Data Privacy Day 2025: Time for Data Destruction to Become Standard Business Practice
Compliance standards are shining new light on the need to better control and protect data. There are many ways to implement a data protection and security strategy, but most organizations would admit that destroying data is not one they typically prioritize.
As well as good business and cyber process, there are also data privacy regulations which mandate the deletion of data, such as the “right to be forgotten” under GDPR. Organizations need to be of the mindset that they both could and should be reducing their data estate as a part of normal business and compliance operations.
More Controls Across the Entire Data Estate
There are many good reasons why organizations need to assume better control over their entire data estate. Among them: data privacy legislation, a growing sustainability agenda, and risk to the business of data exposure. But improved control should also involve acceptance that data has a lifecycle: a creation point, a period of operational life, and then a point when the data is beyond its useful life and should be deleted or removed. Operationally, at the very least, less data is easier to control and manage.
Data deletion, or more precisely, data erasure, is an area of growing importance in IT and cybersecurity, driven by the reasons above, and more. The notion that data is created, used and stored away with little, if any, thought given to what happens to that data once it is no longer needed, is now from a bygone era. There is a need for a much more focused and cyclical approach, ultimately to destroy data when it is no longer of any business value.
Omdia believes enterprises should establish timelines for deletion or erasure once data is beyond its useful lifespan, or as a first step at least, to review the data for its business viability. Data should not be retained if its removal is required under some areas of data privacy legislation, or if that data no longer fulfils the purposes for which it was collected. This retention period, however, will depend on various factors, including legal obligations, the purpose of data processing, industry standards, and business needs.
To Erase or Not to Erase?
Data destruction is not a commonly employed cybersecurity tactic. It almost seems to conflict with the human psyche, which seems to embrace the idea that the wholesale collection of data is somehow beneficial. “The more data, the better,” seems to be the mantra.
However, there is now beginning to be some movement against the “more is better” ideology. As more and more data is created, organizations are wrestling with what to do with it all, and moreover, how to address compliance with data privacy legislation. Large and growing data volumes present a significant headache to CISOs and their teams. Can organizations put a hand on heart and claim they even know where all their data is, or that they know what it is? In a recent Omdia survey, only 11% of respondents, asked what percentage of their data they would be confident their organization could account for, felt they would be able to identify their entire data estate.
As data grows in volume and cost, there are also questions to be asked about how all the arrays necessary to store all the data are to be powered. Not forgetting, in addition, that as the threat landscape continues to grow, an effective backup strategy with duplicate copies of data is an increasingly important aspect of data security. This creates even more data, consuming more space and power. Failure to adopt a cyclical approach to data security therefore exposes an organization to significant risk as users and security teams alike invest most of their effort protecting and securing operational rather than archived data.
Organizations have tended to take an “ignorance is bliss” approach to stored or archived data. Now though, with regulatory pressures, increasingly limited available storage, an unwieldy and difficult-to-manage data estate, data subjects wanting more privacy, and the requirement for a demonstrable sustainability agenda, there is an urgent need to act.
Sustainability
The IT industry generates an enormous amount of waste as part of regular equipment refresh cycles; old equipment becomes redundant and needs disposal, which often means landfill. The outgoing equipment often still functions, but is less advanced and technically capable than a newer version more able to manage escalating workloads.
Omdia questions the sustainability of the way the industry currently operates, particularly in view of directives in the EU and elsewhere, around reducing the energy consumption required to process and transmit data. Furthermore, as many organizations begin to factor in environmental responsibility as a tool for brand enhancement, consuming more and more IT resources, to process growing volumes of data, is self-defeating.
Where infrastructure does need replacing, it is logical to clean all the data from the systems being replaced before items are disposed of or repurposed. In this case erasing data is a process in itself and needs to include written proof that the data has been permanently erased, with no potential for recourse.
To simply go on creating more and more data, to use it for a period of time and then store it away, largely to be forgotten about, is a mindset that is antiquated and needs to be substantially adjusted. Data warrants much more focus; enterprises must adopt a lifecycle approach to data management, in particular that it has an end point, after which it needs removal. Storing data away and leaving it in perpetuity is dangerous, irresponsible and unnecessary. Ignored data poses risk to the business. Today, the risks data can present to an organization mean it is too important to be ignored.
source: DarkReading