
Making the cut

The modern world is awash in data. Zettabytes of information are being produced every year and it's estimated this volume will rise to 55 zettabytes (for perspective, one zettabyte is equivalent to 44 trillion gigabytes) by 2020[1].

The escalating volume of data isn't the only problem; more so, it's the mounting costs and risks of securely managing that data that have many organizations re-examining what they actually possess (often in trust as a fiduciary of a client, employee or third party), what's worth keeping and what's only taking up space and potentially attracting liability. With only a fraction of the data held by most organizations containing actual business, legal, or historical value, that's a lot of data to consider.

"There's so much data being collected, curated, and maintained by organizations these days that the computation power and labour needed to manage it in a manner that allows for its value to be leveraged is growing," says Nicole Godin, Director, Forensic Technology, KPMG in Canada. "As a result of that, organizations are taking an honest look at what they actually need, what they actually possess, and what they can shed."

Surely, while the value of data cannot be disputed, the costs and risks of storing every piece of available data for an indefinite period of time cannot be dismissed. With larger volumes of data comes a greater likelihood of leakage or theft; and the over-retention of private or otherwise sensitive data can expose organizations to legal and reputational liabilities.

The case for defensible deletion

Whether used to inform business strategies, identify customer segments, or predict market trends, there's no denying that data is a critical enterprise asset. However, where it could once be argued that every byte counts, that is no longer the case if the risks of maintaining it exceed its value to the organization.

To manage resources and mitigate risk, organizations must determine what information (e.g. operational, customer, vendor, etc.) is of actual value to their services, what information must be kept, which legislative and regulatory retention and legal preservation requirements are applicable, and what data can be permanently deleted without future repercussions.

Enter: defensible deletion, a process organizations are embracing in greater numbers as privacy laws, legal obligations, and consumer expectations around data collection evolve.

"There are a number of reasons why organizations are taking on this exercise, not the least of which being the total cost of retaining data is astronomical," says Godin, adding, "With so much information being collected and stored by companies, it's becoming increasingly difficult for business leaders to find the data they need when they need it. The price of deriving value from that data is only going up, as are the risks around keeping useless or sensitive data that is either inaccurate or outdated."

Moreover, she adds, reducing the volume of stored data makes sense from a security perspective: "The more content we have to manage, the more likely it is to leak or become a target for malicious threats."

Storing value, deleting risk

Most organizations possess a subset of data that must be kept in a legal hold as per regulations and client commitments. Through defensible deletion, the aim is to both identify that data and implement controls to keep it secure, easily accessible, and protected from deletion. Doing so enables organizations to respond quickly to requests for that data in cases of litigation, investigation or audit, effectively insulating them from monetary fines and other repercussions.

"If an organization is called upon to produce a piece of evidence and they haven't gone through the process of defensible deletion, they're going to have a large volume of data to sift through in a short amount of time in order to locate what it is they actually need to produce from that large subset of data," says Godin. "That takes a significant amount of resources and effort to do especially if the organization is required to sift through multiple copies, paper versions, legacy systems, backups, archives, clouds, mobile devices, etc."

In the event organizations cannot present the requested data in a timely fashion or at all, courts may make an adverse inference that the data would have been favorable to the other party, or that evidence cannot be adduced on a particular topic.

Letting go

Data retention rules have existed for years. However, a growing concern around the protection of personal and highly sensitive information has spurred regulators to take a closer look at the controls and rules governing the retention, deletion, and reconstitution of this high-value data.

Therefore, between privacy legislation and stricter expectations around the handling of consumer data, it's understandable why the retention of personal information is becoming a liability for many clients who may be retaining those assets far longer than the use case for which consent was given in the first place. That's why part of the defensible deletion process is classifying and disposing of personal information that organizations either don't have consent to maintain or that is no longer relevant and has become a liability in terms of over-retention.

Setting a defensible deletion strategy

Through a defensible deletion strategy, organizations can determine what data is of value and what cannot be destroyed. The details of that strategy may vary from one organization to the next based on a number of factors (e.g. industry, customer segments, regulatory obligations, etc.) but the fundamentals are the same.

First and foremost, says Godin, organizations must have buy-in from all stakeholders if they hope to execute on their plans: "We all have a fear of getting rid of data, and that makes sense. We live in a knowledge economy where we've been reminded time and time again about the value of data, so getting past the need to hold on to everything is the first major hurdle to this process."

After rallying support, the next step is determining the rightful owners of the data within an organization – be it consumers, vendors, technology, legal, risk management, third-party partners, or the organization itself.

"This can be a murky exercise to get through, but it's critical in building a strategy around what needs to be maintained and who needs to be involved in that part of the process," adds Godin, noting that identifying and implementing an accountability framework around the legitimate owners of data is equally important. "That's where one's legal compliance department can be an asset in affirming the legal risk appetite related to data retention requirements and needs for the organization."

Only when the strategy is set and roles defined can organizations move forward with the 'work' of data deletion. This entails using tools to separate data of legal, operational, or historical value from stored or backed up information that is inaccurate, dated, or non-essential.

"It's during this step organizations can leverage data mining tools and analytical programs to dive into an organization's data, profile all the subsets of information, and identify what can be disposed," explains Godin, adding, "It's also the point at which they can begin establishing proper controls to delete that same information moving forward, such as records management programs that define specific rules around what needs to be kept and what can automatically be destroyed."

Data in the spotlight

There's little debate that good, clean data is among the most valuable business assets. As more and more data becomes available, however, there must be discussions around which of that information a business must retain and which can be securely destroyed.

Ultimately, Godin concludes, "Many organizations have data they're collecting that they either don't need or don't know what to do with. That data is costing them money and opening them up to a number of risks. Therefore, as more and more data gets added to the pile, there's a strong case for drafting a defensible deletion strategy that will help to both free up resources and optimize the value of what they decide – and are required – to keep."

[1] IDC's Data Age 2025 study, sponsored by Seagate, April 2017