The Growing Risks of Data Retention

4 Min Read By: Deeanna Fleener

Since the dawn of the digital age, companies have collected and stored electronic information, from emails and text messages to sales figures and customer analytics. With the ever-increasing volume of data, companies have discovered potent insights and improved operations. 

But those benefits have not come risk free. As stewards of growing amounts of sensitive data, companies have exposed themselves to cybersecurity threats, legal liabilities, privacy breaches, and a burgeoning list of regulatory requirements.

As those threats have grown, they have underlined the importance of a company knowing how much data it maintains, where it’s stored, and how it’s secured. Those threats also have highlighted why a data retention and disposition protocol is crucial. 

Amidst the frenetic pace of business today, these issues can seem easy to ignore or put off for another day. However, it’s not hard to imagine how data can snowball into a major liability.

After all, at many companies, data management didn’t always pose such a threat. With responsibility for “information governance,” IT departments often took on the assignment. But as companies grew, IT departments became overwhelmed with competing priorities. And soon, what was once five terabytes of data grew into one hundred terabytes spread across the globe without oversight or controls. Add in legacy data, such as backup tapes and proprietary systems, and it becomes even more overwhelming.

Companies can no longer afford a leave-it-to-IT approach to data management. More than ever, they need to develop a cross-functional team from legal, privacy, records management, cybersecurity, and IT that can establish, monitor, and, most importantly, carry out policies. 

The importance of data mapping 

Every company’s data risk profile is different. A company in a regulated industry like financial services or healthcare will have certain considerations that may differ from companies that operate across borders where data privacy is more complex.

Knowing where data lives is essential for any company, however. Creating a data map is step one in that process.

A data map indexes a company’s data. It can be created with customized software or a text document or spreadsheet. The key is going through the process of systematically identifying all the data inside a company and its location. Ideally, the map should also include best practices around how to save data and when you can legally delete data.

The benefits of going through this process are enormous. For one, it allows for better usage of a company’s data. Employees can better understand what value they can extract by visualizing the kind of data the company has and where it sits. Using these metrics can provide a wealth of information within the company and across its clients.

Creating a map also forces companies to organize their data. Different buckets of data will likely have different retention requirements, and some might have special access permission requirements. Those buckets could include personal employee information, commercial operations, and financial metrics. There might also be buckets with IP, trade secrets, and customer lists.

Avoiding costly data searches 

Importantly, a data map provides crucial help in a crisis like a cybersecurity breach. Knowing where to look for evidence of a breach can save time. If your company is involved in litigation, a map can also make discovery more efficient.

Or suppose your company gets a data subject access request (DSAR), a demand consumers may make for data collected about them under privacy regulations such as Europe’s General Data Protection Regulation or the California Consumer Privacy Act. Fulfilling a DSAR, which often must be done quickly, is cheaper and easier with a good data map.

Not all data is created equal. When creating a data retention and deletion policy, every company should determine whether holding onto data serves a business purpose. Obviously, companies must keep business records required by regulatory entities or potentially relevant in ongoing litigation.

Enforcing data deletion policy 

However, there is a whole universe of data that falls outside of regulated business records. Whether data is considered beneficial may be in the eye of the user. So, creating a rules-based approach that can be monitored and automated will help to ensure consistent application across the company. 

Just as important as this rules-based retention approach is a policy about how to dispose of data. Neglecting this step can have significant economic consequences. While the cost of data storage is less, there is still a cost associated. Additionally, if your company is sued, relevant data that has not been discarded becomes discoverable, even if it should have been deleted under the company’s policy. A lapse like that underscores the need for routine training and vigilant enforcement of the data retention policies.

The challenges around data will only expand. As companies grow, enter new markets and merge, they add more data and more risk. Managing these risks can be painstaking and costly in the short term, but they will save companies time and money in the long term.

By: Deeanna Fleener


Connect with a global network of over 30,000 business law professionals


Login or Registration Required

You need to be logged in to complete that action.