The over-retention of data is a major data privacy risk that needs to be addressed.
Data is the lifeblood of many organisations, driving innovation and informing key business decisions. However, keeping data beyond its regulatory retention period or its usefulness leaves entities vulnerable to harm in several ways.
Organisations that retain too much sensitive data for too long put a much larger volume of information at risk in any breach, and with it a much broader range of customers, magnifying the resulting reputational damage.
It is for this reason that data privacy and cybersecurity regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) demand that firms adopt best practices regarding data retention, stipulating that obsolete records of regulated sensitive data must be deleted.
These regulations pose further risks for organisations. If a regulator investigates and discovers such data has been stored for longer than necessary, they may enforce significant fines and penalties.
Such penalties have previously been levied against British Airways and Marriott, which faced proposed fines of roughly $230 million and $123 million respectively (both were substantially reduced in the regulator’s final decisions, but the exposure was real). Indeed, GDPR Articles 5, 13, 17, and 25, for example, demand that companies dispose of personal data once its intended purpose has been fulfilled, unless there is a legal or regulatory obligation to maintain it.
Despite these risks, many companies continue to over-retain records and information, and an average of 75% of that information contains some form of personal or sensitive data.
To avoid these fines and mitigate against potential risks, firms must comply with policies and implement defensible data minimisation strategies.
What is data minimisation?
At its core, data minimisation as a strategy is focused on reducing the amount of data an organisation holds in order to reduce storage costs and minimise legal risks.
Simply put, data you don’t have can’t be breached. Further, you don’t have to spend time and money searching for and producing data you don’t have when responding to data subject access requests (DSARs) or to disclosure demands in litigation.
But how do you know if you need to embrace data minimisation? Here, there are two key questions that organisations should typically ask themselves.
First, could a demand for all documents pertaining to a specific person (such as a DSAR) expose your organisation’s over-retention of personal data? And second, can your organisation delete excess data that would help minimise exposure to judicial and regulatory sanctions, as well as civil liability?
If the answer to either of these is yes, then you should seriously consider minimising the data that you hold.
Here, leveraging proven retention methods and enforcement models is the most effective way to dispose of unnecessary records and data, while meeting regulatory obligations to avoid unnecessary risks.
How do you make a data minimisation strategy?
Of course, implementing a data minimisation strategy is easier said than done. You can’t simply start deleting data: not only would doing this manually on a regular basis be time-consuming, costly and resource-intensive, but there may also be regulatory considerations, such as statutory retention periods and legal holds, to account for.
With a lot of moving parts to consider, it is best to get the basics right – something that can be achieved by following five key steps:
1) Create a comprehensive data inventory
Organisations should first work to map out their data, establishing exactly what personal data they hold, the types of media they use, existing processing activities, data subjects and storage locations, as well as retention obligations. In doing so, entities can create a data inventory that is central to any successful and compliant data management strategy. Simply put, if you don’t understand your data, it’s impossible to adhere to regulations, demonstrate diligence with regulators or defend your compliance efforts.
2) Develop logical data retention standards
Once you know your data, the types of information and records you have, you can begin to implement relevant and logical retention and disposal policies. Here, a steering committee should be established comprising IT, legal, records and information management and other relevant stakeholders, where key questions are asked to understand how retention periods should be defined. This includes exploring legal holds and constraints: whether there are legal or statutory requirements for retention, whether there is a duty to preserve documents for disclosure in legal proceedings, and which data the organisation genuinely needs to keep for operational reasons. Once potential legal and operational hurdles have been outlined, retention policies that would work in practice can be created.
3) Outline policies to the wider organisation
When all parties are in agreement, retention policies must then be communicated and enforced throughout the wider organisation. Here, the key is to ensure any policies are simple and easy to understand. Indeed, the importance of having candid conversations with employees to ensure they understand how important this is cannot be overstated. I would also advise a process for distributing the policies, tracking who has received them, and assessing employee compliance levels with verified and tracked responses.
4) Dispose of unneeded data
When all parties are on board and the relevant tracking capabilities are in place, organisations may begin to delete the vast amounts of unnecessary and redundant data that they have kept in storage. This requires them to review their entire inventory, spanning all media types and storage locations including email, unstructured shared drives, and paper.
5) Establish ongoing controls and automate
This initial disposal process is a key step, but by no means the end of the line. Indeed, organisations must continue to maintain an up-to-date data inventory in order to remain compliant and reduce risks, which means that data minimisation needs to be an ongoing practice. Of course, this can be time and resource intensive. Therefore, firms should leverage technology to streamline data minimisation and retention efforts to ensure defensibility. Automated controls can be deployed to sustain the defensible deletion process, as well as maintain audit trails, update documentation and policies, monitor programs and undertake annual review procedures.
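As an added illustration of steps 2, 4 and 5 together (a retention schedule applied to an inventory, with legal holds honoured and an audit trail kept), here is a small retention engine in Python. It is example code written for this page, not code from the article or from any product. The record categories, retention periods, sample records and the legal-hold list are all constructed for the illustration; a real schedule would come from the steering committee’s decisions, and a real run would act on the organisation’s own inventory rather than an in-memory list.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: category -> retention period in days, counted from
# the date the record's purpose was fulfilled. Values are illustrative only.
RETENTION_SCHEDULE: dict[str, int] = {
    "support_ticket": 365,
    "marketing_lead": 180,
    "invoice": 7 * 365,  # assumed statutory accounting period
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject_id: str   # the data subject this record relates to
    last_needed: date # date the record's purpose was fulfilled (e.g. ticket closed)


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str       # one of "delete", "retain", "hold", "review"
    reason: str


def decide(record: Record, today: date, legal_holds: set[str]) -> Decision:
    """Apply the retention schedule to one record.

    Order of checks is the defensible part: a legal hold always wins, a record
    with no matching rule is never silently deleted (it is flagged for review),
    and only then is the retention period compared against today's date."""
    if record.subject_id in legal_holds or record.record_id in legal_holds:
        return Decision(record.record_id, "hold", "legal hold in force")
    period = RETENTION_SCHEDULE.get(record.category)
    if period is None:
        return Decision(record.record_id, "review",
                        f"no retention rule for category {record.category!r}")
    expiry = record.last_needed + timedelta(days=period)
    if today >= expiry:
        return Decision(record.record_id, "delete",
                        f"expired {expiry.isoformat()} under {record.category}={period}d")
    return Decision(record.record_id, "retain", f"expires {expiry.isoformat()}")


def run_disposal(records: list[Record], today: date,
                 legal_holds: set[str]) -> tuple[list[Decision], list[dict]]:
    """Return the decisions and an audit trail for the run.

    The audit entry stores only a hash of the record id, so the audit log itself
    does not become another over-retained copy of personal data. In production a
    keyed HMAC would be preferable to a bare hash so the reference cannot be
    recovered by enumerating known ids."""
    decisions = [decide(r, today, legal_holds) for r in records]
    audit = [{
        "run_date": today.isoformat(),
        "record_ref": hashlib.sha256(d.record_id.encode()).hexdigest()[:16],
        "action": d.action,
        "reason": d.reason,
    } for d in decisions]
    return decisions, audit


# Constructed sample inventory and legal-hold list for the example run.
TODAY = date(2022, 11, 16)
SAMPLE_HOLDS = {"cust-42"}  # subject under litigation hold
SAMPLE_RECORDS = [
    Record("T-1001", "support_ticket", "cust-55", date(2021, 1, 10)),  # past 365 days
    Record("T-1002", "support_ticket", "cust-77", date(2022, 9, 1)),   # still in period
    Record("L-2001", "marketing_lead", "cust-42", date(2022, 1, 1)),   # expired, but on hold
    Record("I-3001", "invoice", "cust-77", date(2015, 1, 1)),          # past 7 years
    Record("X-9999", "legacy_export", "cust-13", date(2015, 1, 1)),    # no rule: review
]


if __name__ == "__main__":
    decisions, audit = run_disposal(SAMPLE_RECORDS, TODAY, SAMPLE_HOLDS)
    for d in decisions:
        print(f"{d.record_id}: {d.action:7} {d.reason}")
    print(f"{len(audit)} audit entries written")
```

The two edge cases a practitioner cares about are both visible in the sample run: the marketing lead for the subject on legal hold is not deleted even though its retention period has elapsed, and the record with no retention rule is routed to review rather than being deleted or quietly kept. Running the same function on a schedule every night, and keeping the hashed audit trail, is what turns a one-off clean-up into the ongoing, defensible control step 5 describes.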
Don’t wait until it’s too late
Organisations that don’t pre-empt issues surrounding data retention are simply waiting for fines or breaches to deliver a potentially catastrophic financial and reputational blow. Given the consequences, they simply can’t afford to over-retain data.
Failure to identify, address, and minimise the risks of over-retention will drive fines, oversight burdens, litigation and settlement expenses. To avoid these outcomes, developing an effective minimisation process is critical.
Register here to attend #RISK 2022 and gain entry to the speaker session Data Minimisation: A Key Element of Risk-Reduction at 12:50-13:35 on 16th November within #RISK’s Data Protection & Privacy Hub.
→ #RISK - ExCel, LONDON: 16th & 17th November 2022