Should it stay or should it go? The data retention clash for data managers
As privacy regulations around the world tighten (for example with the EU GDPR, California CPA, India’s PDPB, and Brazil’s LGPD), an increasing number of high-profile data privacy breaches have been hitting the headlines around the world. Fines for British Airways and Google of £183 million and €50 million respectively have been topped by Facebook’s £4 billion settlement with the Federal Trade Commission relating to the Cambridge Analytica scandal. Even Brexit politics has been in on the act, with the UK Vote Leave campaign being fined £40,000 for sending unsolicited text messages. DLA Piper estimates that there were more than 59,000 breaches within the EU during the period June 2018 to February 2019.
Whilst media attention, unsurprisingly, centres on the large fines being levied against social media and public cloud enterprises for high-profile data privacy breaches, other interesting cases are coming to light, highlighting the broader data management challenges at play. For example, the Danish data protection authority fined the furniture company IDDesign DKK 1.5 million for deficiencies in their data deletion processes (i.e. storing data without having a valid basis to do so), demonstrating that authorities are not just looking at retrospective fines once data has been leaked, but are additionally starting to look at the policies and procedures companies have in place to manage data retention more broadly. Crucially, this includes enforcement action against firms that hold data beyond its retention period, regardless of whether there is a breach or not.
As a data owner or compliance manager, it is necessary to walk a tightrope between over-retention of data (risking data protection fines) and under-retention (leading to legal and compliance issues going back over 15 years to cases such as Zubulake v. UBS Warburg). It really is a case of needing to understand, for any data, should it stay, or should it go? It is not acceptable to simply assume, as the Clash would have it, that data should “be here ’til the end of time”.
Managing data through its full lifecycle – including the ability to defensibly dispose of data – means knowing when its retention period has expired, or whether it has an exceptional requirement to be preserved beyond this period, due to a legal hold for example. Unless the data can be identified, tagged, immutably preserved and linked to any active legal holds, legal and compliance teams will not allow the disposal of any data. This leads to the analysis-paralysis problem many organisations have now encountered with data disposal, paying third parties such as Iron Mountain increasing amounts year-on-year to sit on orphaned data tapes and discs more than 20 years old and with no plan to resolve the situation.
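The decision described above (retention period expired? any active legal hold linked to the record? only then dispose, and record why) can be made mechanical once records are tagged. The following is an added illustration, not Citihub’s framework or any client’s code: a small disposition engine that evaluates each record against a retention schedule and a register of legal holds and returns an action plus an audit reason. The record classes, retention periods, custodian and tag names, hold identifiers and dates are all constructed sample values; matching a hold to a record by custodian or by tag is an assumed convention.

```python
"""Retention / legal-hold disposition check (constructed example).

Each record gets one of four actions:
  RETAIN  - retention period still running
  HOLD    - retention expired but an active legal hold applies
  DISPOSE - retention expired and no active hold (defensible disposal)
  REVIEW  - no retention rule exists, so neither keeping nor deleting is defensible
Every decision carries a reason string intended for the disposal audit trail.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    record_class: str
    retain_days: int  # counted from the record's trigger date (creation, closure, ...)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    trigger_date: date
    custodians: frozenset  # people whose data this is, or who own it
    tags: frozenset = frozenset()  # matter / project tags applied at capture time


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: frozenset
    tags: frozenset
    released_on: Optional[date] = None  # None means the hold is still in force

    def is_active(self, today: date) -> bool:
        return self.released_on is None or self.released_on > today

    def applies_to(self, record: Record) -> bool:
        # Assumed convention: a hold covers a record if they share a custodian or a tag.
        return bool(self.custodians & record.custodians) or bool(self.tags & record.tags)


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str
    reason: str


def decide(record: Record, schedule: Dict[str, RetentionRule],
           holds: Iterable[LegalHold], today: date) -> Decision:
    rule = schedule.get(record.record_class)
    if rule is None:
        # Over-retention risk: nobody can say how long this class may be kept.
        return Decision(record.record_id, "REVIEW",
                        f"no retention rule for class '{record.record_class}'")
    expiry = record.trigger_date + timedelta(days=rule.retain_days)
    if today < expiry:
        return Decision(record.record_id, "RETAIN",
                        f"retention period runs until {expiry.isoformat()}")
    active = sorted(h.hold_id for h in holds if h.is_active(today) and h.applies_to(record))
    if active:
        # Under-retention risk: deleting here would destroy evidence under hold.
        return Decision(record.record_id, "HOLD",
                        "retention expired but subject to legal hold(s): " + ", ".join(active))
    return Decision(record.record_id, "DISPOSE",
                    f"retention expired on {expiry.isoformat()} and no active legal hold applies")


def run_disposition(records: Iterable[Record], schedule: Dict[str, RetentionRule],
                    holds: Iterable[LegalHold], today: date) -> List[Decision]:
    holds = list(holds)
    return [decide(r, schedule, holds, today) for r in records]


def summarise(decisions: Iterable[Decision]) -> Dict[str, int]:
    return dict(Counter(d.action for d in decisions))


def demo() -> List[Decision]:
    # Constructed schedule: roughly 7 years for client correspondence, 2 years for consent records.
    schedule = {r.record_class: r for r in (RetentionRule("client-correspondence", 2555),
                                            RetentionRule("marketing-consent", 730))}
    holds = [
        LegalHold("HOLD-2019-01", frozenset({"alice"}), frozenset({"matter-771"})),          # active
        LegalHold("HOLD-2015-07", frozenset({"carol"}), frozenset(), released_on=date(2018, 1, 1)),  # released
    ]
    records = [
        Record("R1", "client-correspondence", date(2010, 3, 1), frozenset({"alice"})),
        Record("R2", "marketing-consent", date(2016, 5, 10), frozenset({"bob"})),
        Record("R3", "client-correspondence", date(2019, 1, 15), frozenset({"dave"})),
        Record("R4", "legacy-tape-export", date(1998, 7, 4), frozenset({"unknown"})),
        Record("R5", "client-correspondence", date(2009, 6, 1), frozenset({"carol"})),
    ]
    return run_disposition(records, schedule, holds, today=date(2020, 6, 1))


if __name__ == "__main__":
    for d in demo():
        print(f"{d.record_id}: {d.action:8s} {d.reason}")
    print(summarise(demo()))
```

Two points a practitioner would take from this: a released hold must stop blocking disposal (otherwise holds accumulate and the analysis-paralysis described above returns), and records with no retention rule at all should surface as a distinct queue for review rather than silently defaulting to “keep forever”.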
Citihub Digital has helped clients define and execute defensible disposal programmes, working across legal, records management, eDiscovery, archiving and compliance departments to achieve data deletions as a business-as-usual (BAU) process, rather than as exceptional approvals executed only to achieve one-time compliance for major projects of work. Our framework covers the end-to-end business and technology processes required to achieve a fully compliant data retention and disposition position.