A data retention crisis?

Armed with significant enforcement powers, regulators continue to grow bolder and more confident in taking enforcement action in support of data regulation and the protection of citizens’ digital information. By Mark Keddie, Global Director of Privacy, Veritas Technologies.

Thursday, 22nd July 2021. Posted by Phil Alsop.

While some data regulators have adopted a more sympathetic tone on account of businesses’ continued struggle with COVID-19, others have shown no such leniency, issuing multi-million Euro fines. For multinational businesses, the challenge of knowing what data you have, and how to manage it compliantly so as to avoid becoming the next data disaster headline, remains a Board-level risk.

Data breaches are often viewed as sensationalist and frequently contentious in nature, and yet the scope of what constitutes a data breach remains poorly understood. Consequently, seemingly innocuous risks such as data retention can emerge as the unexpected root cause of regulatory failure.

Consider the dark data the business didn’t realise it had, or the personal data it forgot to delete after selling off a part of the business. Maybe it’s the poorly enforced data retention strategy that’s resulted in personal data being stolen by cybercriminals from an unsecured, forgotten server. A data breach that originates from poor data retention practices can be just as difficult and costly to manage as the more headline-grabbing cybersecurity incidents that we’ve become all too familiar with.

Businesses need clarity across their entire data estate to be confident that they are meeting their regulatory obligations, but without the tools that automate data classification and deletion policies, the process of classifying and deleting data can be extremely resource-intensive.

An unknown quantity

A combination of historic best practice, a fear of deleting data and the growing availability of large-scale cheap storage means employees, IT staff and data managers can mistakenly believe that they’re doing the right thing by storing ‘everything’, without a real understanding of the data they are retaining. The resulting data bloat can have real consequences when it comes into conflict with newer regulatory and legal obligations.

Many industries, the banking sector for example, have established requirements to retain data for set periods of time, and these have become ingrained in the consciousness of long-term employees. However, regulations like GDPR dictate that data should only be held for as long as required for its original purpose and offer individuals the ‘right of erasure’. It is unsurprising, then, that businesses are confused about what they can and should keep – and for how long – and often choose to ignore the issue, keep all their data and quietly forget about the risk.

With data sets becoming more complex and increasingly challenging to manage and secure, the risk from data retention is becoming omnipresent. The growing popularity of hybrid multi-cloud environments – where data is stored across both private on-premise networks and a range of cloud environments – means data can exist in multiple, often disparate, locations in an organisation for years to come. The situation is exacerbated if deletion or categorisation of that data is delayed or ignored, with much of it simply forgotten and going ‘dark’. The most recent research from Veritas found that half (52%) of an organisation’s data, on average, can be classified as dark – meaning that the person managing it doesn’t know what it is, or may not know it exists.

Dark data quickly loses its strategic value and evolves instead into a data risk. Unknown volumes of dark data mean an increasing likelihood of data incidents, with the potential for breaches, fines and reputational damage. Just how confident can a business be that it knows where all its data is and how that impacts its compliance obligations?

Insight and automation

Organisations need a fresh approach to data management. It can no longer be treated as a low-priority, back-office function. A new approach requires both operational and cultural changes across organisations, but it also demands ownership and accountability if the compliance risk is to be effectively mitigated.

Every board member or departmental head today is, in their own way, a chief data officer, accountable for their business unit’s data. That means setting a proactive tone from the top: every business leader and data owner should take a principal role in defining the data deletion strategy, resolving the management challenges that frustrate them and providing employee education to meet data retention policies.

To enable this, businesses must maintain their focus and improve data visibility by adopting tools that help organisations see what data they have and where it is. With these in place, better-informed decisions can be made on what data to keep and what to delete. Deploying tools that automatically label data on upload limits error and improves future accuracy, and reduces risk by setting data to expire after a pre-defined period that sits within regulatory obligations. This prevents unclassified and vulnerable ‘dark’ data from building back up again over time.
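The label-on-upload and expire-after-a-period approach described above, as an added illustration that is not code from the original article or from Veritas: records are labelled by a rule set at ingest, each label carries a retention period, and a periodic sweep separates data that is past its retention period (delete) from data nobody has labelled (dark, review). The retention days, path rules, sample paths and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed retention schedule (label -> days kept after upload); a real
# schedule comes from the organisation's policy and its regulators.
RETENTION_DAYS = {"customer-pii": 365, "finance-record": 7 * 365, "marketing": 90}
# Constructed labelling rules applied on upload: path fragment -> label
LABEL_RULES = {"/customers/": "customer-pii", "/finance/": "finance-record",
               "/campaigns/": "marketing"}
AS_OF = datetime(2021, 7, 22)  # constructed "today" for the sweep

@dataclass
class Record:
    path: str
    uploaded: datetime
    label: Optional[str] = None  # None means unclassified, i.e. "dark"

def classify(path: str) -> Optional[str]:
    # First matching rule wins; no match leaves the record dark until reviewed
    p = path.lower()
    return next((lab for frag, lab in LABEL_RULES.items() if frag in p), None)

def ingest(path: str, uploaded: datetime) -> Record:
    return Record(path, uploaded, classify(path))  # label at upload, not later

def expiry(rec: Record) -> Optional[datetime]:
    # Expiry implied by the label; dark data has no expiry, which is the risk
    if rec.label is None:
        return None
    return rec.uploaded + timedelta(days=RETENTION_DAYS[rec.label])

def sweep(records: List[Record], now: datetime) -> Tuple[List[str], List[str]]:
    # Returns (paths past retention -> delete, unlabelled paths -> review)
    expired, dark = [], []
    for rec in records:
        exp = expiry(rec)
        if exp is None:
            dark.append(rec.path)
        elif exp <= now:
            expired.append(rec.path)
    return expired, dark

# Constructed sample estate; paths and dates are illustrative only
SAMPLE = [
    ingest("/shares/customers/2019_export.csv", datetime(2020, 1, 1)),
    ingest("/shares/finance/ledger_2015.xlsx", datetime(2015, 1, 1)),
    ingest("/shares/campaigns/spring.pdf", datetime(2021, 5, 1)),
    ingest("/shares/tmp/old_backup.tar", datetime(2016, 3, 9)),
]
```

Running `sweep(SAMPLE, AS_OF)` flags the customer export for deletion and the unlabelled backup for review, while the finance ledger and campaign file are still inside their retention periods.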

Careful data management, clear policies and tools for classification and deletion are all central to meeting regulatory compliance. To execute this effectively, a business must give its employees insight into, confidence in and control over the data they handle, and enable them with the right tools and technologies. By encouraging data responsibility and implementing new automation capabilities, businesses can cut through the fog and find a safe path through the regulatory landscape.