion of video recordings after a certain amount of time would mean that such data would no longer need to be preserved ad infinitum. Eliminating this data would reduce risk as well as storage costs, protect the business by reducing the breach surface for attackers, and potentially save the business millions, were it to be compelled to locate and declare this data during e-discovery.

Data minimisation doesn't need to entail the complete erasure of data, however. Rather, it's more about triaging and storing the right volumes and types of data at the correct level and for the right amount of time, in ways that will maximise compliance and minimise risk. In addition, once rules are set around data retention that address the organization's requirements and the compliance with regulatory requirements, the data itself can be more efficiently leveraged and used.

Detecting ROT

Determining the difference between data that is ‘redundant, obsolete, and trivial’ (ROT) and that which must be retained is now a prime focus for businesses, as they concentrate their efforts on defensible deletion practices and honing their data retention and minimisation policies.

Crucial to this is having some sort of accurate mapping or inventory of data. This must be accurate, as IT and other departments including legal need to know where data is stored, what that data is, and who has access to it. Data in backup storage, log files, documents, images and even paper must all be considered as well as all applications in use, including which departments use them and how they are being used.

Continuous scanning of an organization's structured, semi-structured, and unstructured data can give up-to-the-minute visibility into all the organization’s data. Doing this on a continuous basis provides the organization with a clearer view of how to mitigate risks and document progress against compliance and regulatory requirements.

Yet organizations cannot afford to stop at the simple implementation of an effective data retention policy. The data retention policy itself is only just the beginning of the process of managing risk. Network segmentation, data segregation, and encryption at rest and in transit can also help protect information and reduce the impact of any breach, for instance.

Additionally, to really gain true benefits, the team will also need to ensure enterprise-wide buy-in, from the top down, to ensure e-discovery protocols are observed, as well as stress-tested against relevant situations and real-world conditions. To be optimally effective, this should include ongoing education and training, not just for cyber security professionals, but across the entire organization.

Unfortunately, although many if not most companies have made reasonable progress when it comes to implementing data retention policies, aspects of follow-through that are ignored mean these policies are often not fully realised in practice.

For instance, a recent survey shows that some 40 percent of e-discovery professionals questioned implicitly trust people to look after the data correctly, while a similar proportion attempt to solve the issue by collecting and storing too much data – which is not only potentially a waste of resources but can introduce more risk.

Taking an integrated approach

Tracking personal data everywhere it resides and describing how long it should be retained for before defensibly deleting it can result in massive challenges - including cost - for organizations. Integrated retention operations that provide support for any type of data, whether offline or online, on any device or even stored as paper records, in any location, are therefore highly desirable or even essential.

It is also possible to manage data in conjunction with a data regulation library that covers complete data retention requirements from multiple countries, thereby ensuring that the organization stays on top of all compliance stipulations.

Lastly, an appropriate level of orchestration is needed, with data retention processes set to run as required, and as data policies evolve. This will ensure the organization can both continue to protect confidential information while remaining poised and ready to respond to any regulatory demands.

The author

Ray Pathak is the Vice President of Privacy for Exterro, the leading provider of Legal GRC solutions. He has been involved in the privacy space for over 15 years as a privacy operations leader and privacy software business executive. He holds a Bachelor of Commerce degree from Ryerson University in Toronto, Canada and a Fellowship of Privacy certification from IAPP.