Data risks: Data retention policies
Co-authored with Gary Clark, 3C Consulting.
In this article, we look at the data risk to your organisation arising from data retention policies: in particular, how ineffective they are (in many cases by design) when their enforcement is left to people to carry out. For the people we speak to in compliance roles, this is the issue that keeps them awake at night.
We live in a world where our every transaction, contact and movement is recorded and stored, and this mass of data grows by the nanosecond.
In parallel with the data we create, provide and trade, there is an increasing legal and regulatory requirement for it to be controlled, organised and available to the people to whom it relates.
Data starts to age the moment it is obtained, so a clear set of parameters is needed to ensure that only information relevant to the purposes for which it was originally obtained is kept. In most companies a data retention policy sets out the guidelines in this regard.
But what is a data retention policy?
A data retention policy is a set of guidelines that helps organisations keep track of how long information must be kept and how to dispose of the information when it’s no longer needed. The policy should also outline the purpose for processing the personal data.
Your policy is normally accompanied by a data retention schedule: a document that lists the types of document your business may store and process and how long each should be retained. For example, company accounts for seven years, former customer records for two years, and so on, whatever your business has determined as the retention rule for that classification of data.
What does the GDPR say about retaining personal data?
The emphasis under the GDPR is data minimisation, both in terms of the volume of data stored on individuals and how long it’s retained for.
Organisations must therefore ensure personal data is securely disposed of when it is no longer needed. Data you no longer hold cannot become inaccurate, out of date or irrelevant, and, worse still, cannot become the content of a data leak or breach that causes financial and reputational damage to the organisation.
How effective is your data retention policy?
Although you may have a data retention policy (tick, well done), the likelihood that it bears any resemblance to what is actually happening with data retention in your business is, for the majority of organisations, extremely low. The main reason is that in most organisations the execution of the data retention policy has traditionally been delegated to people to enforce: a strategy doomed to failure from the start.
The scale of the challenge
To apply a data retention policy effectively, you need to classify all the data and documents that your organisation processes, stores and manages. It takes roughly 5 minutes to read 3 pages of text. A typical terabyte of documents on a shared drive contains around 2 million files. If, for the sake of argument, each is 3 pages long, it would take a human about 166,000 hours to read them all, or, at 37.5 hours per week and 48 working weeks a year (20 days' holiday), around 92 work years.
What actually happens in an organisation is closer to hoarding-type behaviour.
Hoarding disorder is a persistent difficulty discarding or parting with possessions because of a perceived need to save them. A person with hoarding disorder experiences distress at the thought of getting rid of the items. Excessive accumulation of items, regardless of actual value, occurs.
If you re-read the above, replacing the word items with data, you’ll see what I mean.
Another factor, in the words of one former CEO, is that data retention enforcement is "high volume, low emotion" work. It is put off for a rainy day, and it never, ever seems to rain.
The result of people-based enforcement is that retention is not managed as the policy says: the benefits are never realised, and the likelihood of the risks and dangers the policy was meant to address is greatly increased.
Leading management consultancy McKinsey and Company recently hinted at the answer:
“Companies will need to increase automation and streamline their organisation if they are not to be overwhelmed by the challenge of sustaining GDPR compliance over the long term.”
This activity is relentless. As the data bank grows, the time needed to review documents and information for retention dates before deciding what to do with them grows with it, because there is more to check. Checking, sorting, separating and deleting are mechanical tasks; the judgement comes only at the final stage, when deciding whether or not to remove.
This is where automation with a powerful application such as Infoboss can help.
Automating data retention policy management with Infoboss
Infoboss provides your organisation with the tools to automate much of the process of data retention policy enforcement at scale across all of the data and documents in your organisation.
The software enables you and your data asset owners to engage with your data and apply classification rules that automatically tag it, giving you insight into what data and documents you hold without having to read them all. You can then use this enhanced metadata about each document or record to apply rules that identify exceptions, and even automate the removal of data or documents if that is what you want to achieve.
Once the rules for identifying and classifying your documents and data, and their related retention schedules, are defined, the system runs continuously in the background, monitoring your data and alerting you whenever an anomaly or exception occurs.
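As an added illustration of the classify-then-enforce loop described above (example code written for this article, not Infoboss's software or its API), the following Python script tags each document with a classification rule, looks up its retention period in a schedule, and reports two kinds of exception: records past their retention date, and records that no rule can classify. The schedule, the rules, the document store and the review date are all constructed for the example, and it assumes retention is counted from a document's last-modified date, which your own schedule must actually define.

```python
"""Rule-based retention enforcement over an in-memory document store.

Added example for this article (not Infoboss code).  The schedule, rules,
documents and dates below are constructed; a real run would read them from
your retention schedule and walk your file shares.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule (constructed): classification -> retention period in days.
RETENTION_SCHEDULE = {
    "company-accounts": 365 * 7,
    "former-customer": 365 * 2,
    "marketing-draft": 180,
}

# Classification rules (constructed): (path regex, optional content regex, class).
# The first matching rule wins, so order them from most to least specific.
CLASSIFICATION_RULES = [
    (re.compile(r"^finance/.*(accounts|ledger)", re.I), None, "company-accounts"),
    (re.compile(r"^crm/"), re.compile(r"\bstatus:\s*closed\b", re.I), "former-customer"),
    (re.compile(r"^marketing/"), re.compile(r"\bDRAFT\b"), "marketing-draft"),
]


@dataclass(frozen=True)
class Document:
    path: str
    last_modified: date   # assumption: retention is counted from this date
    text: str


def classify(doc: Document):
    """Return the retention class for `doc`, or None if no rule applies."""
    for path_re, text_re, label in CLASSIFICATION_RULES:
        if path_re.search(doc.path) and (text_re is None or text_re.search(doc.text)):
            return label
    return None


def find_exceptions(docs, today: date):
    """Return (path, reason) for every document the policy cannot clear.

    Two reasons exist: "unclassified" (no rule matched, so nobody knows the
    retention period) and "expired:<class>:<expiry-date>" (past its period).
    Unclassified records are reported, never silently skipped.
    """
    findings = []
    for doc in docs:
        label = classify(doc)
        if label is None:
            findings.append((doc.path, "unclassified"))
            continue
        expiry = doc.last_modified + timedelta(days=RETENTION_SCHEDULE[label])
        if today > expiry:
            findings.append((doc.path, f"expired:{label}:{expiry.isoformat()}"))
    return findings


def enforce(store: dict, today: date, apply: bool = False):
    """Run the schedule over `store` (path -> Document).

    Returns (removed, review, audit).  With apply=False this is a dry run:
    nothing is deleted, but the audit trail records every decision so a data
    owner can check the rules before deletion is switched on.
    """
    removed, review, audit = [], [], []
    for path, reason in find_exceptions(list(store.values()), today):
        if reason.startswith("expired:"):
            action = "DELETE" if apply else "WOULD-DELETE"
            audit.append(f"{today.isoformat()} {action} {path} {reason}")
            removed.append(path)
            if apply:
                del store[path]
        else:
            audit.append(f"{today.isoformat()} REVIEW {path} {reason}")
            review.append(path)
    return removed, review, audit


# Constructed sample share and review date.
TODAY = date(2024, 6, 1)
SAMPLE_DOCS = [
    Document("finance/2015-accounts.xlsx", date(2015, 12, 31), "Annual ledger FY2015"),
    Document("finance/2023-accounts.xlsx", date(2023, 12, 31), "Annual ledger FY2023"),
    Document("crm/acme.txt", date(2021, 1, 15), "Customer: Acme Ltd\nStatus: closed"),
    Document("crm/globex.txt", date(2021, 1, 15), "Customer: Globex\nStatus: active"),
    Document("marketing/launch.docx", date(2024, 5, 1), "DRAFT launch copy"),
]


def sample_store():
    """Fresh copy of the constructed share, keyed by path."""
    return {d.path: d for d in SAMPLE_DOCS}


if __name__ == "__main__":
    for line in enforce(sample_store(), TODAY, apply=False)[2]:
        print(line)
```

Two design points matter in practice. First, a document that matches no rule is itself an exception: an enforcement job that quietly skips what it cannot classify recreates the hoarding problem the article describes, so unclassified records go to a review queue rather than being ignored. Second, deletion is off by default and every decision is written to the audit trail either way, so the rules can be tuned against real shares before anything is removed.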
If you’d like to see for yourself how Infoboss can help you automate your data retention policy enforcement, before the dangers that lurk beneath bite you, then please get in touch.