TL;DR: Unstructured data, which makes up more than 80% of enterprise data, often becomes ROT within 90 days and expands breach exposure, according to OneTrust. The governance shift is from periodic cleanup to continuous policy enforcement across where data lives and how it is used, while cloud storage can cost $3,351 per terabyte per year and the average breach damage reached $4.4M in 2025.
NHIMG editorial — based on content published by OneTrust: How OneTrust Helps Reduce Your Sensitive Data Footprint
By the numbers:
- More than 80% of the data stored by organizations is unstructured.
- The average damage of a data breach in 2025 sat at $4.4M.
- Cloud storage alone accounts for 30% of a company’s overall IT budget.
Questions worth separating out
Q: What fails when organisations keep too much unstructured data?
A: The main failure is that data outlives its purpose, making it easier to expose, harder to govern, and more expensive to retain.
Q: Why does data minimization matter to security teams, not just privacy teams?
A: Security teams care because excess data increases the number of places an attacker can target and the amount of material they can recover if access is abused.
Q: How do teams know whether retention controls are actually working?
A: Look for evidence that the policy causes action: files are archived or deleted on schedule, exceptions are logged, and over-retained data is shrinking over time.
Practitioner guidance
- Map retention rules to actual data locations Inventory the repositories where unstructured content lives, then define which systems can enforce archive, delete, anonymise, or de-identify actions.
- Prioritise ROT data discovery first Use metadata such as last accessed, last modified, owner, and content sensitivity to identify redundant, obsolete, and trivial records.
- Align data deletion with identity lifecycle events Trigger data review when users leave, roles change, or shared access ends so old content does not remain linked to active permissions.
What's in the full article
OneTrust's full post covers the operational detail this post intentionally leaves for the source:
- How OneTrust Data Use Governance classifies data by sensitivity, context, and intended use across cloud platforms and collaboration tools.
- How the platform translates retention and minimisation policies into enforceable controls where the data lives.
- How continuous monitoring flags over-sharing, risky data use, and policy violations as environments evolve.
- How the reporting layer supports audit-ready evidence for policy adherence and at-risk data use.
👉 Read OneTrust's guidance on reducing sensitive data footprint with retention and minimization →
Data minimization and retention: what security teams need to enforce?
Explore further
Data minimization is now a control-plane issue, not a compliance afterthought. The article is right to connect retention with attack surface, because data that no longer has a business purpose still creates exposure if it remains accessible. That shifts the discussion from privacy policy to operational control design, where data lifecycle decisions need to be enforced in the systems that store and share content. Practitioners should treat minimization as a standing security control, not a quarterly cleanup exercise.
A question worth separating out:
Q: Who is accountable when data minimization fails?
A: Accountability usually spans privacy, security, and the business owner of the data set, because retention decisions affect legal compliance, access risk, and operational use. The key is to define who can approve exceptions, who implements deletion rules, and who verifies that the control is still effective after systems change.
👉 Read our full editorial: Data minimization is becoming a security control, not just a privacy rule