Global Banking and Finance Review

    Business

    Posted By maria gbaf

    Posted on December 9, 2021


    By Eric Mueller, Senior Advisor & Strategic Netting Lead at D2LT.

    Over the past few years, privacy regulation has brought into keen focus the need for organisations to provide greater care for customer information. This includes formalisation of customers’ “rights” to know and control how their personal information is used. It has also formalised the obligations of the collectors of personal information to provide safeguards and greater disclosure on personal information usage.

    While changes in how customers and regulators view data privacy may have been a catalyst, several other data management questions are now coming to the forefront:

    • How long should customer data and business records be retained?  
    • What are the risks associated with over-retention?
    • Does data encryption address some or all of these risks?
    • What are the appropriate triggers for destruction?
    • Should all data and business records be classified?  
    • What classification taxonomies should be applied? 

    The almost “free” cost of data storage, combined with the proliferation of digital communication, has led to a lackadaisical attitude to organisations’ data management policies and is now introducing real legal / business risk that many organisations are in no position to identify or measure. There is a fear of deleting data, in the faint hope that it might instead be utilised in some beneficial manner in the future – without any realistic and tangible plan to do so.

    It is now “make or break”. Organisations need to adopt a comprehensive and integrated approach – addressing policy, risk management and technical architecture – across the disciplines of privacy, records management, data classification and data destruction. Organisations that continue to address these as siloed disciplines are destined for a costly, ineffective and potentially conflicting set of policies and management practices. In this case, compliance can never be achieved – and the true risks will not be mitigated, as Eric Mueller, Managing Director, D2 Legal Technology, explores.

    Organisational Asset – or Liability?

    Until recently, an organisation’s records management policy and obligations were often limited to ensuring that business records were placed in a box and sent to an offsite facility to be retained for a prescribed period of time before being destroyed. For example, some banking regulations require that customer transaction records are stored for seven years following an account closing date.

    Today, however, large organisations are creating business records at a dizzying velocity. A decade or two ago, data storage was an expensive resource, necessitating that applications and databases employed data hygiene practices – regularly purging obsolete data and records to free up data storage space. Over time, technology advances have fundamentally altered the economics of data storage. New data storage technologies have driven the cost per unit of storage towards zero. This has resulted in organisations adopting “keep all data and records for all time” philosophies. This practice ensured record retention regulatory requirements were met (because everything was kept) and provided rich data lakes to be mined for customer insights. While maybe not explicitly stated, data hygiene fell to the bottom of the priority list (and stayed there).

    Yet, ask your general counsel and compliance departments for their view on business practices that result in keeping data and business records longer than required. I’m sure you will hear that, instead of it being the purported organisational asset, it is an unbounded liability. In the case of any litigation, any and all information is discoverable. Over-retained data / information increases litigation expense and exposure. This is an avoidable risk when true data hygiene practices are implemented and followed. You will likely also learn that the highest risks are not in your structured systems and records but are contained within everyday electronic communications: the countless emails, chats, instant messages and PowerPoint documents. If someone thought that it was a good idea to record Zoom meetings during Covid, these video files too need to be placed in the high-risk category.

    Why Data Over-retention Prevails

    Data Privacy regulations are forcing organisations to revisit data destruction policies and approaches. GDPR and CCPA compliance are but the tip of the iceberg. Similar regulations, like storm clouds, are proliferating around the globe (e.g., Japan’s Act on the Protection of Personal Information (APPI), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)). The risks of non-compliance with these regulations are real – regulators are now able to levy substantial fines. Additionally, a data breach that discloses reckless or negligent care and safeguards of personal information can result in devastating headline risk with the swift ramifications of loss of shareholder value, market share, and customer trust.

    Organisations that meet GDPR and CCPA requirements may have capabilities to destroy certain customer records – but it is almost assured that organisations are still over-retaining vast amounts of information, including customer information. Most organisations are not even in a position to identify and measure the size of this risk.

    Further complicating this is the interwoven architecture of our business information. This architecture developed haphazardly over decades to address a patchwork of process and information flow efficiencies. It has resulted in a spider web of information that no one in the organisation can fully explain or untangle. Chief Data Officers (CDOs) have been charged with sorting this out. However, most CDO organisations are still in their nascent stage, having been formed within the past five years and having made de-minimis progress in rationalising the entirety of an organisation’s information architecture. When confronted with this highly interdependent and networked information architecture, deleting or destroying any single data element can unleash a chain reaction of unintended consequences. Therefore, most organisations have concluded that it is safer to delete nothing.

    This is the perfect storm in which we find ourselves. Regulators are likely to provide a temporary pass to organisations that can demonstrate care for the most sensitive data. But organisations need to find a path to a more sustainable information architecture and data hygiene practices that meet the needs of privacy, records management (retention) and data destruction requirements.

    Data Encryption – a temporary mitigation, not a lasting solution

    Many organisations are relying on data encryption to protect their data and have wrongly concluded that data destruction to reduce over-retention is not a priority worth the cost and effort.

    This is a false security measure. Hackers are actively harvesting and storing encrypted data with the view towards the future use of “post-quantum” compute power that will allow them to crack even the most sophisticated encryption keys. Organisations must take the view that no data is safe and truly secure – it is just a matter of time. The mandate must be to actively destroy data (particularly PII-related data) once it’s no longer serving a legitimate business use.

    Valuable Insights

    Organisations that have launched programs to attack these problems have met with both successes and failures.  For organisations struggling to make progress, there are valuable insights that can be learned from those that have had to retrench from overly ambitious programs:

    1. Convergence: Recognise that data privacy, records management and data destruction are three tightly linked disciplines. While each has separate regulations and stakeholders, it is sub-optimal to pursue siloed policies, governance and technical solutions. The requirements and solutions for these three disciplines overlap and are intertwined. Therefore, it is best to address them collectively.
    2. Align Strategy, Policy and Organisation Responsibilities: A coherent strategy is to develop an achievable information management strategy that is aligned to a prioritised set of risk mitigation objectives and that is supported by policies (that reflect the same set of risk mitigation objectives). Lastly, the organisation must support the information strategy by establishing accountable organisations to manage and implement the strategy; top-down support for the strategy; and budget to implement any necessary investments in technology or remediation. Until this foundation is established, real progress can’t be made.

    A common pitfall to avoid is that policy is established with regard for what is achievable and without recognition that all risks are not equal.  When this occurs, organisations fail to mobilise resources and spread their effort too thinly – focusing on the easy / quick-wins vs. addressing the areas of greatest risk.

    3. Risk Definition – a good starting point is to assess information risks faced by your organisation. For each risk identified, further analysis should outline the source of the risk; the probability of the risk; the probability associated with the risk; and the consequences of that risk. This framework can then be used to inform the organisation, set priorities, and should be reflected in both the information management strategy and policies.
    4. Success requires a disciplined approach:

    – Data is pervasive: determine all data locations that need to be managed. Establish data owners. Apply the risk framework. Set accountabilities for policy compliance.

    – Create an inventory and metrics to measure data. Assess risks by data type and storage location.

    – Focus on making pragmatic decisions and pragmatic approaches. Don’t overcommit the organisation.

    – Surprisingly, unstructured data is far easier to address than structured data. Given its high risk to the organisation, it is a good place to start.

    5. Be prepared – for how few people in the organisation will understand the true challenges associated with deleting / destroying data in structured systems.

    Conclusion

    In conclusion, information management for any organisation should be at the forefront and top of the agenda as failure to effectively manage data collection, management, retention, and deletion could expose the organisation to a multitude of risks and possible action both from the data subjects as well as the regulators.
