The document discusses how companies need to implement strong data retention policies and procedures to comply with increasing data privacy regulations, properly classify and manage data through its lifecycle, and ensure all data is securely erased at end-of-life through an information lifecycle management approach involving key stakeholders like IT, legal, and data owners. It highlights how simply deleting or formatting data is not enough and certified data erasure tools and processes are needed to prevent data breaches and regulatory fines from non-compliant data disposal.

1. Data Retention Is a Team Sport: How
to Get It Right
Richard Stiennon
Chief Strategy Officer, Blancco Technology Group

2. 4,800-70,998
Number of Canadian
breached records per
incident*
Data Breaches Are Both
Dangerous and Costly
$6.03MM
Average cost of a data breach
in Canada*
2
5 months
Time to detect a data
security incident*
*Source: The Ponemon Institute, June 2016
25%
Data breaches caused by
human error*

3. More Data Stored Means Increased
Responsibility to Protect and Prevent Data
Loss
2009 2010 2011 2012 2013 2014 2015 2016 2017
40,000
(Exabytes)
30,000
20,000
10,000
2018 2019 2020
Quantity of Data with Corporate Responsibility: https://www.emc.com/collateral/analyst-
reports/idc-the-digital-universe-in-2020.pdf

4. Medicentres Data Breach Exposes
Patient Data
4
Operates 27 clinics in 4 Canadian cities
IT consultant working for Medicentre Family
Healthcare Clinics in Edmonston stole
unencrypted laptop
Affected as many 620,000 patients
Patient data included: names, dates of birth
and health information numbers (but not full
medical records)
Waited 4 months to notify Ministry of Health

5. Common Data Security Methods Aren’t
Always Effective and Reliable
77%
Hit ‘delete’ button and/or drag
files to Recycle Bin on
computers/laptops from 6-10
times a day to once a week
51%
Believe files are permanently
gone once they’ve emptied the
Recycle Bin on their
computers/laptops
51%
Believe performing a quick
format or reformatting an
entire drive permanently erases
data so it can never be
recovered
Source: Blancco “Delete vs. Erase” Study

6. We purchased
200 used hard
disk drives and
SSDs from eBay
and Craigslist
Personal & Corporate Data Are
Easily Recovered from Used Drives
Source: Blancco “The Leftovers: A Data Recovery
Study”, June 2016

7. 111 Data Protection
Regulations…and Counting
7
48%
Concerned with protecting
reputation
40%
Concerned with avoiding
regulatory penalties
54%
Concerned with staying
compliant

8. 2017
Digital Privacy Act (Bill S4)
Notify individuals in cases of breaches
Report data breaches to Office of the Privacy Commissioner of Canada
(OPC) if it is “reasonable in the circumstances to believe that the
breach creates a real risk of significant harm to an individual”
Notify third parties of data breaches where those 3rd parties could assist
in the mitigation of harm
Keep and maintain records of every breach involving personal
information under their control (must be provided to Privacy
Commissioner upon request)
Canada’s Stance on Data Protection

9. 1
111
2017
2017
Number of
data
protection
laws
EU General Data Protection Regulation: Right to
be Forgotten
27,000 new Data Protection Officers needed
FINES - Non-Compliance could result in up to 4% of
turnover OR €20 MM (whichever is GREATER)
ANY EU citizen can demand their records be expunged
– and the company must provide proof of erasure
UK will adopt GDPR by May 2018, even post Brexit
EU GDPR Is a Game-Changer
1998

10. 13%
Companies don’t erase
digital files/folders when
they are no longer needed*
Reasons to Implement &
Enforce Data Retention
Policies
10
22%
Companies don’t have written
data disposal/destruction
policies to handle data that’s
no longer needed*
*Source: Blancco, “Data Governance Inside the Enterprise” Study, April 2017
Comply with government regulations and industry
standards
Reduce storage costs
Support defensible data erasure
Reduce risks associated with keeping everything
forever
22%
Companies keep data
forever*

11. What Is A Data
Retention
Policy?
 Classifies data by type,
business value, criticality,
and regulatory requirements
such as Personal Data
Protection regulations
 Retention periods defined
based on classification
 Should define proper
procedures for certifiably
destroying data at end-of-
life

12. How Can You Get Data Retention Right?
12
BUILD THE
TEAM
CONDUCT A
DATA
ASSESSMENT
IMPLEMENT
& ENFORCE
POLICIES
WITH ILM

13. Who Should Be on Your Data Retention
Team?
13
Data
Owners
Information
Governance
IT

14. It’s Data
Assessment Time:
Questions to Ask
Yourself
 Do you have an up-to-date record retention
policy and schedule?
 Is your record retention policy enforced and
audited for compliance?
 Can you implement a litigation hold and cost-
effectively sustain it for a period of time?
How about multiple, overlapping holds?
 Can you easily discover email, files and
other electronic documents across the
organization, including laptops and remote
offices?
 Can you complete your discovery within
days or weeks?
 Can you be certain that you have found
everything during your discovery?
 Can you provide all electronic documents in
their original format if required?
 Can you (and your legal counsel) easily and
effectively review all discovered documents
to produce a smaller set suitable for review
by outside counsel?

15. Implement & Enforce Data Retention
Policies

16. Active
Take an Information Lifecycle
Management Approach
• Classify
• Assign Rights
• Activity Monitoring &
Enforcement
• Rights Management
• Logical Controls
• Application Security
• Access Controls
• Encryption
• Rights Management
• Content Discovery
• CMP (DLP)
• Encryption
• Logical Controls
• Application Security
• Encryption
• Asset Management
• Crypto-Shredding
• Secure Deletion
• Content Discovery

17. The Dangers of Keeping Data Forever
17
A single unnecessary
document or email (that
wasn’t erased) could contain:
Data that hackers can use
to attack your organization
or customers
Dormant malware, waiting
to be triggered as part of
an advanced attack
A “smoking gun” that
could be used against you
in court

18. Understanding Data
Sanitization/Disposal
18

19. Customer Demand
The Right to be Forgotten allows EU citizens to
request removal of their data from your
system.
Employee Onboarding &
Departures
Protect against data breaches at transition
points in your hardware’s chain of custody
and use.
Tech refresh and asset
decommissioning
When a server, storage, device or other IT
asset is ready to be reused, resold or
discarded – any data must be erased.
Data Migration
When data is moved from one location to
another, from an old server to a new one, or
virtual machine to another – the original data
location must be erased.
Disaster Recovery Exercises
Following the successful restoration of
production systems, any data left on the
recovery disks should be erased.
Data End-of-Life
When data is no longer needed on any storage
device, policies can enforce the erasure of virtual
machines, files and folders with automated
routines within your existing systems. Should be
added to data retention policy and process.
Key Scenarios When Data Erasure
Is Needed
Cloud Exit
When you are exiting a cloud service or a
managed services provider is handling
your data, data erasure policies must still
be enforced to keep control over the data.

20. 8 Ways You Can Strengthen Your Data
Governance & Regulatory Compliance
20

21. THANK YOU!
Richard Stiennon
Email: richard.stiennon@blancco.com