Most organisations are collecting and generating exponentially increasing volumes of data each year. However, many organisations struggle to safely and efficiently dispose of data that is no longer needed to meet regulatory retention requirements or for legitimate purposes, as required under, for example, the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). On top of the complexity of keeping track of data within the organisation, the perception that data is ‘the new oil’ and increasingly cheap storage are typical reasons why data is not actively managed and disposed of when no longer required. The Optus, Medibank and Latitude data breaches, together with the increasing number of decisions by regulators in the US and EU, underscore the risk and consequences of over-retention of data for organisations. Most of these decisions on over-retention of data arise from inadequate cyber security and have resulted […]