
Data Privacy Day 2025: Time for Data Destruction to Become Standard Business Practice

Compliance standards are mandating better data security. There are several ways to do this, but most organizations would admit that erasure is not one of them.

Adam Strange, Principal Analyst, Data Security, Omdia

January 28, 2025

Source: Omdia

Compliance standards are shining new light on the need to better control and protect data. There are a multitude of ways to implement a data protection and security strategy, but most organizations would admit that destroying data is not one they typically prioritize.

Good business and cyber processes call for the deletion of data, and data privacy regulations mandate it as well, such as the "right to be forgotten" under the General Data Protection Regulation. Organizations need to be of the mindset that they both could and should be reducing their data estate as a part of normal business and compliance operations.

More Controls Across the Entire Data Estate

There are many good reasons why organizations need to assume better control over their entire data estates. Among them: data privacy legislation, a growing sustainability agenda, and risk to the business of data exposure. But improved control should also involve acceptance that data has a life cycle: a creation point, a period of operational life, and then a point when the data is beyond its useful life and should be deleted or removed. At the very least, less data is easier to control and manage from an operational standpoint.

Data deletion — or, more precisely, data erasure — is an area of growing importance in IT and cybersecurity, driven by the reasons above and more. The notion that data is created, used, and stored away with little, if any, thought given to what happens to that data once it is no longer needed is now from a bygone era. A much more focused and cyclical approach is needed, ultimately to destroy data when it no longer has any business value.

Omdia believes enterprises should establish timelines for deletion or erasure once data is beyond its useful lifespan — or, as a first step, at least review the data for its business viability. Data should not be retained if its removal is required under some areas of data privacy legislation or if that data no longer fulfills the purposes for which it was collected. The retention period will depend on various factors, including legal obligations, the purpose of data processing, industry standards, and business needs.

To Erase or Not to Erase?

Data destruction is not a commonly employed cybersecurity tactic. It almost seems to conflict with the human psyche, which typically embraces the idea that the wholesale collection of data is somehow beneficial. "The more data, the better" seems to be the mantra.

However, a movement against this ideology seems to be taking place. As more and more data is created, organizations are wrestling with what to do with it all and, moreover, how to address compliance with data privacy legislation. Large and growing data volumes present a significant headache to CISOs and their teams. Can organizations put a hand on heart and claim they even know where all of their data is or that they know what it is? In a recent Omdia survey that asked respondents what percentage of their data they would be confident their organizations could account for, only 11% said they would be able to identify their entire data estate.

As data grows in volume and cost, there are also questions to be asked about how to power all of the arrays necessary to store all of the data — not forgetting that as the threat landscape continues to grow, an effective backup strategy with duplicate copies of data is an increasingly important aspect of data security. This creates even more data, consuming more space and power. Failure to adopt a cyclical approach to data security exposes organizations to significant risks as users and security teams alike invest most of their efforts protecting and securing operational rather than archived data.

Organizations have tended to take an "ignorance is bliss" approach to stored or archived data. But with regulatory pressures, increasingly limited available storage, an unwieldy and difficult-to-manage data estate, data subjects wanting more privacy, and the requirement for a demonstrable sustainability agenda, there is now an urgent need to act.

Sustainability

The IT industry generates an enormous amount of waste as part of regular equipment refresh cycles; old equipment becomes redundant and needs disposal, which often means the landfill. The outgoing equipment often still functions but is less advanced and technically capable than a newer version better able to manage escalating workloads.

Omdia questions the sustainability of the way the industry currently operates, particularly in view of directives in the European Union and elsewhere around reducing the energy consumption required to process and transmit data. Furthermore, as many organizations begin to factor in environmental responsibility as a tool for brand enhancement, consuming more and more IT resources to process growing volumes of data is self-defeating.

Where infrastructure does need replacing, it is logical to clean all of the data from the systems being replaced before items are disposed of or repurposed. In this case, erasing data is a process in itself and needs to include written proof that the data has been permanently erased, with no potential for recourse. To simply go on creating more and more data, to use it for a period of time, and then store it away, largely to be forgotten about, is an antiquated mindset that needs to be substantially adjusted. Data warrants much more focus; enterprises must adopt a life cycle approach to data management — in particular, that it has an end point, after which it needs removal. Storing data away and leaving it in perpetuity is dangerous, irresponsible, and unnecessary. Ignored data poses risk to the business. Today the risks data can present to an organization mean it is too important to be ignored.

About the Author

Adam Strange

Principal Analyst, Data Security, Omdia

Adam Strange is responsible for delivering a comprehensive analysis and insight program focused on data security within the Omdia cybersecurity research function, supporting vendor, service provider and enterprise clients.

Adam brings comprehensive experience of the cybersecurity industry, having worked for a series of UK-based channel and global vendor organizations.
