With the rise of big data, companies now obtain and store many data in massive quantities. As a result, they end up having giant repositories of unused data stored in their servers, also called data graveyards. Storage infrastructure, maintenance costs, compliance with privacy laws, security gaps, and risk of data corruption: risks due to data graveyards are numerous. What can organizations do with a large amount of data? How can you uncover the value of data before storing it? How can you manage the maintenance costs of big data? Join our panel in this webinar as we explore how your company should manage the risks and challenges associated with data graveyards. This webinar will review: - What data graveyards are - How to manage data graveyards risks - How to define data retention periods and stay compliant

1. 1
1
© 2022 TrustArc Inc. Proprietary and Confidential Information.
Challenges & Risks Of Data Graveyards

2. 2
2
Speakers
Janalyn Schreiber
Privacy Consulting
TrustArc
Ralph O’Brien
Principal Consultant
TrustArc

3. 3
3
Agenda
1. Data Graveyard: What Is It and Why Now?
2. What Does the Law Say?
3. Managing Data Graveyards - Challenges & Risks
4. Managing Data Graveyards - Opportunities
5. Our Best Tips to Stay Compliant

4. 4
4
Data Graveyard: What Is It and Why Now?
Giant repositories of unused data OR Where unused data goes to die
• Rise of “Big Data”
• Rise of automation
• Cloud computing outsourcing and storage cost fall
• Increase in data collected - “Age of Sensors” / IoT
• Loss of Archiving/Records Management staff
• Investment in technology, not data
• Hard to go back and audit/manage existing data
• Management apathy
• Shadow IT

5. 5
5
REMINDER - COMMON LEGAL DATA PROTECTION PRINCIPLES
Large Fish
Swim Perfectly
All
Around
Reefs
wRecks &
Sunken
Treasure
Always
Not so much “Privacy” as “Data Usage” - not compliance cost, but data investment!
Lawful & Fair
Specify Purposes
Adequate, Relevant, Not excessive
Accuracy/Up to date
Retention/No longer than Necessary
Rights
Appropriate Security
Transfers (partners and international!)
Accountability/Evidence

6. 6
6
What Does The Law Say?
1. GDPR - Art. 5(1)(c)
Principles relating to processing of personal data - adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimisation’)
2. California Privacy Rights Act - CPRA
Strengthens CCPA to add minimization requirements to limit the data collected and keep it for no longer than is
reasonably necessary
3. Virginia Consumer Data Protection Act - VCDPA
1) Only keep consumers’ personal data if it is used for current business purposes and 2) Cannot use it for purposes
not disclosed in the notice
4. Colorado Privacy Act - CPA
Duty of Data Minimization and Avoid Secondary Use - collection limited to what is reasonably necessary and consent
is required processing not reasonably necessary or compatible with the specified purposes it was collected for
5. HIPAA - Privacy Rule
HIPAA Minimum Necessary Rule
6. GLBA - Safeguards Rule
Updated 2021 - Implement a data retention policy to minimize unnecessary retention of data
7. New York State Department of Financial Services (NYDFS) Cybersecurity Regulation
Limitations on Data Retention – Develop policies and procedures for the “secure disposal” of PII that is “no longer
necessary for business operations or for other legitimate business purposes” (Section 500.13)

7. 7
7
What Does The Law Say?
1. What purposes?
2. Any legal retention periods?
3. How long is necessary for the purpose?
4. How long is necessary for any secondary purposes?
5. What options can we use;
a. Deletion
b. Weeding
c. Anonymisation
d. Archiving
e. Retention
6. Security of Destruction/Outsourcing?
“No longer than necessary for the purpose”

8. 8
8
Managing Data Graveyards - Challenges & Risks
• Storage Maintenance & Costs
• Compliance with Laws and Regulations
• Cybersecurity & Data Breach
• Data Accuracy & Minimization - and Location!
• Vendor & Third-Party Risk
• Brand & Reputation Damage

9. 9
9
Risks in Real Life
Taxa 4x35 Fined DKK 1,2 million
Danish taxi company, Taxa 4x35, fined approximately
€160,000 for keeping personal data far longer than
permissible retention periods.
Arp-Hansen Hotel Group A / S Fined DKK 1,100,000
The Danish DPA fined Arp-Hansen approximately €148,000
for failing to delete 500,000 customer profiles that should
have been deleted in accordance with Arp-Hansen's own set
deletion deadlines.
CafePress Fined $500,000 by FTC
Address information security program plus minimize the
amount of data they collect and retain: “... created
unnecessary risks to Personal Information by storing it
indefinitely on its network without a business need.”

10. 10
10
Data Value & Maintenance Cost
• How can you uncover the value of data before storing it?
• How can you manage the maintenance costs of big data?
• How can you determine what data is critical?
• How can you track where data is stored, replicated, etc.?
• Do we need data we haven’t accessed?
• Are there opportunities for review:
○ Merger/acquisition
○ New systems
○ New laws/regulations
○ Public awareness/brand protection
○ Vendor management and third-party risk

11. 11
11
Managing Data Graveyards - Opportunities
• A comprehensive privacy program will help you:
○ Gain greater visibility, know what to do
○ Understand data flows and storage, and external
entities processing data
○ Define data retention periods
○ More efficient and effective use of data
○ Stay compliant with multiple privacy laws and
regulations
○ Set a privacy-centric vision for growth

12. 12
12
Our Best Tips to Avoid Compliance Graveyards
1. Understand all the laws and regulations that apply
to your business
2. Centralize your documents, policies and
accountability mechanisms
3. Look at benefit not cost - invest in the data
4. Find commonalities between laws and regulations
5. Stay on top of regulatory changes

13. 13
13
Thank You!
See http://www.trustarc.com/insightseries for the 2021
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.