Businesses today have a tremendous opportunity to use data in new ways, but they must also look at what data they keep and how they use it to avoid potential legal issues.
Forrester predicts a doubling of unstructured data in 2024, driven in part by AI. But the evolving data landscape and escalating cost of breaches and privacy violations call for a critical look at how to create an effective and robust data retention and deletion strategy.
While the expected volume of data is growing, so is the cost of data breaches and privacy violations.
To manage data effectively, organizations need to craft a policy to delete obsolete data.
The longer a company stores data, the more opportunities there are for a data breach or for fines for violations of privacy law.
The first step to minimize this risk is to take a comprehensive look at how a company is using its data, along with the nuanced considerations and tangible benefits of a data retention strategy.
Organizations often find themselves compelled to delete obsolete data due to legal requirements that are core to data protection laws.
The best way to identify which data can be considered obsolete, and which data will add ongoing business value, is to start with a data map that outlines the sources and types of incoming data, which fields are included and which systems or servers the data is stored on.
A comprehensive data map ensures a company knows where personal data lives, which types of personal data are processed, which types of protected or special category data are processed, the intended data processing purposes and the geographic locations of processing and applicable systems.
A meaningful data inventory and classification is the foundation for a solid privacy program and helps provide the data lineage needed to understand how data flows through a company's systems.
Once a company has a map of its corpus of data, legal and technical teams can work with business stakeholders to determine how valuable specific data might be, what sort of regulatory restrictions apply to storing that data and the potential ramifications if that data is leaked, breached or retained longer than necessary.
Imagine a data analytics team at a financial institution that wants to ensure lending eligibility models are trained on as much data as possible.
To reduce the chance of inaccurate predictions, discuss with business stakeholders how data becomes stale and less valuable over time and which data is most reflective of today's world.
To help decide how long to keep data, start with affirmative legal obligations around maintaining financial records or sector-specific regulations around transactions that entail personal data.
Look at statute of limitations periods to determine how long to keep data if it's needed to defend against a potential lawsuit, and only keep personal data that's needed for a potential litigation defense, such as transaction logs or evidence of user consent, rather than every piece of data on individual users.
When it's time to clear out less valuable information, data can be deleted manually based on the retention period for each data type defined in the retention schedule.
Truly deidentified data generally falls under exemptions in data protection laws, but doing this correctly requires stripping out so much value that there's not much left to use.
As we've outlined above, there are several considerations in addressing obsolete data, including foundational data mapping and lineage, defining retention period criteria and working out how to implement these policies efficiently.
Navigating the intricacies of data deletion requires a strategic and informed approach.
This Cyber News was published on venturebeat.com. Publication date: Sat, 16 Mar 2024 18:13:06 +0000