3 minute read 14 Feb 2021

How to minimize risk through data disposition

Authors
Varun Sharma

EY Americas Data Protection Leader

Passionate about cybersecurity, technology and supporting EY clients. Problem solver. Travel enthusiast.

Nick Granack

Senior Manager, Data Protection and Privacy, Ernst & Young LLP

Driven by innovation inside and outside of EY. A believer in creativity that keeps things fresh and moves us toward better solutions. Aiming to develop creative, technology-enabled solutions.

Ashok Sankararaman

Senior Manager, Data Protection and Privacy, Ernst & Young LLP

A believer that the world is moving digital at lightning speed. A ninja in securing data in the digital world.

Nandita Das

Manager, Data Protection and Privacy, Ernst & Young LLP

Passionate about cybersecurity. Transformational change leader. Thrives on building long-lasting client relationships. Food enthusiast.

Logan Shively

Manager, Cybersecurity, Ernst & Young LLP

Local community supporter. Empowering students to become the next generation of cybersecurity leaders. Helping clients protect the data that matters most to them. Philadelphia sports fan.


Show resources

  • Minimizing risk through data disposition july 2020 (pdf)

Many organizations are struggling with the challenge of how to dispose of sensitive data, but there is a methodology that works.

In brief
  • Common challenges to an effective data disposition program include expanding regulatory agendas, limited business ownership and insufficient data governance.
  • We recommend a combination of two methods of data disposition: pre-emptive and on demand.
  • For data disposition to be most impactful to your organization, it must be aligned to both the overall data protection and business strategy.

Data disposition is a comprehensive term designed to capture the different methods businesses can use to dispose of sensitive data. These methods are pursuant to various regulations, retention policies, consumer requests or other business needs.

An effective data disposition program requires a partnership with the business to understand the data life cycle and flows, and integrate with the various components of data security.


Understanding the problem

The advent of the digital age has brought tremendous opportunity for growth and innovation along with many difficult challenges. One of them is data disposition. Many organizations are struggling to keep pace with their data life cycle, i.e., collection, storage, retention and deletion. Common challenges associated with deploying an effective data disposition program include:

  1. Expanding scope of regulatory agendas and emerging compliance requirements
  2. Proliferation of data processing, storage and usage in the cloud or on premises
  3. Collection and storage of historical sensitive data beyond retention period
  4. Limited business integration and ownership
  5. Insufficient data governance to manage the data life cycle

EY and IAPP 2019 Annual Privacy Governance Report: 44% of respondents have undertaken efforts specifically aimed at data disposition.

Emerging data privacy regulations: 62% of respondents to a recent EY survey consider emerging data privacy regulations as a medium/high priority.

Drivers behind the changing data disposition landscape

Consumer drivers
  • Increased awareness regarding misuse of personal information and general distrust due to data breaches.
  • The right to access data and request its deletion.
Regulatory drivers
  • The rise in data privacy regulations, e.g., the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), increases the burden on organizations to manage and understand data.
Business drivers
  • Realization of the risk of sensitive data being stored beyond business useful life and the potential data breach implications.
Use case drivers
  • Organizations’ unique needs for driving business through the consumption of data and data analytics.

Data disposition program methodology

The diagram below outlines the sequence of stages that data will go through in a data disposition program. EY aligns its data disposition approach to the following methodology:

[Figure: Data disposition program methodology]

Methods of disposition

Our approach to data disposition provides flexibility in complying with privacy and security obligations. This approach employs two methods of data disposition. When a combination of these two methods is used, maximum benefits will be realized.

1. Pre-emptive

The organization proactively disposes of sensitive data through deletion, de-identification or aggregation before it propagates across systems.

2. Disposition on demand

When requests come in from the business or as a result of privacy obligations (e.g., consumer right to be forgotten) for data deletion, the organization begins the process of disposition and responds to the request within the stipulated period of time.

Strategic considerations for data disposition

Building a robust and holistic data disposition program requires strategic decision-making as well as input from, and integration with, a variety of key stakeholders.

Disposing of data requires data owners, compliance, legal, IT and cybersecurity to work together to develop a strategy that enables the business while meeting data disposition and retention requirements. This strategy is what creates the building blocks for a client’s data disposition program and is outlined below.

[Figure: Data disposition program]

How does data disposition fit into an overall data protection strategy?

For data disposition to be most impactful to your organization, it must be aligned to both the overall data protection and business strategy. Key integration points include building disposition into data governance, management and transformation. To better understand the scope of your data disposition needs, and to position your strategy to best identify and mitigate significant risks, processes such as data discovery must support ongoing maintenance and management of data. These integrations will help support and define data protection strategy to reduce data risk without disrupting business function.

Summary

While the digital age has brought significant opportunities for growth and innovation, it has also resulted in huge volumes of data that organizations have a responsibility to collect, store, retain and delete. When disposing of sensitive data, there are a number of options and considerations, and this article discusses the primary ones, including strategic concerns around data disposition.
