The price of data storage may be cheap, however the actual cost of keeping information with no business value (redundant, obsolete and trivial data “ROT”) is staggering. The average cost of a data breach in the United States in 2022 was $9.44 million[1], and many organizations are using manual efforts for information requests related to data subject access requests, audits, internal investigations, regulatory compliance, and eDiscovery for litigation. With ROT accounting for approximately 60%[2] of organizations’ data footprint, it is time to stop hoarding and begin disposing – defensibly.
Privacy regulations have set a precedent for taking a minimalist approach to information governance. GDPR Article 5(1)(c)[3] defines data minimization for the processing of personal data as being “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Similarly, CCPA 1798.100(c)[4] defines organizations’ data minimization requirements as, “[a] business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” With Texas being the tenth state to pass a comprehensive data privacy law[5], compliance has moved its way up the priority list and more mature information governance practices should follow suit. Why only apply data minimization principals to personal identifiable information “PII”, when they can be applied to all information?
Imagine showing up to work tomorrow with 60% less information (or clutter), without losing documents containing business value, and the remaining information properly organized, classified, and secured. This is an impossible feat to accomplish in one day, however, the end goal is achievable. With formal training, employee productivity improves greatly, and responses to information requests are properly tracked and completed in a fraction of the time. Key business decisions are expedited with the availability of accurate information, and organizational risk is reduced with sensitive and personal information classified and secured. Legal and compliance costs are decreased with the ability to quickly and surgically identify and preserve potentially relevant documents, lessening the burden from review and production. The positive impact from ROT removal and information governance maturity is realized throughout the organization. Can you imagine?
In summary, organizations can take a minimalist approach to information governance by adding retention policy compliance and defensible disposition to their data minimization efforts. To execute on this transformation, organizations should build a cross-functional and collaborative information governance committee, creating a roadmap with priorities to get started. Achieving the desired results will be difficult, requiring executive sponsorship, dedication, expertise, time, and patience – in the words of Epicurus, “The greater the difficulty, the more the glory in surmounting it.”
Virtual Lunch: Avoiding Toxic Data Series.
Watch the Highlights Video!
Sources:
[1] https://www.ibm.com/downloads/cas/3R8N1DZJ
[2] https://www.globenewswire.com/news-release/2018/11/15/1652360/0/en/CGOC-Survey-Shows-Enterprises-Still-Face-High-Risk-from-Immature-Information-Governance-Processes.html
[3] https://gdpr-info.eu/art-5-gdpr/
[4] https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
[5] https://iapp.org/news/a/texas-latest-to-add-comprehensive-state-privacy-law/#:~:text=Greg%20Abbott%2C%20R%2DTexas.,date%20of%201%20July%202024.
