According to George Tziahanas, VP of Compliance at Archive360, regulators now view over-retention as a liability – pushing IT leaders to embed deletion, not storage, at the heart of their data strategy.
In today’s data-driven landscape, data centres and enterprise IT environments are shouldering an increasingly complex burden: managing not just the retention of information, but also its defensible removal. For years, organisations have operated under a familiar assumption: when it comes to data, more is better. The instinct to retain everything – for potential analysis, future litigation, or ‘just in case’ scenarios – has been deeply ingrained in enterprise IT. But the tide is turning. In the face of mounting regulatory scrutiny and security incidents, that retention mindset is now a liability.
Emerging data privacy regulations, coupled with escalating cybersecurity risks, are flipping the script. Organisations can no longer afford to treat deletion as an afterthought. From compliance violations to breach fallout, retaining data beyond its lifecycle has a real downside.
Many organisations still don’t have a reliable, scalable way to delete data. Policies may exist on paper, but consistent execution across environments, from cloud storage to aging legacy systems, is rare. That gap is no longer sustainable. In fact, failing to delete data when legally required is quickly becoming a regulatory, security, and reputational risk.
Regulations are raising the stakes
Global data privacy laws, including the GDPR and CPRA, together with cybersecurity rules, are forcing organisations to rethink how they manage the full data lifecycle. These regulations don’t just mandate protection and transparency; they increasingly demand that organisations delete data once it’s no longer needed.
This isn’t optional. In some jurisdictions, such as under New York’s DFS rules, executives are required to personally attest to compliance, including data disposal practices. If those attestations prove false, especially after a breach, the consequences can include regulatory fines, legal exposure, and public fallout. The message from regulators is clear: over-retention is a risk, not a safeguard.
The hidden costs of keeping everything
From a cybersecurity perspective, every byte of retained data is a potential breach exposure. In many recent cases, post-incident investigations have uncovered massive amounts of sensitive data that should have been deleted, turning routine breaches into high-stakes regulatory events.
But beyond the legal risks, excess data carries hidden operational costs. Storing and managing information that no longer has business or legal value increases infrastructure demands, complicates governance, and slows response times. The sheer sprawl of unneeded data makes incident response, data discovery, and compliance reporting more complex and expensive.
So why aren’t organisations deleting?
It’s not a lack of awareness. Most CISOs, privacy officers, and IT leaders understand the risks. But deletion is difficult to operationalise. Data lives across multiple systems, formats, and departments. Some repositories are outdated or no longer supported. Others are siloed or partially controlled by third parties. And in many cases, existing tools lack the integration or governance controls needed to automate deletion at scale.
This isn’t just a technology problem. It’s an information governance challenge, and one that requires clear ownership, cross-functional collaboration, and policy-driven execution.
Leading by example: what the public sector is showing us
Some organisations are already taking decisive steps. In the UK, entities like HM Courts & Tribunals Service (HMCTS) and their partner Through Technologies are pioneering data retention and deletion initiatives, applying governance policies to drive large-scale, auditable removal of non-essential information. Their approach isn’t just about ticking compliance boxes. It’s also reducing storage costs, streamlining operations, and preparing for a more privacy-centric future.
The private sector is following suit, especially in regulated industries like finance, healthcare, and legal services. These organisations are recognising that deletion is not a side concern but a strategic priority.
A call to action for IT and compliance leaders
To meet today’s compliance expectations, organisations need to shift from passive retention to proactive data lifecycle management. That includes:
- Embedding deletion into compliance programs not as an afterthought, but as a critical component of risk mitigation.
- Aligning legal, IT, and privacy teams around unified policies that define what data should be retained, for how long, and how it should be securely deleted.
- Automating policy enforcement across systems – including cloud applications, file repositories, and legacy archives – with tools that ensure auditability.
- Educating internal stakeholders on the risks of over-retention and the value of a defensible deletion strategy.
The challenge is real – but so is the opportunity. Organisations that get deletion right can not only reduce regulatory exposure, but also simplify compliance, lower infrastructure costs, and improve their overall security posture.
It’s time to delete with intent
In 2025, deletion isn’t a back-office chore. It’s a front-line compliance requirement, a cyber risk management tool, and a trust signal to customers, partners, and regulators.
Too many enterprises are still exposed, not because they don’t care, but because they haven’t embedded deletion into the way they govern data. That has to change. Deletion is no longer optional. It’s time to lead with it.