A Project That Never Deleted Anything—and Then the Regulator Called
The project ended three years ago. The data? It's still on a laptop somewhere. We discuss the compounding risk of 'Zombie Data' and the art of the delete button.
The Haunting of Project X
Imagine a project you finished two years ago. Let’s call it “Project Alpha.” It was a success. Champagne was popped. The final invoice was paid.
Where is the data from Project Alpha right now?
Is it on a shared drive? Is it in the “Downloads” folder of a Junior Associate who left the firm last month? Is it sitting in a “Test” database that IT forgot to decommission?
Most likely, the answer is “All of the above.” Voilà.
This is the “Zombie Project.” It is dead operationally, but it is alive legally. It sits there, aging, rotting, and gathering dust. Until one day, a Subject Access Request arrives, or a breach occurs, and suddenly you have to explain why you are holding the passport scans of 500 people for a project that ended in 2023.
The Liability: The Compound Interest of Risk
We have a cultural problem in our industry: We are hoarders. We are terrified of the delete button. We view deletion as a loss rather than a cleanup.
But in the world of data ethics, retained data is not an asset. It is a liability that compounds over time.
Every day you keep a record you do not need, the probability of it being leaked remains constant, but the justification for having it shrinks to zero. You are holding the risk without the reward. This is bad business.
If a regulator calls—and they will—they will ask a simple question: “What is your retention period?” If your answer is “Forever, just in case,” you have already lost. You have admitted that you have no control over your own digital inventory.
The Safeguard: The Data Funeral
We need to normalize the end of the lifecycle. We need to hold Data Funerals.
When a project closes, we should not just archive the email thread. We must run a “Decommissioning Protocol.”
- The Inventory: List every location where data lived. The CRM, the email marketing tool, the local spreadsheets.
- The Purge: Execute the deletion. Not a “soft delete.” A hard, irrevocable wipe.
- The Certificate: Generate a log. “On [Date], we destroyed [Dataset X] related to [Project Alpha].”
Hand this certificate to your Compliance Officer (or your future self). It is your shield.
There is a profound relief in hitting the delete button. It is the feeling of closing a loop. It is the feeling of a clean desk.
Do not let your firm become a graveyard of forgotten files. The dead should not be walking around your servers. Bury them. It is the respectful thing to do.
FAQs
But storage is cheap, why delete it?
Storage is cheap. Lawyers are expensive. Reputation damage is priceless. Do the math.
What if the client comes back in 5 years?
Then you onboard them again. They will appreciate that you didn't hold their secrets in a dormant file for half a decade.
Is archiving the same as deleting?
No. Archiving is putting the toxic waste in the basement. Deleting is incinerating it. Be an incinerator.