Data Retention: balancing privacy with opportunity

When managing large volumes of data, minimization is crucial. But what about the data that needs to be retained? We explore why data might need to be kept, the risks of over-retention, and steps for ensuring the data you do keep is secure.

Belinda Walsh

Written by

Belinda Walsh

Reviewed by

Share on Social Media
July 2, 2024
Data Retention: balancing privacy with opportunity

Finding it hard to keep up with this fast-paced industry?

Subscribe to FILED Newsletter.  
Your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

For modern organizations, data represents a crucial element of a business’ operations. While data can play an important role in informing strategic decisions and keeping you aware of changes or trends happening within your business, it doesn't come without risks. 

To mitigate the risks of a potential data breach, most organizations have proactive data minimization processes in place, which are designed to ensure data is only kept as long as it needs to be. But not all data is appropriate for disposal – some must be retained for a specified period. Whether it’s part of a legal hold or audit process, or simply needs to be retained for compliance or operational purposes, there’s some data that needs to stick around.  

In this article, we’ll explore the risks of retaining too much data, methods for protecting the data you do keep, and how a platform like RecordPoint can help you keep data safe.  

The risks of over-retention 

Retaining too much data carries a variety of risks, from financial, to reputational, to regulatory.

Disposing of redundant, obsolete, or trivial (ROT) data can help mitigate the risks associated with over-retention. ROT data refers to the information that is no longer useful or relevant to the organization. It includes outdated records, duplicate files, and irrelevant documents that consume storage space and increase the chances of a data breach.

Overspending on storage costs

When they retain more data than they need to, organizations are stuck paying for excess data storage they simply don’t need, often catching the eye of executives and board members who aren’t happy with wasted spending.  

Compliance risks

Today, most of the world’s population is covered by privacy regulation in some form or another: 137 of 194 countries currently have active privacy legislation in place. Most regulations across the globe specifically protect consumers from over-retention of their personal information. So, if they’re caught holding customer data they should no longer have – even if no breach has occurred – the organization holding the data could be penalized.  

  • GDPR data retention – Europe's data privacy law doesn’t carry specific legal requirements regarding how long data must be retained, only that “personal data must be kept no longer than necessary” and that organizations must establish and document their data retention policies based on the specific purpose of the data and any other legal requirements. Penalties for non-compliance with regulatory requirements can be as high as €20 million or 4% of annual global turnover. 
  • HIPPA data retention – The regulation states that patient data must be held for six years, then managed according to local regulations. Civil penalties for breaking HIPPA laws are enforced in four tiers, based on severity, and can reach up to $1.5 million in cases of willful neglect. 
  • CCPA/CPRA data retention – Though the California laws also don't specify specific retention requirements, the laws do mandate data minimization, and require businesses to limit the collection, use, retention and sharing of personal data. In addition, CPRA requires businesses to disclose the length of time they intend to keep specific types of data within their privacy policies. Those in violation can face penalties up to $7,500 per violation.

Exposure risk

If the worst does happen and a data breach hits your organization, the severity of the attack will be directly tied to the amount of data the attackers can access. The more data you have, the more lucrative you become to cybercriminals. Organizations that do not follow data minimization principles – and that do not have data retention policies in place – will feel the effects of a data breach more severely than companies that do—as will their customers. Skip to the next section to explore some notable cases of over-retention worsening the effects of a breach.  

Inefficient operations

While not as consequential as the other risks of over-retention, a lack of operational efficiency in data management can slow your whole operation down. With cluttered databases and disparate data sources, usually full of unstructured data, it can be difficult for employees to know what data lives where, let alone what must be protected or disposed of.  

Notable Cases of Over-Retention 

Several high-profile breaches have occurred in recent years, putting privacy at the forefront of consumers’ minds, and in some cases increasing public awareness of issues related to data retention.  

  • Australian non-bank lender Latitude Financial suffered a major breach in 2023, which affected around 14 million Australians. At the time, it was the largest data breach in Australian history. The data accessed dated back to 2005, and reflected the information of more than 14 million people, though the lender just 3 million customers. So far, Latitude has had to pay out an AU$1.55 million infringement notice to the Australian Communications and Media Authority (ACMA), while further penalties are expected to come, pending an Office of the Australian Information Commissioner (OAIC) investigation.  
  • US Credit reporting agency Equifax suffered one of the largest data breaches ever in 2017, which impacted more than 147 million people, more than 40% of the US population. The attack has been widely attributed to a combination of factors, though the most significant was the existence of a known vulnerability in a web portal run by the company. After gaining entry into internal systems, the attackers stole more than a terabyte of data, which held large volumes of PII and PCI.  

    According to Equifax’s own Global Retention Policy, much of the data stolen should have been disposed of after being retained for the appropriate time period. So, while the volume of data retained certainly didn’t cause the attack, it certainly sweetened the deal for the Chinese cybercriminals allegedly behind it. Equifax ultimately agreed to a $425 million+ settlement to affected parties.  

Both of these cases serve as stark reminders of what the worst-case scenario can look like when it comes to data management, and underscore how over-retention can exacerbate an already problematic situation.  

Calculate the cost of a data breach – See how much a breach could cost your organization and explore how the costs differ with the number of records exposed.  

Retaining necessary data with minimal risk  

While the risks of over-retention are significant, the reality is that some data must be retained to adhere both to effective data governance policies, and to maintain regulatory compliance. There are also reasons an organization might need to retain data for their own purposes, including legal retention requirements, operational, or strategic needs.  

Striking the balance between reducing what you don’t need and protecting what you do is more straightforward than you might think. Here are our top strategies for finding that balance:

Get to know your sensitive data

Using a comprehensive data discovery strategy, create an inventory of your full data estate. After this process, you should have a clear view of how much sensitive data you have, where it’s stored, who can access it, and how long you’ll need to keep it around.  

Protect the sensitive data you retain

Once you know the what and where of your sensitive data, you can get to work protecting it. Start by implementing access controls to limit which employees can access sensitive information, providing another layer of protection from would-be attackers. Use trend data to uncover changes in your data, improving your ability to uncover suspicious activity.  

Dispose of data as soon as it’s no longer needed

Every piece of data you dispose of can help keep storage costs down and limit the complexity of data management in your organization. Avoid the mindset of saving data “just in case” it may be useful down the line: it’s almost never worth the risk. Instead, create a data retention policy and prioritize data minimization principles as an organization-wide effort to improve data security.  

Eliminate human error

Even the most detail-oriented human will make mistakes – and when it comes to privacy regulations, even the smallest mistake can have significant consequences. Instead of relying on human effort to action your data retention policy, automate the processes outlined above to ensure absolute adherence to policies and schedules, allowing you to focus on what matters most to your business while maintaining confidence in your regulatory compliance and risk mitigation practices.  

The RecordPoint solution  

Responsibly managing data at scale can be a complex task, so we built RecordPoint to make it easier. Our manage-in-place platform helps your team manage retained data better and protect it more effectively. Here’s how RecordPoint can help set your organization up for success:  

Step 1:

Automated data discovery tools help you create a comprehensive data inventory using our flexible connector framework, allowing you to integrate with any data source. AI-powered auto-classification instantly identifies the location and contents of sensitive data pieces. 

Step 2:

Improve the way new data is classified using custom rules or machine learning models securely trained on your own data. Automatically remove ROT for proactive minimization and enjoy full visibility over every piece of data.  

Step 3:

Create and apply custom retention schedules, automating the process of data minimization. Find trends and disruptions to your data with custom or pre-built reporting dashboards. Take compliance obligations from headache to hands-free with proactive, automated data management.  

By leveraging the strategies we’ve discussed today, along with the support of a partner like RecordPoint, your organization can rest assured it’s minimizing its data risks, keeping costs low, and only keeping what has to be kept. 

Discover Connectors

View our expanded range of available Connectors, including popular SaaS platforms, such as Salesforce, Workday, Zendesk, SAP, and many more.

Explore the platform

Remove data you don't need

Avoid risk, manage data more easily, and cut costs by removing unnecessary data with RecordPoint Data Minimization.

Learn More
Share on Social Media

Assure your customers their data is safe with you

Protect your customers and your business with
the Data Trust Platform.