Smart Data Retention Policies Practices, Tips, and Use-Cases to Limit New Data Privacy Risks

Data privacy and cybersecurity regulations like the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have dramatically expanded consumer privacy rights—and there are more laws like them on the horizon. This regulatory increase has led to the need to establish better privacy measures across enterprises, which includes minimizing legal risks and exposure to data breaches.

Smart Data Retention Policies Practices, Tips, and Use-Cases to Limit New Data Privacy Risks
Smart Data Retention Policies Practices, Tips, and Use-Cases to Limit New Data Privacy Risks

One approach to solving this problem is through data minimization, which is sometimes referred to as defensible deletion.

Read on this article to learn:

  • Why data minimization is no longer just important but required.
  • A 3-phase approach to implementing minimization practices at your organization.
  • Best practices for maintaining an effective, defensible retention program.
  • Start reducing storage costs and minimizing legal risks associated with data retention

Content Summary

Introduction
Why is Data Minimization Important?
60 Days to Defensible Data Minimization
3-Phase Approach for Data Minimization in Practice
Best Practices for Implementing Data Minimization
A Data Minimization Case Study

Introduction

Data privacy and cybersecurity regulations like the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have dramatically expanded consumer privacy rights—and there are more laws like them on the horizon. This regulatory increase has led to the need to establish better privacy measures across enterprises, which includes minimizing legal risks and exposure to data breaches.

One approach to solving this problem is through data minimization, which is sometimes referred to as defensible deletion. At its core, data minimization represents a comprehensive strategy to reduce the amount of data an organization holds, therefore lowering storage costs and minimizing legal risks associated with the preservation of electronically stored information (ESI). In recent years, the advent of new privacy laws has brought customer data into the spotlight, as these regulations have granted unprecedented consumer rights for access to their data.

Why is Data Minimization Important?

Upfront, it is cheap to store data. However, when the organization is involved in litigation or, worse yet, a regulatory agency investigation, all of that ESI is now subject to attorney review for responsive documents—an expensive proposition.

Put simply, data you don’t have can’t be breached, and you don’t have to produce it during litigation. When considering whether there’s an organizational need to pursue data minimization, ask two questions:

  1. Could you demand all documents on a specific person to expose your organization’s over-retention of personal data?
  2. Can your organization delete excess data that would help minimize exposure to judicial and regulatory sanctions, as well as a civil liability?

Leveraging proven retention methods and enforcement models is the most effective way to dispose of unnecessary records and data while meeting regulatory obligations to avoid unnecessary risks.

You can’t afford to over-retain data

The most egregious GDPR violations will hit companies that have over-retained data, which means that having enforced data retention and deletion program is no longer optional. Most companies vastly over-retain records and information, and an average of 75% of that information contains some form of personal or sensitive data.

GDPR Articles 5, 13 17, and 25 require companies that are subject to the law to dispose of any personal data once it has fulfilled its purpose unless there is a legal or regulatory obligation to retain the data longer. Penalties and fines for breaches so far have been severe, with British Airways facing a $230 million fine, and Marriott facing a $123 million fine.

60 Days to Defensible Data Minimization

Failure to identify, address, and minimize risks related to data minimization will be the driver of fines, oversight burdens, litigation, and settlement expenses. This makes the processes of developing an effective minimization process even more critical. The basic steps breakdown as follows:

  1. Develop & maintain a comprehensive data inventory: Identity what personal data exists, media types used, processing activities, data subjects, storage locations, and retention obligations.
  2. Leverage proven retention & disposal standards: Adopt retention standards that are industry-specific and processes that are effective and defensible.
  3. Communicate program expectations: Automate the process of distributing, tracking, and assessing employee compliance levels with verified and tracked responses.
  4. Dispose of over-retained data: Appropriately delete vast amounts of unnecessary and Redundantly-retained data across all media types and storage locations including email, unstructured shared drives, and paper.
  5. Establish ongoing controls: Leverage proven experience, standards, and technology to streamline your data minimization and retention efforts to ensure defensibility.

3-Phase Approach for Data Minimization in Practice

Applying data minimization principles in practice requires a three-phase approach: conducting a preliminary analysis, further data classification, and remediation of legacy data. Each step below is a closer, in-depth look at how to classify data and apply minimization practices.

Preliminary Analysis

The first phase is designed to give business unit leaders an idea of the data they have and the risks associated with it. Data analysts obtain the organization’s metadata and analyze the file path directory structure, then apply preliminary classifications for the data. The result is a baseline report that is used to compare future changes. Success in this phase is particularly important, given that subsequent phases will rely on the report’s findings.

Further Data Classification

This phase has an emphasis on additional data owner identification through business unit mappings, incorporating four tasks:

  • Business Unit Mapping. Ideally, you have an inventory of all of your enterprise data set up before you’re attempting to minimize it. Not only is it an important component of the CCPA and GDPR to know what data you have (and on whom), but you have to know where to find that data. When breaking the data down by the business unit, the question “Who has the most data?” is answered. A legal team member usually leads this effort, engaging the business unit (who knows what data they need) and adding another level of classification.
  • Retention Analysis. Here, records and information management professionals identify the maximum retention period for each business unit to identify data that is outside of that range. They then update the retention mappings onto a master table. In doing so, they follow existing retention policy or, if conflicts develop, create a new policy. Often, their biggest challenge is getting executive buy-in.
  • Hold Analysis. For this task, attorneys (inside or outside counsel) identify all business units currently subject to legal holds, then map those holds to the business units in a master hold table. Once a given hold is released, the ESI involved is now able to be deleted under the company’s retention policy.
  • Implementation. This involves developing an implementation plan, rather than “pushing the button.” The updated mappings for business units, retentions, and holds are analyzed and any needed adjustments are made. Disposition rules regarding inactive user accounts and data outside of retention/hold mapping are also finalized.

Remediating Legacy Data

This phase involves remediating legacy data identified in the prior phrases and developing a “go-forward” approach. Three tasks are implicated:

  • Validation. The goal of this task is to obtain consensus between business owners and counsel as to the proposed disposition of the legacy data—the sign-offs—and then record the particulars of the consensus for future reference.
  • Disposition. This is the point where someone in IT “pushes the button.” Typically, “deleted” data is quarantined for a certain period (24 hours to 6 months) before it is truly destroyed, as a backup.
  • Go-Forward Approach. Developing a “go-forward” approach translates into minimizing future problems with data proliferation. It involves documenting such processes in a disposition “playbook,” developing management metrics and data integrity standards, and then monitoring the organization’s information ecosystem for activities that put data out of compliance.

Best Practices for Implementing Data Minimization

Implementing a data minimization strategy means the process will be ongoing and organizations must be persistent in creating a data minimization strategy that is comprehensive and effective. There are two main best practices to follow:

Create information retention policies

This usually involves three main things:

  • Gaining organizational buy-in: To have organizational buy-in, starting from the top on down, requires having the right people at the table—representatives from IT, legal records and information management, and the respective business units.
  • Create the retention policies: Counsel crafts the policies in conjunction with upper management using the business judgment rule to determine what data must: 1. be kept permanently, 2. Has strategic value to the organization, or 3. Is subject to a legal hold. Considerations include multinational aspects (is data subject to the Foreign Corrupt Practices Act or GDPR), ephemeral data (text messages and apps like Snapchat), and social media. Organizations that are highly-regulated in other areas can expect elevated regulations here.
  • Communicate and enforce policies: This is the area where retention failures most often occur. The key to communicating and enforcing retention policies is to keep them simple and easy to understand by outside parties. Retention policies are part of the overall information governance plan.

Harmonize your retention, legal hold, and data minimization policies

The biggest challenge with any legal hold process is that, as more custodians are added, the efforts to administer the hold multiply. This is because a small percentage of the custodian base consumes a disproportionate amount of time and effort; they may be difficult to reach, not respond to hold notices or ask numerous questions about the hold. There are four steps in harmonizing all of the processes discussed:

  • Automate legal hold notifications: An automated system, as the name implies, tracks who’s acknowledged the hold and escalates the notice to a non-compliant custodian’s manager without intervention from the holding administrator. That system also tracks which custodians have been interviewed and has an interactive method for asking interview questions so administrators can identify other candidate custodians and where responsive ESI is located. That system should also offer a consolidated means to limit custodian notices to those who are on multiple holds, to avoid “notice fatigue.”
  • Link to the existing data infrastructure: Linking a legal hold system to existing infrastructure means linking to HR, asset management and matter management systems so that when an administrator creates or updates a hold, he/she has access to the most current information.
  • Minimize irrelevant ESI: After it’s been verified that the data is no longer under a legal hold and doesn’t serve a relevant business purpose, it’s time to delete it. If there’s a serious concern that the data might be relevant later, either don’t delete it or review the data that is “quarantined” before full deletion.
  • Document the process: Documentation is arguably the most important part of the process because if there’s no proof of the process, it’s more difficult to say why an individual did or did not do something. Courts look for a reasonable process, rather than a perfect one, and documentation goes a long way to demonstrating reasonableness.

A Data Minimization Case Study

The Client: A $15 billion distributor with 20,000 employees in more than 1,000 locations nationwide. The company serves customers in all 50 states and locations around the world.

The Challenge: The CISO’s challenge was twofold: cut down 53 TB of steadily growing data, and understand the relationship between their data and the data owners. At the same time, the GC desired the implementation of a data minimization policy to reduce litigation and cybersecurity risks. One of the greatest challenges the CISO and GC faced was knowing where to begin.

The Solution: Technology and tightly-structured processes with ongoing controls to meet obligations and reduce risks. Exterro provided deletion strategies for all media types, including email, unstructured data, and paper records to defensibly delete unnecessary records and information. We also provided all the necessary documentation to memorialize the data minimization logic and initial cleanup efforts.

ROI: After implementing the data minimization policy, the strategies significantly reduced volumes of data across the organization.

  • File Share: Eliminated 20 TB of the file share data immediately. The cost avoidance of containing the growth in their file share environment is $60,000 annually.
  • Email: Applying an email policy and auto-delete resulted in email storage volume decreasing 4% annually. Originally, the volume growth was increasing at 8% annually.
  • Paper: By applying retention rules to offsite paper, they immediately reduced off-site storage by 50%.
  • Backup Procedures: Reduced tape archive from 30,000 tapes to zero, and reduced backup retention from 90 days to 28 days. As a result, 300 TB of savings eliminated the need to acquire additional backup storage. The annualized cost reduction from these changes is $1.2 million.

Source: Exterro – E-Discovery & Information Governance Software