Reduce Corporate Clutter - Save by Deleting
Organizations struggle with the large volumes of unnecessary data they store and manage. According to IDG, unstructured data is growing at a whopping rate of 62% every year, with a significant part of it being redundant, obsolete, and trivial (ROT) data. Companies spend significant capital and resources on maintaining this data, while increasing their legal and compliance risks.
To tackle this problem, organizations need to dispose of data that does not serve any business, legal or regulatory purpose. Regular disposal of unnecessary data also leads to improved Information Governance (IG) and data management. Defensible deletion should be a crucial part of every company’s data management practices to achieve regulatory compliance. While it sounds simple, it is difficult to implement in practice.
What is defensible deletion?
Defensible deletion can be simply understood as the periodic elimination of ROT data in a manner that does not impact legal requirements to preserve data or ongoing business processes. The first step in defensible deletion is determining what needs to be kept, archived, and disposed of.
From a legal perspective, companies can delete material that is neither presently under a legal hold nor required for a statutory or business purpose. As per the Federal Rules of Civil Procedure 37(e), courts may not impose sanctions when a party fails to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.
Here are some considerations for successful defensible deletion:
1. Get “them” on board
Successful defensible deletion requires the collaboration and buy-in of different parties within the organization.
A cross-functional committee must be involved to plan the strategy for defensible disposal. This should include the important stakeholders from IT, finance, business units, and subject matter experts to ensure that the different types of data held within the organization are clearly understood.
Legal and records management professionals need to be actively involved in the process to avoid any slip-ups. The business users creating and owning the data should also be closely engaged with the program for it to be sustained.
2. Chalk out a strategy
Your strategy for defensible deletion must complement and serve your company’s business approach and needs. A comprehensive data map can give perspective about the types of data stored across the company’s various systems. An overall IG policy can be laid out based on this information, which can help prepare an appropriate deletion strategy.
3. Build a robust framework
The process framework for defensible deletion should describe the value of different data sets and the risks associated with them. A records retention policy should be developed to establish criteria for deletion.
The data categories and locations under legal hold should be clearly identified and a legal hold policy should be drafted and implemented to preserve such data. In addition to data on legal hold, it is necessary to recognize data that is required for the organization’s regulatory obligations and business processes.
Executive support is critical as decisions around deletion could face challenges without buy-in from all the stakeholders. This can be avoided through alignment from all the parties around what data needs to be retained and what can be deleted.
4. Classification strategy
Data classification involves categorizing the data based on its relevance and sensitivity. Data classification enables the management of data in a more structured manner. It allows easy identification and decision-making on how to store, sort, or delete data.
Categorization of data can be content-based, context-based, or user-based. Typically, corporations classify their data as sensitive, confidential, private, proprietary, or public. Classification allows the stakeholders to perform an in-depth analysis of the data based on its business value, associated risks, legal preservation obligations, etc.
The process of deletion can be started with a specific criterion, like the data type, age, accessibility, etc., and if feasible, the criteria for deletion can be further expanded to get more refined results. It is vital to have a properly thought-out classification strategy and approach by incorporating the right technology to automate as much of the process as possible.
Challenges and Solutions
The biggest challenge in defensible deletion is the classification of data. It is complicated to track down the data stored across multiple systems and servers for many years, especially if the organization deals with a wide range of different types of data.
In addition to the best tools, defensible deletion also requires the involvement of the best minds for successful execution. Auto-classification of data can be one of the approaches to simplify the process, but it would require metadata to be accurately maintained and elimination of false positives.
Ideally, adopting an approach of data minimization from the beginning will simplify the process. Data minimization can be defined as the practice of restricting the collection of data only to the extent which is directly pertinent to fulfilling a specified purpose. Organizations should always consider data minimization while planning their strategy for data management.
Data minimization is one of the important principles of the GDPR; its Article 5(1)(c) states, “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)”. Apart from limiting the collection, data should also be held only for as long as you need it.
As storage costs have kept decreasing, many organizations have not made an active effort to delete unwanted data. This was likely driven by the assumption that the stored data could be of some use in the near future. This has resulted in large quantities of unwanted data accumulating in organizations.
Embracing data minimization will save time and money and reduce risk. Data minimization along with defensible deletion will help your organization be compliant with the increasing number of privacy regulations.
To effectively delete the unwanted data, organizations need to understand the data they store. A robust data mapping system is critical for managing this process. Meru Data’s automated data mapping and continuous rule-based monitoring create an actionable data inventory and map of data flows across your business processes. We provide holistic solutions for classifying this data and managing deletion. We also help you demonstrate auditable compliance with regulatory requirements for handling personal data. Our application enables collaboration across different functions involved with governance efforts and makes it easy for your IT departments to execute and track the progress of these efforts.