Get Serious About Your Dark Data: Protect the Crown Jewels


Organizations are faced with rising costs of non-compliance and billowing clouds of dark data. As such, they must rethink data governance and address the issues of remote working, personal message platforms, and legacy retention cycles, says Peter Baumann, CEO, ActiveNav.

The once well-defined information perimeter has undergone a sort of “big bang” expansion in the pandemic-driven remote workforce, and we have essentially lost control of the very thing for which we are responsible. This problem is exacerbated by the proliferation of private devices, the nearly impossible task of information policy enforcement, a litigious consumer mindset, and now, the growing success of sophisticated hackers’ ability to extract ransom in the form of nearly non-traceable cryptocurrency. 

What’s more, the lack of a U.S. national data privacy law has made “compliance” subject to interpretation. It has placed a nebulous, if not flat-out unfair, burden squarely on the shoulders of IT, privacy, and legal departments. So, how can we better get to grips with governing one of our most valuable assets – our data?  

Rethink Your Messaging Platforms

The person next to you in line for coffee maybe texting her friend about dinner, or she may be telling her coworker what’s required for the afternoon’s Zoom meeting. The first is none of our business; the second is. Virtually every company has a standard platform for messaging and communications, whether it’s Microsoft’s Teams, Slack, or Skype. But the issue is not the availability of messaging platforms; the issue is the proliferation of personal devices and unsecured information streams. 

A study released by WrikeOpens a new window indicates 41% of remote workers are accessing confidential work information using unsecured personal applications. More than 50% of employees say they use their own apps because either their company doesn’t offer anything with similar functionality, personal apps are more convenient, or they prefer their personal apps’ user experience.

Messaging apps create ephemeral messagesOpens a new window , which can create tension with corporate information governance programs, particularly where employees use unapproved or forbidden consumer applications. You need to develop comprehensive policies and practices that address acceptable uses of technologies within the enterprise. These policies need to mitigate known and anticipated risks of ephemeral messaging, which leads me nicely to my second and less recognized information challenge and recommendation.  

Learn More: Data Clean Rooms: A Secret Weapon Against Data Breaches and Data Security Vulnerabilities

Rethink Your Information Policies and Procedures

Most organizations have information management policies in place and require employees to sign an agreement at some point during their onboarding process. However, the stark reality is that very few organizations can enforce those policies. The business user, the information creator, is in an awkward position where they’ve signed that agreement, but then it’s nigh on impossible for them to honor and execute that policy. 

There are several reasons why, but one is because employees simply don’t have enough time. How much time do we build into the average employees’ day to allow them to practice good information management and effectively deliver against that policy? Not much, if any. Or it could be because the tools they’re using don’t enable it. Or because the organization literally doesn’t know how to enforce the policy.

Once reality sets in that information workers will likely never remediate and control their data creation in line with policies, it is then left to the data custodians, essentially IT departments and their governance stakeholders, privacy and infosec, to literally pick up the data pieces. This requires an audit not of the systems that are holding the data but of the data itself – in effect, a data map or inventory. Hitherto a task that has been deemed somewhere between the art of the impossible or ridiculous! 

With true data mapping or inventorying now a viable solution, organizations should start by mapping their corporate dataOpens a new window and enforcing their existing information retention policies. This, in turn, enables the development of comprehensive policies and practices that address acceptable uses of technologies within an enterprise that mitigate known and anticipated risks of creating and storing information. 

Learn More: Hybrid Cloud Adoption: 7 Ways To Overcome Data Security Challenges in the Cloud

Rethink Your eDiscovery 

In any discovery-type environment or situation, you need to have control over all your information. In legal terms, eDiscovery is extracting information that could prove valuable in litigation. As part of IT and governance processes, eDiscovery can be used to cull information that is not worth keeping. This addresses two issues: the escalation of your data footprint and the problem of not knowing what your data comprises. 

The ramifications of storing dark data – the non-essential, personal messages and attachments are vast and potentially very damaging for an organization. Every company has its fair share of information that provides no business value and must be disposed of in ways that don’t violate individual privacy. Software solutions like file analysisOpens a new window can provide context to unstructured data and allow you to gain control over your data estate. 

Rethink Your Data Retention Policy

With a continued and sustained increase in the amount of data being created by users, organizations should take a more assertive approach to update data retention policies, especially in non-critical areas. When you look at your data estate, it wouldn’t be that unusual to now find data dating back 20 to 30 years.

Engineering companies or aircraft manufacturers, for example, often have 50- to 100-year retention policies, and you want to ensure that none of the data finds its way into a seven-year retention cycle. On the other hand, email retention policies, in some cases, can be as short as 90 days. Distinguish what’s needed and what’s not. 

Reduce Your Data Footprint 

Adhering to data retention policies requires diligence. Begin by mapping out an appropriate slider with at least two dimensions: one related to the date and the other to data type. This will help you to retain only information that’s valuable or necessary to meet your organization’s business, legal, or regulatory objectives and obligations. It will also help ensure that information that is no longer useful to the organization is deleted in a defensible manner. Prioritize your remediation efforts based on risk and reward – what will provide the biggest bang for your buck?

Learn More: How to Build AI and ML Applications in the Age of GDPR

The Time Is Now

Rethinking these aspects of your data governance may seem overwhelming. Starting today, approach your data problem continuously to greatly reduce your risk in the future. While there is yet to be a federal privacy regulation in the U.S., you still need to demonstrate a transparent and defendable effort to comply with privacy regulations. This is because industries (like healthcare’s Health Insurance Portability and Accountability Act), states (California’s Consumer Privacy Act), and other nations (Europe’s General Data Protection Regulation) have already begun the charge. 

Odia Kagan, a partner at Fox Rothschild LLPOpens a new window and chair of the GDPR compliance and international privacy practice, said there is no actual blueprint for GDPR compliance. “Companies that have been on a path and worked with regulators … have had cases closed against them, or their fines have been reduced,” Kagan said. 

You can do the same, and there’s no time like the present to get started. 

Did you find this article helpful? Tell us what you think on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d be thrilled to hear from you.