Transforming business frontiers have created an expanding digital universe and explosive data growth, requiring organizations to act as reservoirs and graveyards of data. With the amount of data that exists doubling every 2 years,1 the struggle to administer data magnifies, often resulting in the data endlessly staying put and data disposition undertakings becoming vague and daunting. Although data are instrumental in driving business and consumer value, it is even more critical to have visibility of the data collected and processed, understand their business purpose, and understand what data should be retained vs. disposed.
Defensible data disposition is an important step in the data minimization journey. It enables organizations to use a risk-based approach to systematically dispose of data that have reached the retention threshold set forth by the baseline data retention requirements in alignment with business, compliance and legal obligations, such as Brazil’s Lei Geral de Proteçao de Dados (LGPD), the EU General Data Protection Regulation (GDPR), France’s Commission nationale de l’informatique et des libertés (CNIL), Germany’s Bundesdatenschutzgesetz (BDSG), and the US State of California Consumer Privacy Act (CCPA).
Multiple factors drive the need for defensible data disposition; however, setting up a practical data disposition routine is often challenged by shortcomings as described in figure 1.
Figure 1—Data Disposition Challenges
| Data-hoarding mindset | Organizations may seek to retain data indefinitely due to competitive reasons without considerable thought to the rightful use of the data and its implications. |
| Misconceptions of processed data | The timely tracking and disposition of data are contingent on the visibility of processed structured and unstructured data elements, the architecture of associated systems and data flow intersections, which are often not complete. |
| Limited governance and business integration | Limited governance and coordination among business stakeholders to drive and execute data disposition efforts could be caused by ambiguity on the who, what, why and how of the data disposition effort. |
| Opacity around data retention and disposal thresholds | National and international privacy laws and regulations are divergent on data retention expectations (some have longer retention schedules than others for a selected data type, such as customer complaint). Instilling a common data disposition denominator is often a challenge. |
| Technology limitations | Legacy platforms that are overstrained with incremental repairs and systems with composite or high availability/ zero downtime data architectures cause difficulties and disagreements on executing data disposal. |
A Practical Approach to Starting the Data Disposition Journey
Figure 2 illustrates the methodology for data disposition. The methodology is applicable to the following scenarios:
- Organizations that intend to execute data disposition for retrospective systems and data that are in operation
- Organizations that intend to proactively set up a routine for systematically disposing data when they reach the data disposition threshold
- Organizations that respond to on-demand user requests or exercises of user rights to dispose data when there is no legitimate business need
Figure 2— Data Disposition Methodology
There are steps that set the minimum baseline for executing a defensible data disposition program. In addition, compliance to privacy mandates should be continually reviewed from the perspective of changes and updates to national and international privacy laws and regulations.
Step 1: Foundational Data Disposition Capabilities
A governance and operating model is fundamental for an organization to drive meaningful and timely coordination of a repeatable data disposition routine. The following steps summarize the considerations to establish foundational data disposition capabilities:
- Set up a governance and operating model and operating procedures to execute data disposition.
- Characterize data categories and data elements that are relevant to the organization and identify data retention and disposition requirements based on the organization’s applicable binding rules, business obligations and national/international laws and regulations.
Considerations
Data categories and data elements processed by business process, system and application vary, and data deletion requirements should factor in the data processed and the data subjects that are related to them, such as employees, customers and vendors.
Step 2: Risk-Based Prioritization
Operationalizing data disposition all at once will be challenging, if not unlikely. A risk-based approach to data deletion helps identify and prioritize business processes that are critical and to organize the data disposition undertaking into modules of incremental value. The following steps summarize the considerations to establish risk-based prioritization:
- Define the boundaries of business process and system for data disposition and prioritize them based on factors such as the category and type of data processed, user base (such as customer facing or internal facing), volume of data processed, and associated regions and jurisdictions supported.
- Leverage the prioritized listing to group the business process, system and application based on their compounding risk to the organization.
Considerations
Data are shared between systems; therefore, understanding the data lineage is important to discern the risk-based priorities holistically. A system or application may pose less risk when reviewed in isolation, but it may render a higher risk posture when the upstream and downstream interfaces are taken into account.
Data are shared between systems; therefore, understanding the data lineage is important to discern the risk-based priorities holistically.
Step 3:..
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
