Why Data Cleanup Fails – Part Three: Process

This includes the very real, tangible and increasingly significant regulatory and legal drivers (e.g., fines) organizations face, and the wider, growing cultural assumptions among customers...
United States Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

In this series of Insights, we delve into why data cleanup efforts so often fail, despite organizations' desire to get rid of data they no longer need.

This includes the very real, tangible and increasingly significant regulatory and legal drivers (e.g., fines) organizations face, and the wider, growing cultural assumptions among customers and employees that organizations are merely the stewards—rather than the owners—of their personal data.

What Are the Main Challenges Preventing Effective Data Cleanup?

Although every organization is distinct, the following five reasons most commonly prevent organizations from effectively implementing data cleanup:


The order of this list may at first seem reversed: instinctively, technology might seem to be the main reason why data cleanup doesn't happen, followed closely by culture and process. But, as this series will make clear, when accountability and buy-in are taken care of, the other three fall into place and are much easier to tackle. If the first two are left unaddressed, as they typically are at most organizations, data cleanup doesn't happen at all. With this perspective in mind, we will examine the third reason why data cleanup fails: process.

Building a Solid Information Governance Process

When most organizations attempt data cleanup, they tend to focus on enabling individual end-users to make the right decisions about what data to retain and delete in the moment, i.e., when they're assessing the data to be disposed. However, this is the wrong approach: asking individual end-users to exercise judgement in the moment of data deletion runs the risk of introducing inconsistencies in the process—and opens the door for adversarial third parties, such as opposing counsel and regulators, to argue that your data deletion process is at best inconsistent and at worst capricious.

The solution to this problem is to design the data cleanup process so that no one has to make subjective decisions when they're executing the process: every possible outcome needs to be considered during the development of the process (i.e., design time) so that no (or minimal) exceptions have to be handled during the execution of the process (i.e., run time).

With this approach, the execution of the data cleanup process is simply a matter of following the steps laid out in the process, from how to determine what kind of data is involved, to what legal obligations your organization is subject to, to whether the data is past this retention obligation, to whether it's subject to any active or reasonably anticipated preservation obligations (such as litigation or regulatory holds), and finally, if appropriate, to deletion.

With this approach, in most cases, no one should have to make subjective decisions—they simply follow the steps laid out for them in the process. And if a case happens to arise where the process as designed doesn't work, rather than handling it as an exception, it should be used as an opportunity to revise the process to accommodate the new situation and avoid thought during run time going forward.

Data Cleanup Requires All Hands On Deck

To effectively design a process that enables data cleanup with no thinking, you need all the right stakeholders at the table during design time: Information Technology, Legal, Privacy, Records Management, Cyber, Risk and all relevant business functions. Basically, the same suite of stakeholders prescribed by the Information Governance Reference Model (IGRM), shown below.

Information Governance Reference Model

Balancing Value, Risk and Cost


Having these viewpoints represented at design time increases the chances that your process will not require subjective or individual decision making to succeed—and that it will pass muster as consistent, reasonable and defensible rather than inconsistent and capricious. Leaving any of these viewpoints out, for example, by making data cleanup a predominantly IT, Legal, Privacy or Records Management effort, risks implementing a myopic process that fails to account for the myriad of "if-thens" that arise at run time—which could have been easily surfaced by a truly cross-functional Information Governance team at design time.

How to Fortify Information Governance and Enact Data Cleanup

To successfully execute data cleanup, you need to tell people what to do—and they'll do it. It's up to the Information Governance program to build a solid process that tells folks what to do in unambiguous, clear as day terms that relieves them of the need to make subjective decisions and allows them to act with confidence while protecting the organization from accusations of deleting data inconsistently or capriciously.


Originally published by 02 April, 2024

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Why Data Cleanup Fails – Part Three: Process

United States Privacy


See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More