Data wipe.
For the most part, corporations across various industries have been able to figure out how they can defensibly dispose of the data held in their offices. Generally, “you know what your legal and regulatory obligations are for a certain set of information, and you know what your legal hold obligations are,” says Jason Stearns, director of the legal and compliance group at BlackRock.

But the way such criteria are applied will likely change in the near future. At the “Making Disposition Defensible: The Tools You Need” Legalweek 2018 session, Stearns joined other information governance professionals in discussing how the European Union's (EU) General Data Protection Regulation (GDPR) will turn defensible disposition considerations on their head.

“I like to think that the whole game is changing,” said Richard Kessler, director of cybersecurity services and strategy at KPMG, noting that the GDPR mandates that companies can only store the personally identifiable information (PII) of EU citizens for as long as it satisfies the primary business purposes for which it was collected.

Kessler added, “For years we were focused [on data] at the end of its lifecycle: What is preventing us from disposing of it? What is occurring now [with the GDPR] is changing the focus to the front of the lifecycle… it really pushes the thoughts around disposition, in particular with the right to erasure, to the very beginning of the lifecycle when data is first created or received.”

John Isaza, partner at law firm Rimon PC, added that among his clients “personal data is, by far, their number one concern” because of the GDPR.

Indeed, the EU regulation is already spurring some information governance consultants to advise their clients to take a more proactive approach to data deletion. “Now, I can go to my business group and say, 'Unless you can tell me why you need this data, if it has PII in it, it has to be erased,'” said Stearns. “I can speak to deleting tens of thousands of backup tapes with that approach alone.”

But erasing PII that is no longer needed for a business purpose isn't always going to be possible with such quick and broad strokes. Kessler noted that for some companies, it will require “micro-surgery” in finding “where that PII is, and where it has gone throughout the enterprise.”

To be sure, companies may not always be willing to delete the PII they collect and store once it is no longer needed for its primary business function. “Those doing the data analytics may say, 'Hey, we want to keep this data around, we want to see trends over years' or something like that,” Kessler said.

Under the GDPR, however, companies will likely need to get consent from EU citizens whose PII they want to keep and analyze. But Stearns believes that some companies will lean on data analytics as a reason to hold off on erasing any data entirely.

“Big data, artificial intelligence, analytics—these keep being reasons used to do nothing,” he said, adding “you don't need to keep every data set” for analytics.

“Do I need three copies to run data analytics? No… I also don't need physical files in the warehouse that are useless in a data analytics scenario.”