Data retention: balancing privacy with opportunity

When managing large volumes of data, minimization is crucial. But what about the data that needs to be retained? We explore why data might need to be kept, the risks of over-retention, and steps for ensuring the data you do keep is secure.

Written by

Belinda Walsh

July 2, 2024

For modern organizations, data is a crucial element of business operations. While data can play an important role in informing strategic decisions and keeping you aware of changes or trends happening within your business, it doesn't come without risks.

To mitigate the risks of a potential data breach, most organizations have proactive data minimization processes in place, which are designed to ensure data is only kept as long as it needs to be. But not all data is appropriate for disposal – some must be kept for a specified retention period.

In this article, we’ll explore the risks of retaining too much data, methods for protecting the data you keep, and how a platform like RecordPoint can help you keep data safe throughout its lifecycle.

Why retain data

Data retention refers to the practice of storing and maintaining data for a certain length of time (the "data retention period"), according to data privacy and data protection laws, as well as business requirements or other needs. This practice is essential for businesses and organizations as it allows them to analyze past information, track trends, make informed decisions, and comply with legal requirements.

Whether it’s part of a legal hold or audit process, or simply needs to be retained for compliance or operational purposes, some data needs to stick around. However, data retention raises concerns about privacy and security.

The risks of over-retention

Retaining too much data carries a variety of risks, from financial, to reputational, to regulatory.

Overspending on storage costs

Organizations that retain more data than they need are stuck paying for excess data storage, as well as related costs like data egress. That wasted spending often catches the eye of executives and board members.

Compliance risks

Today, most of the world’s population is covered by privacy regulation in some form or another: 137 of 194 countries currently have active privacy legislation in place to protect the sensitive data of citizens or consumers.

Sensitive categories of data, such as health information, financial records, and personal identifiers like Social Security Numbers (SSNs), present unique challenges when it comes to data retention. Balancing the need for privacy with the potential opportunities that come from analyzing and utilizing this data is a delicate task that requires careful consideration.

Most regulations across the globe specifically protect consumers from over-retention of their sensitive personal information. So an organization caught holding customer data it should no longer have could be penalized, even if no breach has occurred.

  • GDPR data retention – Europe's data privacy law doesn’t carry specific legal requirements regarding how long data must be retained, only that “personal data must be kept no longer than necessary” and that organizations must establish and document their data retention policies based on the specific purpose of the data and any other legal requirements. Penalties for non-compliance with regulatory requirements can be as high as €20 million or 4% of annual global turnover.
  • Health Insurance Portability and Accountability Act (HIPAA) data retention – Health information is one of the most sensitive categories of data, as it can reveal intimate details about an individual's physical and mental wellbeing. The Health Insurance Portability and Accountability Act states that patient data must be held for six years, and then managed according to local regulations. Civil penalties for breaking HIPAA are enforced in four tiers, based on severity, and can reach up to $1.5 million in cases of willful neglect.
  • CCPA/CPRA data retention – Though the California privacy laws also don't set specific retention requirements, the laws do mandate data minimization, and require businesses to limit the collection, use, retention, and sharing of personal data. In addition, CPRA requires businesses to disclose the length of time they intend to keep specific types of data within their privacy policies. Those in violation can face penalties of up to $7,500 per violation.

Cybersecurity and data exposure risk

If the worst does happen and a data breach hits your organization, the severity of the attack will be directly tied to the amount of sensitive data that falls into the wrong hands. The more sensitive data you have, the more lucrative a target you become to cybercriminals. Organizations that do not follow data minimization principles – and that do not have appropriate data retention policies in place – will feel the effects of a data breach more severely than companies that do, as will their customers.

Skip to the next section to explore some notable cases of over-retention worsening the effects of a breach.

Inefficient operations

While not as consequential as the other risks of over-retention, a lack of operational efficiency in data management can slow your whole operation down. With cluttered databases and disparate data sources, usually full of unstructured data, it can be difficult for employees to know what data lives where, let alone what must be protected or disposed of.

Disposing of redundant, obsolete, or trivial (ROT) data can help mitigate the risks associated with over-retention. ROT data refers to data that is no longer useful or relevant to the organization. It includes outdated records, duplicate files, and irrelevant documents that consume storage space and increase the chances and impact of a data breach.

Notable data breaches involving over-retention

Several high-profile data breaches involving over-retention have occurred in recent years, putting privacy and security at the forefront of consumers’ minds, and in some cases increasing public awareness of issues related to data retention.

  • Australian non-bank lender Latitude Financial suffered a major breach in 2023, which affected around 14 million Australians. At the time, it was the largest data breach in Australian history. The data accessed dated back to 2005, and reflected the information of more than 14 million people, though the lender had just 3 million customers at the time of the breach. So far, Latitude has had to pay out an AU$1.55 million infringement notice to the Australian Communications and Media Authority (ACMA), while further penalties are expected to come, pending an Office of the Australian Information Commissioner (OAIC) investigation.
  • US credit reporting agency Equifax suffered one of the largest data breaches ever in 2017, which impacted more than 147 million people, more than 40% of the US population. The attack has been widely attributed to a combination of factors, though the most significant was the existence of a known vulnerability in a web portal run by the company. After gaining access to internal systems, the attackers stole more than a terabyte of data, which held large volumes of PII and PCI.

    According to Equifax’s own Global Retention Policy, much of the data stolen should have been disposed of after being retained for the appropriate data retention period. So, while the volume of data retained didn’t cause the attack, it certainly sweetened the deal for the Chinese cybercriminals allegedly behind it. Equifax ultimately agreed to a $425 million+ settlement with affected parties.

Both of these cases serve as stark reminders of what the worst-case scenario can look like when it comes to data management, and underscore how over-retention of customer data can exacerbate an already problematic situation.

Retaining necessary data with minimal risk

While the risks of over-retention are significant, the reality is that some data must be retained, both to adhere to effective data governance policies and to maintain regulatory compliance. There are also cases where an organization might need to retain data for specific purposes, including legal retention requirements, and operational or strategic needs.

Striking the balance between removing the data you don’t need and protecting what you do need is more straightforward than you might think. Here are our top strategies for finding that balance:

Get to know your sensitive data

Using a comprehensive data discovery strategy, create an inventory of your full data estate, across all your data sources. Once you have a clear idea of the data you hold, the next stage is a full data classification process. Once you have classified your data, you can understand how much of it is sensitive data, such as personally identifiable information (PII) or payment card information (PCI).

After this process, you should have a clear view of how much sensitive data you have, where it’s stored, who can access it, and how long you’ll need to keep it around. Combined with an understanding of relevant regulations and laws, establishing data retention policies should be much more straightforward.

Protect the sensitive data you retain

Once you know the what and where of your sensitive data, you can get to work protecting it. Start by implementing access controls to limit which employees can access sensitive information. This provides another layer of data protection from would-be attackers who seek to hijack employees' accounts to gain access to data. Use trend data to uncover changes in your data, improving your ability to uncover suspicious activity.

Dispose of data as soon as it’s no longer needed

Once a given piece of data reaches the end of its retention period, it must be disposed of. Every piece of data you dispose of can help keep storage costs down, limit the complexity of data management in your organization, and reduce the blast radius in the event of a data breach or ransomware attack. Avoid the mindset of retaining data “just in case” it may be useful down the line: it’s almost never worth the risk. Instead, create a data retention policy and prioritize data minimization principles as an organization-wide effort to improve data security.

Eliminate human error

Even the most detail-oriented human will make mistakes – and when it comes to privacy regulations, even the smallest mistake can have significant consequences. Instead of relying on human effort to action your data retention policy, automate the processes outlined above to ensure absolute adherence to retention policies and schedules, allowing you to focus on what matters most to your business while maintaining confidence in your regulatory compliance and risk mitigation practices.

The RecordPoint solution

Responsibly managing data at scale can be a complex task, so we built RecordPoint to make it easier. Our manage-in-place platform helps your team manage retained data better and protect it more effectively. Here’s how RecordPoint can help set your organization up for success:

Step 1: Create an exhaustive data inventory

Automated data discovery tools help you create a comprehensive data inventory using our flexible connector framework, allowing you to integrate with any data source. AI-powered auto-classification instantly identifies the location and contents of sensitive data pieces.

Step 2: Classify your data, remove the ROT

Improve the way new data is classified using custom rules or machine learning models securely trained on your own data. Automatically remove ROT for proactive disposal and deletion and enjoy full visibility over every piece of data.

Step 3: Apply custom data retention schedules

Create and apply custom data retention schedules, automating the process of data minimization. Find trends and disruptions to your data with custom or pre-built reporting dashboards. Take compliance obligations from headache to hands-free with proactive, automated data management.

By leveraging the strategies we’ve discussed today, along with the support of a partner like RecordPoint, your organization can rest assured it’s minimizing its data risks, keeping costs low, and only keeping what has to be kept.
