When it comes to data, resist your inner packrat

Credit to Author: Paul Gillin | Date: Fri, 22 Apr 2022 04:30:00 -0700

Human beings are natural pack rats, as evidenced by the 2.3 billion square feet of self-storage space that’s in use in the U.S. Fear of getting rid of stuff even has a name: disposophobia.

Keeping every pair of shoes your kids have ever worn isn’t a problem for anyone except those with whom you share living space.

But the same rules don’t apply to data.

All industries have records retention guidelines spelled out in compliance rules. They are usually strictly enforced for regulated companies, and firms that run afoul of them can be punished.

But even in non-regulated businesses, old records are a liability. One significant risk is that they can be discoverable in legal cases.

For example, a rule of thumb is to dispose of job interview records after one year. If a candidate sues your company claiming hiring discrimination and the notes from the interview are still on your hard drive, you could be effectively handing the complainant a stick to beat you with.

Then there are practical matters.

Keeping stuff on hand longer than is necessary can make it harder to find the information you need. It also complicates responding to important events like press and Freedom of Information inquiries and customer requests. One report estimated that as much as one-third of the data in an average company’s information stockpile is redundant, obsolete, or trivial (ROT).

Commingling old records with new ones can create confusion about which information is accurate. A 2019 survey of 1,500 information workers by M-Files found that 46% said it’s challenging and time-consuming to find documents they need. And 36% said it’s challenging to find the most recent version of a document most or all of the time.

And at a time when data privacy regulations are multiplying like kudzu, any personally identifiable data you keep on your computer about customers could be a multi-million-dollar liability for the entire business.

Computers encourage information hoarding. Storage is so cheap that it’s easier to keep information than to throw it away.

While some enterprise content management systems can automatically dispose of data beyond a specific date, the time needed to configure them can be onerous. There’s also almost no automated records destruction software for PCs.

Then there’s the problem of finding all the information that should be subject to retention rules.

Data stored in disparate silos can be hard to find, and many companies don’t have the software needed to tag and apply automatic deletion rules to the data they know about.

“There often isn’t an easy way to connect the retention rule to a piece of data sitting in a structured database,” said Sue Trombley, Managing Director of Thought Leadership at records management giant Iron Mountain. “But as the age or value of information declines over time, its risk grows. If you’re sitting on it without proper controls, you could be in trouble.”

Implementing a data retention schedule across an enterprise can also be daunting.

A bank, for example, may have thousands of record types for such things as customer accounts, various loan documents, anti-money laundering records, and deposit receipts. Moreover, each may be subject to local, state, and national regulations. And regulations change all the time.

Once a schedule is in place, there have to be rules to enforce it, but success is sporadic.

A 2020 Deloitte survey found that less than half of companies have a disciplined schedule for destroying old data, and 35% leave the task up to business process owners, who are the least well-equipped to do so thoroughly.

It’s beyond the scope of any one person or business unit to create a disciplined records retention policy. Still, you can advocate with your legal department and the IT organization to put it on their agenda.

There are also things individuals can do to protect themselves.

If you work with sensitive or customer data, ask your legal department for guidance on the timeframe to keep it.

Your IT organization should advise you on how to destroy old records (Hint: deleting them from your hard drive actually removes very little of the information). Better yet, IT can engage a vendor that can destroy data thoroughly and document its destruction.

Disposophobia has no place in the office. When it comes to records management, less is more.
