IoD Day 3 – Records and Retention Management

A very large audience, this is the best attended session I have been to.

Topic is ILG – Information Lifecycle Govvernance

Only about 30% of data is fundamentally needed to be kept, the remainder can probably be disposed of.

Trade off between value and risk needed to determine when to delete old data.

Panel discussion.

1TB drive for $100. But the full lifecycle costs are involved

Consider that most of the raw stored data seems to be irrelevant, particularly given the Moore’s law like growth of data, doubling evry 18 months.

1 single genome sequence is about 4TB. Given that 1 genome sequence will shortly cost $800, therefore it will be feasible to create, use and dispose of the data for each use of the genome sequence. We will not need to keep the data long term. This will  provide a good solution to data privacy. It will meet the DPA regime of keeping the data only as long as it is needed (a month?).

Beware the converse, which is the too early deletion of legally required data, which is potentially just as risky and costly. Retention Schedules become important in Insurance field, regular audit failures for failure to keep to the schedules. Also across an industry there are different retention   schedules. It is a generic problem in and across all industry sectors, see ISO 15489.

One of the panel are now deleting 100K records per week, with a fully defensible process.

In the HR realm, international organisations have many sets of regulations and laws that sometimes are contradictory,  typical regulatory term is time of event + x years as the trigger but what is the definition of the time of the event? Internationally, the value of x can be from 5 years to 25 years. Additional issues relates to the concept of Legal Hold.

ILG also applies to unstructured data.

It is vital that the C-Suite understand the problems and opportunities, they need tangible reasons to support ILG and Records management

In Novartis, two criteria, the laws around the world and then additional retention levels over and above the legal requirement for business reasons. These business needs are then integrated into the overall retention schedule.


This entry was posted in Big Data, Compliance, Governance, Richard Self, Risk Management. Bookmark the permalink.