We create more data today than ever before, at rates we could scarcely imagine just a few years ago, and we store that data on a wide variety of devices and media. This explosion has created a new set of risks to manage.
As well as the immediate storage challenge, companies have to deal with retention of the data. Decisions need to be made around what data should be kept, how long it should be retained, how it will be accessed and where it will be stored. These details contribute to the cost of separating the useful data from the useless data. And the challenges are exacerbated by the movement of staff who know where the crown jewels are kept but haven’t documented or shared that crucial information.
Decisions about data can’t be made in a vacuum by technologists. To set rules about what data is retained, engagement from the C-suite is required. First, data must be classified so the business knows what data it has. Then the IT team can inform business leaders of what data is stored and provide options on how it can be managed.
Data classification is extremely important. Companies need to understand what the data is. Is it files on file systems or data in applications? How is the data secured, and who can access it? Where is the data, and how big is it? Who created it, what applications did they use, and is it version-controlled? What are the costs associated with the data, and what value does it have? Can it or should it be deleted?
Answering these questions will help the business make smart decisions that can be supported with technology, to meet the needs of the enterprise while addressing risks. Data-based decisions can be made about what data needs to be retained, what can be deleted and what can be moved to less expensive types of storage.
Although regulatory obligations may dictate the retention of some data, such as medical and financial records or emails sent between specific people, other information can be deleted. While there may be a temptation to save everything, keep in mind that retained data could be subpoenaed in legal proceedings.
Old versions of files and programs should also be considered for removal. Developers often create several versions of an application, many of which don’t function correctly. Although it may make sense to hold these for a short time, there is little value in storing them indefinitely.
Similarly, draft versions of documents are good candidates for deletion. In fact, these can even be dangerous to retain, as they could reflect the evolution of a thought process, which could be used against you in legal proceedings.
Home directories from former employees also need to be considered for deletion. Although there may be cases where retention is reasonable, the contents may be of no value or may hold sensitive data that is best deleted.
Once you understand exactly what data assets you have, you can then conduct a risk-based analysis of how to best manage those assets.
Another risk is the potential for data to be stored on media that is no longer readable. This can happen when the device for reading the data is no longer functional or supported, or if the media fails. Tape, optical media and disks can all fail over time, so the risk-based approach to data needs to take that into consideration.
For many companies, embarking on a risk-based data management journey can seem overwhelming. However, it doesn’t have to be an all-or-nothing project. The best place to start is with a decision to target one specific area. That might be a business unit, a cluster of data such as a file server or email, or an upcoming project where more storage will be required.
This can act as a proof of concept and opportunity to test your approach to creating a risk-based data lifecycle. It can also further support an ongoing business case, with a return on investment that demonstrates how much money unmanaged data is costing the business. This can be shown through reductions in capital expenditure on storage, backup windows, and the amount of cloud storage needed, as well as operational efficiencies that save time for frontline staff.
Business risks come in many forms. The decisions you make about what data you retain, retention periods and how the data is managed are often neglected when companies consider their risk profile.
Taking the time to understand what data you have through data classification—where it is stored, who can access it, how long it is retained and how it will be irretrievably destroyed when it is no longer needed—is critical for ensuring your data serves you and doesn’t end up coming back to bite you.