Boards & Execs – The importance of having an understanding of your organisation’s data holdings



It is common for organisations to have lost a detailed understanding of the data / information (we will use these terms interchangeably) they hold across their systems, whether those systems are hosted on premise, in the Cloud, or even with third parties.

Minimising data (through deletion or archiving) was an important focus when storage was expensive and systems slowed down in proportion to the volume of data they held. This was true from the advent of computing until the early 2000s. Then came a “blessed” time where storage became cheap, systems performed irrespective of how much data they contained, and we could happily keep everything forever!

Times have changed!

Legal & Compliance risks

The last five to ten years have seen the introduction of strict regulations across the world on how long data can be retained: GDPR in the UK, CCPA in the US, and Australia’s Privacy Act. Keeping data longer than necessary may lead to non-compliance, resulting in hefty fines or legal action (for example, Meta was fined €1.2 billion by the Irish Data Protection Commission in 2023 for failing to comply with GDPR).

In addition, a number of industries have specific data retention periods, covering both positive retention (an obligation to store data for a minimum period of time) and negative retention (an obligation not to store data beyond a maximum period of time). Not abiding by these retention periods can breach legal or regulatory requirements, again potentially leading to significant penalties.

Data Security Risks

For an organisation, storing more data increases the potential exposure in the event of a breach, as retaining irrelevant or outdated data amplifies the risk of sensitive information being compromised. In a recent breach in Australia, it is believed more than 50% of the data involved belonged to past customers, further increasing its impact and the resulting public anger against the brand.

Furthermore, legacy data stored in older systems may not be protected with up-to-date security measures and controls, making it an easier target for Cyber attacks, and breaches of such systems may go undetected for longer.

Decision-Making Challenges

An overabundance of data can lead to “analysis paralysis,” making it harder to extract meaningful insights and potentially delaying critical business decisions due to the complexity of appropriately “wrangling” the required data set. An example of a decision-making challenge can be found in Australia with the Australian Bureau of Statistics (ABS) during the 2016 Census. The ABS collected an enormous volume of data, which was intended to inform policy and planning across various sectors. The vast quantity of data, combined with a lack of clear processes for managing and analysing it, led to significant challenges and delays, hindering decision-making for critical policy areas.

Holding large volumes of data also increases the complexity and cost for an organisation to have a clear understanding of the quality of these data sets. A significant portion of the data may be outdated or irrelevant, which adversely impacts the accuracy of analytics and decision-making processes.

What can Boards and Execs do now?

Ensure there is a single way to classify data across the organisation

Boards and Execs should champion the establishment of a unified data classification framework across the organisation. This framework can be based on established models, such as confidentiality, integrity, and availability (CIA), or tailored to suit the organisation’s unique needs. A consistent classification approach ensures all employees have a common understanding of data’s value, sensitivity, and criticality.

This consistency is vital for managing risks and ensuring compliance. When data is classified systematically, it becomes easier to apply appropriate security controls, determine retention periods, and prioritise resources. Without this shared language, teams may work in silos, leading to inconsistent handling of data and increased vulnerability to breaches or regulatory penalties.

Identify the organisation’s information “crown jewels”

Not all data is created equal, and Boards and Execs should advocate for identifying the organisation’s “crown jewels” (i.e. the most critical and sensitive data that underpins the operation of the business). This could include intellectual property, customer PII, or strategic plans. By understanding what truly matters, leaders can drive focused and effective prioritisation.

This process not only enables the mitigation of risks to high-value data but also avoids wasting resources attempting to “boil the ocean”. A clear prioritisation strategy ensures that Cyber security measures, compliance efforts, and data governance initiatives are directed where they have the greatest impact, balancing risk mitigation with operational efficiency.

Run a prioritised data inventorisation

Conducting a data inventory is foundational to understanding the breadth of the organisation’s data holdings, but this should be done with a prioritised lens. Boards and Execs can mandate a tiered approach, starting with high-risk or high-value data categories identified during the crown jewels exercise. This ensures quick wins and minimises the potential exposure of the most critical data.

A comprehensive yet focused data inventory lays the groundwork for effective data management. It highlights gaps, such as outdated data or unnecessary duplication, and enables the organisation to streamline data governance practices. This inventory should include data held by third parties or in the Cloud to ensure no blind spots in the organisation’s data landscape.

Understand the organisation’s data retention requirements

Retention requirements vary across industries and states, and understanding these is crucial to both compliance and operational efficiency. Boards and Execs should push for a thorough (yet, again, prioritised) analysis of legal, regulatory, and business-specific retention needs as part of the data inventory process. This ensures that data is retained only as long as necessary and disposed of when no longer required.

Clear retention policies not only reduce the risk of non-compliance and associated penalties but also simplify data management. They help eliminate redundant or outdated data, reducing exposure in the event of a breach. Furthermore, operationalising these requirements via automation ensures adherence without overburdening BAU teams.
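As an added illustration of how the classification, prioritised inventory and retention ideas above can be operationalised (this is example code written for this page, not a tool or method from the authors or their organisation), the following Python sketch evaluates a small, constructed data inventory against positive and negative retention rules and orders the findings so that the most sensitive holdings are reviewed first. The classification labels, retention periods, category names and inventory entries are all assumptions for the sake of the example; real periods must come from the organisation’s own legal, regulatory and business analysis.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Classification(IntEnum):
    """One organisation-wide classification scale (labels are assumed).
    Higher values are more sensitive and are reviewed first."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3   # "crown jewels": customer PII, IP, strategic plans


@dataclass(frozen=True)
class RetentionRule:
    """Positive retention: keep for at least min_days.
    Negative retention: must not keep beyond max_days (None = no cap)."""
    min_days: int
    max_days: Optional[int]


@dataclass(frozen=True)
class Asset:
    """One line of the data inventory (constructed schema)."""
    system: str
    category: str
    classification: Classification
    location: str      # "on-prem", "cloud" or "third-party"
    last_needed: date  # when the business purpose for the data ended


# Constructed rules, counted in days from last_needed. Real periods come from
# the organisation's legal/regulatory analysis, not from this example.
RULES: Dict[str, RetentionRule] = {
    "customer_pii": RetentionRule(min_days=365, max_days=7 * 365),
    "financial_records": RetentionRule(min_days=7 * 365, max_days=None),
    "campaign_stats": RetentionRule(min_days=0, max_days=2 * 365),
}

# Ranking used to order findings: mandatory disposals first.
ACTION_RANK = {"dispose": 0, "review": 1, "eligible": 2, "retain": 3}


def evaluate(asset: Asset, rules: Dict[str, RetentionRule], today: date) -> str:
    """Map an asset to one of four actions:
    retain   - still inside the minimum (positive) retention period
    eligible - past the minimum, within the maximum: may be disposed of
    dispose  - past the maximum (negative) retention period: must go
    review   - no rule exists for this category: a governance gap"""
    rule = rules.get(asset.category)
    if rule is None:
        return "review"
    age_days = (today - asset.last_needed).days
    if age_days < rule.min_days:
        return "retain"
    if rule.max_days is not None and age_days > rule.max_days:
        return "dispose"
    return "eligible"


def review_inventory(inventory: List[Asset], rules: Dict[str, RetentionRule],
                     today: date) -> List[Tuple[Asset, str]]:
    """Evaluate every asset and order the findings by classification
    (crown jewels first), then by urgency of the action."""
    findings = [(asset, evaluate(asset, rules, today)) for asset in inventory]
    findings.sort(key=lambda f: (-int(f[0].classification), ACTION_RANK[f[1]]))
    return findings


# Constructed inventory for a review dated 1 Jan 2025.
TODAY = date(2025, 1, 1)
SAMPLE_INVENTORY = [
    Asset("finance-ledger", "financial_records", Classification.CONFIDENTIAL,
          "on-prem", date(2022, 6, 30)),
    Asset("marketing-share", "campaign_stats", Classification.INTERNAL,
          "third-party", date(2023, 3, 1)),
    Asset("crm-archive", "customer_pii", Classification.RESTRICTED,
          "cloud", date(2017, 1, 1)),
    Asset("legacy-hr", "employee_records", Classification.RESTRICTED,
          "on-prem", date(2010, 1, 1)),
]

if __name__ == "__main__":
    for asset, action in review_inventory(SAMPLE_INVENTORY, RULES, TODAY):
        print(f"{action:8} {asset.classification.name:12} "
              f"{asset.location:11} {asset.system}")
```

Run as-is, the report lists the RESTRICTED customer archive held in the Cloud as a mandatory disposal first, flags the legacy HR system as a “review” item because no retention rule exists for its category (the kind of gap an inventory is meant to surface), and only then reaches the lower-classification holdings. The inventory deliberately records third-party and Cloud locations alongside on-premise systems so that the same rules are applied without blind spots.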

Define and operationalise fit-for-purpose data governance

Effective data governance must be treated as a BAU practice, not a one-off project. Boards and Execs should advocate for a scalable, fit-for-purpose (i.e. not overbaked) governance framework that aligns with the organisation’s priorities, regulatory obligations, and most importantly its scale. This framework should encompass clear policies, assigned roles and responsibilities, and the integration of governance processes into daily operations.

Operationalising data governance requires embedding it into existing workflows and using technology to monitor compliance and streamline processes. This ensures ongoing accountability and prevents the recurrence of data-related issues. Regular reviews and updates to the governance framework are essential to keep pace with evolving regulations and business needs.

Foster data literacy and culture across the organisation

Boards and Execs play a pivotal role in fostering a culture of data literacy throughout the organisation. This involves ensuring employees at all levels understand the importance of data, how it should be handled, and their role in protecting it. Training programs, clear communication, and leadership by example are essential components of this cultural shift.

A strong data culture empowers employees to make informed decisions, improves compliance, and enhances the overall effectiveness of data governance initiatives. When employees understand the “why” behind data management policies, they are more likely to adhere to them, reducing risk and promoting a sense of shared responsibility for safeguarding the organisation’s data assets.

If this resonates with you, or highlights some of the issues your organisation is currently facing, click the “Contact Us” button or email us at data@evolvere.au.