Holding on to old data slows applications, increases storage costs and backup times, and dramatically increases the danger of attacks. A good data disposal policy can reclaim some of your budget and help you sleep better at night.
For the sake of argument, let's assume your company already has a data retention policy. If it doesn't, stop reading right now and make one. No one wants to be left in the lurch when auditors come calling or a client claims you didn't pay that invoice back in 2011.
But what about the other side? Is there such a thing as too much data?
Why You Need To Do It
According to the Compliance, Governance and Oversight Council, nearly three quarters of all data stored in an organization has no current business use. If that seems like a lot, consider the forms that data might take. The biggest and scariest culprit is email, which often contains sensitive personal and client information, as well as multiple versions of files forwarded as attachments. Email is a horrible storage and versioning system, but it's one of the most popular.
Then there's the problem of department-specific data silos, which often hold redundant records that can be orphaned. Imagine your HR, Marketing and legal departments each keep separate copies of employee records. For compliances's sake (or, more likely, because you never got around to integrating your systems), those records are all stored in separate systems. If HR terminates an employee but the information doesn't sync, you've just created orphans in the other system that may last forever.
On the other hand, maybe you've done it right. Your records share a common repository and each department has properly permissioned views.
You still might be in trouble.
HR might need to retain certain data after a termination, but retaining other sensitive information might actually be illegal. If you're in a highly regulated industry, you're probably aware of these restrictions. If you're not, you may not know about them until there's a lawsuit after a breach.
Don't forget about the storage issue. Slashing your storage by 50% to 75% would save a lot of cash. The CGOC estimates a savings of up to $50 million in some enterprises. In some highly virtualized enterprises, storage costs can account for as much as 40% of the total IT budget. Plus, everything – from record searches to backups – will run faster.
If you're still not sold, Ben Rothke's 2009 article, Why information Must Be Destroyed, remains valid and convincing.
You're on board. Less data equals the less risk carried, faster systems, and more money.
How Do You Get Started?
Create A Policy
This might sound obvious, but the first step toward disposing your data is to create a data disposal policy. It should mirror and integrate with your data retention policy, as well as any other physical destruction (e.g., shredding) policies you follow. You don't want anything falling through the cracks.
Don't try to make decisions on your own. Each department should have input, and the final policy should pass through legal and compliance reviews before landing on the CEO's desk. Everyone needs to be on board.
Assume The Worst
Try to minimize the amount of effort required by employees. For example, autoarchiving emails past an age threshold will point out inappropriate use pretty quickly. One CTO of a mid-sized firm remarked that when his company moved from POP to IMAP and began archiving older emails, his sales department panicked. "They'd been storing customer data in emails and spreadsheets instead of using our CRM system. We were storing sensitive data without gaining any value, and our sales reps weren't doing their jobs." There will always be room for human error, but prevention will ease the cleanup burden after the fact.
Consider The Hardware
Different types of data require different disposal methods. Medical records or confidential design documents may require physical destruction of a disk or a magnetic degaussing. Old tweets and press releases probably need only a simple overwrite. If you're still storing a mix of data on the same physical disks, this might be a good time to change that.
The disposal methods you choose will be based on your industry, so your Legal department is the ultimate authority, but you can start your research with the NIST's Guidelines for Media Sanitization.
Get Service Guarantees
This is a problem even the largest enterprises sometimes face. Much of your data is in the hands of third parties, and more will be shifting that way soon. It may be their cloud, but it's your data.
Send your disposal plan to your service providers and get a guarantee that they'll abide by it. This may add costs to your contract, but failing to do so makes the policy pointless. If your provider already specializes in government or industry compliance, this should be an easy talk to have. If its not, consider shopping around for new services.
Remember: It's A Process
You won't be able to do everything at once. Some parts of the policy may require more review than others. Some systems may require redesign. Get the low-lying fruit first.
If you're starting from scratch, even the first steps are steps in the right direction.