
Power and Responsibility: What are you doing with your data?

By Linda Sharp posted 12-18-2017 10:18

  


“With great power comes great responsibility.” Although originally articulated by Voltaire, important figures ranging from Winston Churchill to Spider-Man’s Uncle Ben have used this phrase. And never before has it been truer. With the ever-increasing amount of data held in corporate repositories, the associated power—and responsibility—that comes with managing and controlling such information has never been greater.

Most recently, we have seen the EU strike down Safe Harbor provisions and replace them with more stringent requirements under Privacy Shield. In the next few months, it will implement its General Data Protection Regulation (GDPR). Even so, the EU is not the only governing body embracing stricter privacy policies. The APEC Privacy Framework was updated in 2017, and US organizations are now witnessing the implementation of stricter privacy requirements by federal agencies and state governments.

 

Data, data, and more data. 

Given the sheer volume of information being created on a daily basis, organizations face a steep challenge. In order to comply with these requirements and efficiently manage data, IT departments are seeking less risky and less expensive alternatives for managing the wealth of information contained in organizational data stores. In response, we have seen a tremendous shift to cloud-hosted solutions for email, working files, and almost every other data component in the organization. At first blush, this may seem like a sufficient solution and lead to a short-term budget reduction. But such a change may also bear unintended consequences, such as an increase in risk and an over-complicated workflow.

Too often, these decisions are made in haste without due consideration given to the root of the problem. With regard to this data dilemma, the issue is not data storage; it’s data volume. Too much data is retained that bears no business value—employee personal communications or vacation photos—or that has passed its useful life, convoluting the data management process and obscuring more logical solutions.

Merely moving this superfluous data cannot provide sufficient compliance or information management capabilities. Instead, it exacerbates the issues surrounding the handling of eDiscovery requests or subject access requests (SARs) under GDPR. Additionally, it inhibits the organization’s ability to repurpose and reuse valuable business content. Maintaining data repositories cluttered with ROT (redundant, outdated, and trivial information) can easily disrupt your ability to find important information—whether for business or regulatory purposes. Further, and perhaps even more importantly, these unwieldy stores can increase risk merely because they contain the information in the first place.

 

Risk Reduction

With such a far-reaching issue and constantly changing privacy policies, how can you keep your organization from becoming a target? In my mind, the only effective means of reducing risk when managing data is to ensure defensible deletion policies and processes. While this may seem obvious, organizations too often sacrifice true defensibility for inexpensive—and insufficient—storage solutions. However, the only truly defensible solution is a unified approach for managing information throughout its lifecycle… and purging the rest.

Whether subject to GDPR, APEC principles, or any number of other state-specific or federal regulations, remember this: if you don’t have a file, you don’t have to manage it. And more importantly, no one can get hold of it in the event of a security breach or otherwise.

 
