I recently had the pleasure of discussing information governance with Priya Keshav, CEO at Meru Data, on the company’s #SimplifyforSuccess podcast. Our conversation focused on the issue of data minimization, and many of the challenges our teams see clients face when working to dispose of legacy data and implement new retention and deletion programs.
As discussed during the podcast, it’s helpful for information governance professionals to look back in time a bit to understand the full scope of why data minimization has become so difficult. In the early 2000s, when e-discovery as we know it today first hit, the Zubulake v. UBS Warburg case in the United States District Court for the Southern District of New York shocked the corporate world with regard to data preservation requirements. In the wake of that matter, many organizations didn’t know what to preserve, so they began preserving everything.
This led to a massive “save everything” movement that persisted widely for more than a decade and is still practiced today at some large corporations. In the last few years, this practice has come into direct conflict with GDPR and other privacy regulations that specify organizations are only permitted to retain personal data to the extent and duration that it is reasonably necessary per regulatory, legal and business requirements. The end result for corporations has been the accumulation of a massive repository of legacy data co-mingled with personal data and new data—some of which must be defensibly disposed of to comply with data protection laws.
Priya and I talked through the important first step in addressing this issue: the development of new policies that define and determine what regulations the organization reports to and current legal hold obligations. These policies, and the steps that follow to execute them must address all data repositories, including legacy systems that have been sunset and backup tapes as well as modern data sources such as collaboration tools and cloud-based apps, in which sensitive data, personal information and records may be intertwined with communications and other files that aren’t governed by the preservation policy.
We agreed that the way the corporate data footprint has and is continuing to expand is creating tremendous challenges and grey area for information governance, and the implementation of data minimization in particular. Within large, multinational organizations or organizations with a large volume of legacy data, working through these challenges requires expertise across technical, legal and regulatory factors.
The podcast discussion also covered how data minimization intersects with information security and the increasing use of AI within corporations—as well as challenges emerging around data subject access requests and other data privacy requirements. The full conversation is available here.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.