Data Risk Is Now About Regulatory Compliance

Data risk has historically been a technology challenge — about how it is stored, sorted and analyzed, and protected from external threats.  All that has changed in the last five years, however, as data risk is no longer about data security. Instead, the primary risk vector is regulatory compliance. Organizations must now implement compliance strategies in accord with recent international, national, state and transnational privacy regulations. More importantly, they need to implement the technology and processes required to fulfill their obligations as data custodians. A fundamental step in operationalizing a data retention program is understanding retention requirements. Four baseline requirements your organization must meet are data subject access requests (DSARs), data protection requirements, biometric data regulations, and data ownership. These requirements cover everything from the obligations around the collection and retention of personal data, to establishing risk mitigation measures, to timely deletion of data that is no longer needed, to the rights of individuals to control the use of their own data. Organizations that hope to comply with the increasing volume of data protection and privacy regulations must understand that they are only custodians of the data, not its owners.