Automatic Data Disposition: What is it and why organizations need it?
27 October 2020
Data disposition is an important principle in privacy & cybersecurity regulations, including the EU General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), NYShield, and many others.
To maintain compliance with regulatory and client requirements and Outside Counsel Guidelines (OCG), organizations need to become familiar with the notion of data disposition and ways to apply it efficiently across collaboration systems.
What is data disposition?
Data disposition relies on the principle that any data collected or stored should be adequate, relevant and not excessive for the task at hand. An organization should not retain any information that fails to meet any of those three criteria.
Speaking of retention, most professionals are familiar with the concept of a retention policy, which determines when to delete data. Data disposition goes a step beyond data retention by determining not only when to delete data but also, depending on its purpose, how to store data before its deletion. For example, after customer data has served its purpose, an organization may choose to lock, archive or anonymize the information before deleting it.
Why should an organization dispose of its data?
As organizations deploy collaboration systems to improve productivity and support the growing remote workforce, they risk data sprawl across these systems. Locating data becomes difficult, endangering governance. It also impacts adoption across systems.
In the event of a Data Subject Access Request (DSAR), a client request for data, or a regulatory request, the organization will find it challenging to locate all data related to a particular subject and transfer it accordingly. The organization may also retain data beyond its usefulness. Data disposition policies help this process and enable organizations to strengthen their governance and regulatory compliance.
There are three main reasons why organizations should implement data disposition policies:
- To maintain privacy and regulatory compliance. As mentioned, regulations and clients require organizations to implement data disposition practices. Organizations that fail to implement such processes risk significant fines or almost irreparable reputational damage.
- To reduce the risk of cyberattacks. A data breach that exposes four weeks’ worth of customer information is far less damaging than a breach that exposes information from the previous year. Organizations are required to take the necessary steps to reduce the risks and consequences of a data breach. Data disposition policies reduce the impact of breaches and spare organizations lost revenue and reputational damage.
- To save money and time. Data simply cannot be stored indefinitely. The servers and cloud storage subscriptions required to store and manage data increase costs, and the management of expired data is redundant for information technology professionals and the entire organization alike.
How to implement data disposition policies
There are a few steps that organizations need to take to implement disposition policies:
- Understand what type of sensitive information the organization collects. A data mapping exercise is useful in these situations.
- Determine how long sensitive data needs to be retained.
- Map the data disposition steps for sensitive data that make sense to the organization. This could include archival, anonymization, and finally deletion.
- Set processes for how data disposition will be implemented.
Once the data disposition process is outlined, organizations should look into making it more efficient. Relying on humans to manually implement each disposition step across multiple collaboration systems and for hundreds or thousands of projects or engagements is prone to error.
Even the most diligent organization can make mistakes when attempting to process data manually. Unfortunately, in the modern world just one negligent mistake can cost an organization thousands of dollars in lawsuits.
Automating the data disposition process should be the next step. This includes selecting the right technology that will allow for trigger-based data disposition policies with integrated approval workflows. Triggers and approval workflows ensure that the organization has taken the necessary steps to assure its clients and regulators that the risk around sensitive data has been reduced. It also allows organizations to adhere to internal disposition policies.
How Prosperoware Helps
Prosperoware CAM is an enterprise digital transformation and governance platform for collaboration platforms in the cloud and on-premises. CAM enables organizations to improve adoption, enhance processes around management of office documents, and reduce risks related to privacy & cybersecurity.
CAM integrates with a variety of collaboration systems, including Office 365 (Microsoft Teams, SharePoint Online, OneDrive, Planner, OneNote), File Shares, iManage, NetDocuments, HighQ, and more to come.
Key features of CAM are:
- Automatic provisioning of workspaces, Teams, Channels, and folders from Project Portfolio Management, CRM etc., or through human workflow using templates
- Rich, custom metadata for project or document context
- Unified directory for project location
- Data Loss Prevention including activity monitoring with full audit trails, and bulk security & metadata changes
- Automatic execution of disposition policy actions as set internally – by the organization – and externally – by privacy & cybersecurity
- Set trigger-based data disposition policies with approval workflows or apply litigation holds, and
- Select data custodians to set policies to move, delete, modify, or export content