We have now reached the 7th and last phase of our Data Life Cycle Management – Data Purge.

One would think that this should be the easiest phase to execute, how hard can it be to delete data?  Hit the delete button, run the purge command, and all unwanted data disappear from the enterprise environment. In reality, the process to delete enterprise data is much more complex than just hitting the delete button.

Enterprises that capture, maintain, synthesize, use, publish, and archive data must ensure that data can be defensible dispositioned to satisfy regulatory requirements such as Section 17(a)(1) of the Securities Exchange Act of 1934 (“Exchange Act” or “SEA”), the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.) and many others.

What is defensible data disposition?

Defensible data disposition is the consistent enterprise process to delete data in compliance with regulatory requirements.

Implementing a defensible disposition operating model to continually delete superfluous enterprise data in compliance with the many and often conflicting regulatory directives can be both complex and cost prohibitive.

How to delete enterprise data defensibly?

Global enterprises should consider the principles of due care and due diligence:

  • Due care: the consistent act of identifying threats and risks
  • Due diligence: implementing sustainable solutions to mitigate identified threats and risks.

Based on lessons learned, here are three prime considerations and capabilities that an enterprise should have in building a defensible data disposition operating model:

  1. Retention Management Policy ensure that the enterprise have a clearly documented retention management that satisfies regulatory, legal holds, and business retention requirements.
  2. Defensible Disposition Strategy – develop process and technology to move data from:
    • Production to Archive Intake Engine – how does data move from production to archive tagged with the right retention management codes while ensuring removal of data from all production and backup environments?
    • Archive to Defensible Decision Engine – how to continuously review archive data and present data that has met its retention requirements to a defensible decision engine to verify it can be deleted without any business or regulatory ramifications e.g. is it in any type of legal holds?
    • From Defensible Disposition Decision to Deletion Engine – how to delete data in a way that is appropriate to its sensitivity e.g. overwrite, degauss, physical destruction? How to verify and track that the deletion process is complete and physical devices (if any) are properly disposed? For further discussion please click here to read CSO article on in-depth guide to data destruction.
  3. Defensible Disposition Operating Model – enterprises, especially large enterprise with thousands of applications and Petabytes of storage, should standup a Defensible Disposition Operations team to support the day to day operations of deleting data. Like any other operations group, this team would provide support for:
    • Request fulfillment – provide support for fulfilling service requests, standard changes, or requests for information.
    • Event Management – monitor the health of defensible disposition infrastructure, escalate and prioritize as appropriate.
    • Incident Management – remediate incidents and restore normal functions as quickly as possible.
    • Problem Management – prevent incidents from happening and minimize events that cannot be prevented through process or automation.
    • Access Management – provide support to ensure authorized users have access and prevent unauthorized users from accessing data and services in the Defensible Disposition system.

Implementing Retention Management Policy and Defensible Disposition Strategy enacts principle of due care, implementing Defensible Disposition Operating model enacts the principle of due diligence, enabling the enterprise to sustainably delete data in compliance with regulatory requirements.  This sustainable approach reduces risks of over retention while also reducing data infrastructure and operational costs.

Leave your thoughts on the comments section. Or feel free to contact me at datafabricblog@gmail.com

Happy to send an editable version of the 7 phases of a data lifecycle images, just send me an email with your request.

About the author:

Juliana Carroll is a problem solver, strategic thinker with 15+ years of Fortune 500 consulting experience delivering measurable results that align with both business competitive requirements and regulatory compliance.

Juliana delivered exceptional results for organizations including Morgan Stanley, Prudential, Merck, Guardian Life Insurance, Blue Cross Blue Shield of Florida, and Deutsche Bank.

Connect with Juliana Carroll via Linked In.