How long does your organization retain customer, employee, and sensitive corporate data, and how do you go about disposing of it? In the absence of explicit regulatory mandates, when and how to delete different types of records and personal data can become a tug-of-war between line-of-business, legal, and security teams.
There are consequences of improper deletion and disposal, as well as excessive retention. In Italy, telecommunications company TIM received a fine of €27.8 million for retaining customer information for too long, among other GDPR violations. Paper records also need to be considered, along with decommissioning of equipment containing sensitive information. Walgreens reached a settlement of $3.5 million for improper waste disposal and regularly discarding customers’ personal information without shredding the documents. Morgan Stanley was fined $60 million for improper disposal of personal data related to its data decommissioning practices.
In the event of a breach, you want the smallest possible amount of data available to threat actors. On the other hand, deleting data prematurely can land you in hot water with regulators if you run afoul of compliance requirements. It can also hinder efforts to innovate with data or put gaps into an organization’s corporate memory.
Keeping track of where your data spreads when you have some employees working from home and some from the office is another challenge many organizations face, especially in the aftermath of COVID-19. And data also exists in many places — on devices, databases, content management systems, data lakes, and more — in many formats (some digital and some physical, such as paper).
Let’s Move Forward
You need a retention and deletion strategy that fits the needs of your business, balancing data protection, privacy, and records retention requirements. This requires cross-functional collaboration, an understanding of your retention and deletion obligations, and knowledge of the technology and services offerings available to support these efforts.
Participate In The Research
This upcoming research will explore a range of challenges and approaches related to retention, deletion, and secure disposal of data — both structured and unstructured. Here’s a sampling of key questions we aim to address:
- Retention schedules. When should an organization delete different types of data when no regulatory guidance exists? If regulatory guidance governs your retention schedules, how do you ensure compliance? How should internal stakeholders resolve differences of opinion about retention?
- Remote work and office closures. Remote work is here to stay for many organizations. What deletion challenges arise in the context of remote work? What about the disposal of physical (paper) documents in the event of a permanent office closure?
- Defensible deletion. Proactive disposal of customer data you no longer need can reduce the impact of a breach, but deleting organizational data can also be used to avoid accountability for mistakes and wrongdoing. Who are you protecting when you delete records?
- Deleting structured vs. unstructured data. How does your organization approach deletion for structured data like that in databases versus unstructured data like content in documents and files?
- Deleting data from the cloud. Does your cloud hosting provider have appropriate deletion capabilities for the data you store in the cloud? When do you delete data from the cloud? How do cloud application providers assure their clients that data is gone?
Drop us a note if this is a topic that you have an interest in chatting about over a 30-minute research call. Whether you’re tasked with addressing these issues within your organization and need to vent about challenges, feel you’ve successfully addressed these issues and want to share how, or are a provider of technology or services that can help (and share how you’ve helped your customers), we’d love to connect with you soon!
(written with Isabelle Raposo, research associate at Forrester)