In 2023, the vast majority of companies continue to deal with growing data stores, including data from departed employees, aging legacy applications, and current employee data hoarders.
Much of this data is unmanaged and invisible to the company and is what many refer to as Dark Data - data that is collected, processed, and stored by organizations but not used for any defined purposes, such as analytics, business intelligence, or other business use. It may be unused, invisible, untapped, or redundant. It may be derived from many sources such as legacy employee work product, machine data, log files, internet research, or social media. But at the end of the day, dark data is also inactive.
Dark data is costing your company
According to a 2018 IBM study, dark (unstructured inactive) data amounted to approx.80% of all corporate data, with expectations that it will rise to 97% in the next couple of years.
Dark data is an ongoing risk to organizations because it is, by definition, invisible to the company, which means almost none of it is accessible or searchable by central corporate authorities for response to eDiscovery, FOIA, data subject access requests, or defensible disposition processing.
Much of this dark data is directly controlled by individual employees who have little incentive to delete local aging data regularly. So, this mostly inactive dark data keeps piling up (unmanaged) on employee devices and cloud accounts.
This lack of complete information management is now putting many companies at risk of non-compliance with the new and emerging data privacy laws.
One obvious example of dark data risk involves eDiscovery/FOIA response; however, an emerging risk with dark data for companies is around the relativity new compliance requirements of emerging data privacy laws.
Data privacy laws are causing a new inflection point
More than one hundred country-specific privacy laws are already in effect – the EU’s GDPR being the most well-known. However, six US states have passed new data privacy laws over the last several years, including California, Colorado, Connecticut, Iowa, Virginia, and Utah, with many more to follow over the next couple of years.
In another interesting development, the US federal American Data Privacy and Protection Act (ADPPA) was introduced in the House Energy and Commerce Committee last year and was passed out of committee by an overwhelming vote of 53 to 2, and is now due to be debated on the House floor soon.
Canada also has a significant data privacy bill in its second reading in the Canadian Parliament - Bill C-27- that could be passed into law later this year. Bill C-27 includes individual rights such as the private right of action and a requirement that all personally identifiable information (PII) be unrecoverably deleted when requested by data subjects.
Data privacy laws raise corporate liability and risk
Data privacy laws are an information management risk for all companies for two reasons:
First, each of these laws are global in nature, meaning they protect their citizen’s data from misuse - globally. This means if a company in New York collects a Colorado citizen’s data, then that New York company is subject to the Colorado data privacy law – this also extends to foreign countries.
The challenge for companies is that each of these data privacy laws differs in scope, definitions, timeframes, specific rights, and exclusions. Because of this, organizations collecting PII will now need to track each data subject’s PII, where they live, the type of consent given, the reason for PII use, and the timeframe in which the data was collected.
The second risk is that they all, in one form or another, provide data subjects the ability to query (via data subject access request or DSAR) the collecting organization to see if the company has collected their PII, how it’s being used, whether it has been sold to others and for what use, and to delete it if requested. All companies must respond to a DSAR in the allotted time – usually between 15 and 30 days, as directed by the local data privacy law. Suppose a company cannot find all of the PII or does not meet the time-period requirements. In that case, they will be considered not in compliance and subject to fines, penalties, and other legal actions by the state’s Attorney General.
In the new data privacy environment, companies will be required to manage all their corporate information, not just “compliance records” – including data on employee workstations and laptops so that they can fully respond to a DSAR in the time allotted by the new data privacy laws. I mentioned “fully respond” above because the response to the latest data subject rights cannot be “we gave it our best try.” Still, instead, the expectation is a complete and definite response, i.e., “we searched all possible repositories and found the following…”
The new data privacy laws are a new information management inflection point. They will create a cultural minefield for employers because most employees consider the data they collect, create, and store on their local laptops, etc., as their own – not the organization’s.
The new environment will drive the need for a company to have the ability to reach into individual laptops and workstations to copy/sync and actively manage employee work data.
The new normal will trigger employee issues such as:
Privacy concerns - Employees are concerned about the personal data that many employees store on their work devices being accessed, indexed, copied, and analyzed by their employer.
A lack of control: Employees can feel that their employer has too much control over their work-related data and how individual employees use it.
Productivity challenges: Employees often search for older data for reuse and reference. In several recent studies, analysts have discovered that the average employee will spend between 2 and 4 hours per week looking for older data.
As I mentioned before, this need for companies to manage all data within the organization will be a cultural change challenge for most employees. However, companies have no other option so they can achieve legal and regulatory compliance with the new data privacy laws.
This brings us back to the original topic of this blog, addressing inactive data in a cost-effective and regulatory-compliant manner.
Inactive data should not always be considered valueless data subject to defensible disposition processes. Inactive data is rarely or never accessed or modified but still may need to be preserved for legal/eDiscovery, regulatory compliance requirements, future analytics, or historical reasons.
Unstructured, inactive data does consume a great deal of storage space and resources on-prem and is costly and time-consuming to maintain, search, and protect. Data consolidation is the key to effective and compliant information management. The fewer places that data is stored, makes it much easier to search, report on, and manage your data.
restorVault addresses your inactive data requirements
Part 2 of this blog series reveals how restorVault Virtual Cloud Storage can provide your company with virtualized access and cost-efficient data management in the cloud.
Contact us today to learn more about how restorVault can help you save money while increasing data security and storage capacity!