ROT data is a security issue: How are you handling it?

Automating data discovery is the first step in classifying obsolete digital information

Sam Curcuruto
Product Marketing Manager, OneTrust
May 23, 2023


Your organization’s crown jewels — its data! — should be protected at all costs, of course. Securing that data — whether it was created by your organization or is consumer or third-party data — begins with managing it properly. 

There is an exponential number of ways data can benefit your organization, and a corresponding number of ways it can open your organization up to additional risk. One often overlooked facet of the data management lifecycle is ROT data that is not properly monitored or managed.


What is ROT Data?

Redundant, obsolete, or trivial (ROT) data is the digital information a business holds even though it has no business or legal value. This could be a duplicate piece of information, an old planning document, or simply data that doesn’t serve the company anymore.

The more data your organization has, the wider its attack surface becomes. Much of that data is necessary, useful, and even considered critical. But other data that is redundant, obsolete, or trivial can be floating around, acting as a net drain on your security team’s resources.

Visibility and classification are the first steps of de-risking the data flowing through your organization, as explained in this webinar.


How are you handling ROT Data?

Now we know what ROT data is, but what do we do with it to help de-risk our data storage and the organization as a whole — and remain compliant? 

Let’s look at a three-pronged approach of actions and best practices that will help your security teams handle ROT data.

  • Un-share: Making sure that ROT data isn’t shared is an easy way to keep it from adding risk to your organization. After all, over-privileged access is a key risk to data, and it can be reduced by sharing only current, necessary data with people who are authorized. In fact, sharing permissions should always be reviewed periodically as a best practice.
  • Archive: In the event that data is not totally obsolete, and there may be a need for it in the future (a customer whose subscription has expired but may return to a service agreement at a later date), your organization can choose to archive that information rather than keep it open and accessible or have to delete it altogether. Archived data is often encrypted and stored in file systems which have restricted access to truly protect it.
  • Delete: This comes down to proper policy creation. If your organization doesn’t have a standing retention policy, deletion of ROT data is the best decision to de-risk your company and reduce your attack surface. 

This all begins with data discovery, of course. From there you can gain visibility into and take action on the data your company is currently controlling. Find out how automating these processes will keep you both compliant and secure by requesting a demo today.

