Should it stay or should it go? The data retention clash for data managers

As privacy regulations around the world tighten (for example with the EU GDPR, California CPA, India’s PDPB, and Brazil’s LGPD), an increasing number of high-profile data privacy breaches have been hitting the headlines around the world. Fines for British Airways and Google of £183 million and €50 million respectively have been topped by Facebook’s £4 billion settlement with the Federal Trade Commission relating to the Cambridge Analytica scandal. Even Brexit politics has been in on the act, with the UK Vote Leave campaign being fined £40,000 for sending unsolicited text messages. DLA Piper estimates that there were more than 59,000 breaches within the EU during the period June 2018 to February 2019.

Whilst media attention, unsurprisingly, centres on the large fines being levied against social media and public cloud enterprises for high profile data privacy breaches, other interesting cases are coming to light, highlighting the broader data management challenges at play. For example, the Danish data protection authority fined the furniture company IDDesign DKK 1.5 million for deficiencies in their data deletion processes (i.e. storing data without having a valid basis to do so), demonstrating that authorities are not just looking at the retrospective fines once data has been leaked, but are additionally starting to look at the policies and procedures companies have in place to manage data retention more broadly. Crucially, this includes enforcement action against firms that hold data beyond its retention period, regardless of whether there is a breach or not.


As a data owner or compliance manager, it is necessary to walk a tightrope between over-retention of data (risking data protection fines) and under-retention (leading to legal and compliance issues going back over 15 years to cases such as Zubulake vs. UBS Warburg). It really is a case of needing to understand, for any data, should it stay, or should it go? It’s not acceptable to just assume, as the Clash would surmise, that data will “be here ‘til the end of time”.

Managing data through its full lifecycle – including the ability to defensibly dispose of data – means knowing when its retention period has expired, or if it has an exceptional requirement to be preserved beyond this period, due to a legal hold for example. Unless the data can be identified, tagged, immutably preserved and linked to any active legal holds, legal and compliance teams will not allow the disposal of any data. This leads to the analysis-paralysis problem many organisations have now encountered with data disposal: paying third parties such as Iron Mountain increasing amounts year-on-year to sit on orphaned data tapes and discs more than 20 years old, with no plan to resolve the situation.

Citihub Consulting has helped clients define and execute defensible disposal programmes, working across legal, records management, eDiscovery, archiving and compliance departments to achieve data deletions as a BAU process, rather than exceptional approvals executed only to achieve one-time compliance for major projects of work. Our framework covers the end-to-end business and technology processes required to achieve a fully compliant data retention and disposition position.

Our client needed to improve its data lifecycle management, specifically the preservation and subsequent deletion of data required in support of legal matters.


Matt Gall


Matt leads the firm’s Business Transformation practice, focusing on the execution of strategic front-to-back change. He brings more than 25 years’ experience across the full technology life cycle, bridging business and technology functions in the delivery of strategic capital markets programmes.