Putting your data to work: the ultimate guide
Explore the guide
Data management: Fear or opportunity?
When it comes to data management, it’s tempting to adopt a fear-based approach. Every piece of customer or company data you hold costs money and represents risk. If you fail to secure your customer database, or properly manage access, or keep the data too long, it can be used against you. Either by a threat actor seeking a ransomware target, or by a regulatory body looking to fine offenders.
With more data being created every year–147 zettabytes of data will be created this year, according to some analysts–the risk is only going to increase. But so is the opportunity.
By adopting a proactive approach to managing your data, you can reduce the cost and the risk, while ensuring you get the most value out of your data. This guide is focused on helping you put your data to work and reducing the risk by:
- Managing all your data throughout its lifecycle
- Understanding the data you do have
- Managing retention and removing what you can,
- Managing access and security for what remains,
- And responding rapidly to a security incident.
Once you’ve done this, you can focus on increasing opportunities by migrating data from old platforms and applications, analyzing your data for informed business strategies, and getting your data AI-ready for use in large language models.
But first, let’s remind ourselves of the stakes.
Data privacy laws continue their ascent
Since the European Union’s 2016 passage of the General Data Protection Regulation (GDPR), jurisdictions all over the world have passed their own comprehensive data privacy legislation, each placing requirements on companies to know where their data is stored and understand what they hold. In Australia, long-awaited privacy legislation reforms have been brought forward to August. These reforms will likely include new maximum/minimum retention periods, a "fair and reasonable" test for the collection, use, and disclosure of personal info, a right to erasure (and de-index search results), and a right to sue for invasions of privacy. In the United States, while an effort to pass a federal privacy law is ongoing, 18 states have enacted their own privacy laws.
Unprecedented growth in data breaches and ransomware
2023 was a record-breaking year for ransomware, according to a report by security firm Mandiant. Victims paid more than US $1 billion to gangs, and there was a record volume of data posted to “shame sites”, used as part of extortion attempts. This report is in line with another from the Identity Theft Resource Center (ITRC), which showed breaches were up 78% from 2022, and up 72% from the previous record set in 2021.
Reducing your data risk
When it comes to data risk, there are a few main factors to consider: ensuring you are managing all your data, properly managing retention, minimizing your data (including retiring legacy applications), managing what remains to maximize security and privacy, and responding to security incidents. Let’s tackle each of these in turn.
Conquer data sprawl by finding your data wherever it lives
For most organizations, data sprawl is the norm. The rapid adoption of Software as a Service (SaaS) platforms and file shares means data is spread widely through the enterprise. Data is also portable by nature so it can make its way from one app to another with little effort—and little oversight.
One survey of 650 organizations found that 44% of organizations cannot maintain governance and automate policy controls around data, and 42% cannot enforce consistent security measures – a clear vulnerability.
For organizations concerned about their data governance posture, RecordPoint can help. RecordPoint can connect all the essential business systems and apps businesses rely on, allowing businesses to discover and easily manage their data in one central location.
Manage data retention and data minimization
Let’s face it, a lot of organizations hold onto data for too long, either because they forget they have it, or they believe they may need it in the future and are holding onto it “just in case”. They acquire data from customers or clients and then it sits in their data stores, inert, opaque, waiting to cause trouble.
Such an approach, commonly referred to as “data hoarding”, only increases your regulatory risk. Most jurisdictions with privacy regulations, such as the GDPR or the California Consumer Privacy Act (CCPA) mandate that data must not be kept for longer than is necessary for the purpose it was obtained. Over-retention will thus lead to regulatory and financial penalties, along with reputational damage.
As well as the regulatory risks that come from keeping data longer than necessary, there also comes a significant security risk.
The more data you hold, the bigger the impact of a data breach.
A recent data breach involving AT&T offers a good example. In March 2024, the US telecommunications company announced it had suffered a breach affecting 7.6 million current and 65.4 million former account holders, related to a dataset from 2019 or earlier.
And who could forget the case of Latitude Financial, the Australian financial services company that in 2023 experienced a data breach that impacted 14 million current and former customers? Some of the data accessed had been held (retained) for 18 years at the time of the attack. Latitude Financial now faces a class-action lawsuit from affected customers.
Australian insurer Medibank also suffered a data breach in 2022 that exposed the personal information of more than 9 million current and former customers. The Office of the Australian Information Commissioner has announced new legal action brought against Medibank, which carries a maximum theoretical penalty of an AU $21 trillion fine. Listen to our discussion of the case and its implications.
Remember, there’s is no exposure risk for data you don’t have.
Data hoarding has many other negative effects, including:
- Increased storage costs
- Decreased efficiency, as teams must search for relevant data in a much larger corpus, full of Redundant, Obsolete, and Trivial data (ROT)
- A greater likelihood that companies will hold onto outdated applications, which may be a security risk in themselves
For those who fear their organization may not have control over their data retention, RecordPoint helps by automating the retention and disposition process. RecordPoint offers a centralized, intelligent information governance solution that can automatically analyze and classify records, as well as mark files for retention, holds, and in-place data disposition.
For organizations looking to improve their regulatory and security posture, kicking their data hoarding habit is a great start. But what else should they focus on?
Customer story – Government agency replaces its outdated EDRMS to improve efficiency and lower costs
This Australian state government agency wanted to replace its aging EDRMS, OpenText Content Manager, with something more seamless to improve efficiency
The agency found the existing system difficult to maintain from a security perspective, requiring many technical support staff. Combined with a high total cost of ownership, and a lack of support for the policies and procedures required to guarantee compliance with the Public Records Act, a new solution was urgently needed.
While the leadership team decided to adopt SharePoint Online as a cloud-based solution, this formed only part of the solution. After a market evaluation in late 2019, RecordPoint emerged as the clear winner, providing a seamless interface and allowing the agency to meet the requirements of the Public Records Act.
Initially framed as a short-term solution, the agency gained such significant value that it has continued to renew the service and plans to do so even when the team has found a replacement full-time records manager.
Read the full story
Incident response and recovery
In the event of a data breach or security incident, organizations need information to respond effectively. One aspect of an effective response is a detailed data inventory that help security teams identify what data was compromised.
According to IBM’s 2023 Cost of a Data Breach report, it takes organizations an average of 277 days to identify and contain an active breach. Organizations that understand their data can reduce this time and reduce the impact on their customers.
Retire legacy applications
Old data keeps companies holding onto legacy applications—or obsolete apps which no longer receive updates and support—which are themselves a significant source of risk. Enterprises make extensive use of legacy applications, often because they want to retain the data they hold (“just in case” the data is needed). 80% of respondents to one survey reported they were running at least 25% of their business workloads and applications on-premises, with 52% running more than half of their workloads and applications on-premises.
Retiring these applications can be thought of as an example of reducing your risk, and an opportunity to reduce your ongoing costs.
For an example of what happens when that approach is followed, look at this year’s Microsoft hack, where the executive team of one of the world’s tech leaders was compromised thanks to an improperly configured test tenant account. For more on the case, read our coverage from the time. The lesson for all companies is simple: you need to get your legacy app risk under control by retiring these applications.
If the primary reason you’re keeping these legacy applications is to retain your data (i.e. you’re not using the applications to get work done), you need to do two things: assess whether you still need the data, and move it off to a new system, so you can turn off the old one.
RecordPoint allows organizations to retire legacy applications confidently. The platform enables you to understand your structured and unstructured data, and then move the data to be retained into the RecordPoint platform. Once this is done, you can retire the apps and remove the risk—and the ongoing costs associated with running these applications. Then, you can turn to the next task: managing access to the data you have left.
Apply data access controls
Data privacy laws require organizations to establish controls for who can access sensitive data, and such limits also help organizations to guard against phishing attacks and ransomware.
But establishing these controls is only possible when you understand the sensitive data you possess. As we’ve discussed, RecordPoint’s automated data classification helps you to separate the wheat from the chaff, remove data you don’t need, and then manage access for the sensitive data that remains.
Putting your data to work
Remember when we spoke about data as a risk and an opportunity? We’ve now arrived at the “opportunity” part of the equation. Let’s look at a few ways your data can help you grow your business.
Refining data policies
Once you have completed all the above risk reduction activities, you will have a lot more insight into your data, how it is used, and where procedures and controls need to be tightened up. You can use this to refine your policies to reduce this source of risk.
For example, through your work on understanding your data’s lifecycle, you may learn your team members are sharing documents containing customer information on Microsoft Teams, and you can establish policies to discourage this, and so take a high-leverage action to reduce risk.
Gain strategic insight
As we have seen, organizations are not struggling to collect data; they have more than they know what to do with. What they struggle with is using this data to form better strategies and make better business decisions. With the work you’ve just done on removing outdated applications and data, and managing access to what remains, you can now confidently use this data to grow your business.
Any business that wants to improve its revenue must analyze information from sales, customer support requests, and marketing campaign outcomes. While each of these sources of data are useful on their own, the real value comes when you can step back and see the bigger picture and evaluating all the data at once.
Business intelligence (BI) reporting allows you to identify and reduce risks, predict market shifts, and spot anomalies. RecordPoint’s deep reporting capabilities allow you to explore data in your preferred BI platform, including Power BI and Tableau. Data governance metrics allow you to understand where your data is held, view trends like unsafe data-sharing practices, and surface data to comply with Data Subject Access Requests (DSAR), or requests for data to be deleted.
Make decisions based on data, not your gut.
Get your data AI-ready
In 2024, generative AI has moved from the LinkedIn influencer post to the product roadmap. Generative AI platforms like large language models (LLMs) are being embedded in consumer operating systems, and organizations are focused on how they can provide a competitive advantage.
A whopping 99% of respondents in a survey from Elastic said generative AI would drive transformational change in their organization. In a slightly more sober report from Gartner, 29% of the 644 respondents from organizations in the U.S., Germany, and the U.K. said that they have deployed and are using generative AI, making generative AI the most frequently deployed AI solution.
But a GenAI solution like an LLM is only as good as the data you provide it, and you need to ensure this data is AI-ready. Remember: garbage in, garbage out. LLMs also have many security and privacy risks, so you need to handle sensitive data carefully. For any data store you want to use with an LLM, you need to ensure you have removed the ROT, the irrelevant data, and most importantly, any sensitive or confidential data.
Here again, RecordPoint can streamline the process by allowing you to identify and remove sensitive data from a dataset before you train an LLM on what remains.
Take action with RecordPoint
Whether you are focused on reducing risk or getting more from the data you hold, you cannot do it alone. If you’d like to investigate how RecordPoint can help, explore the platform now, or book a demo for a full walk-through.