This is the second of two articles on ROT. In part one, we showed how ROT quietly sabotages sustainability targets.
In Part Two we focus on the compliance costs. Both articles are steppingstones toward our guide, From ROT to ROI, which reframes ROT not just as a liability, but as an opportunity for measurable business value.
In 2020, Morgan Stanley made headlines for all the wrong reasons. The bank had failed to properly wipe decades‑old customer data from decommissioned servers and storage devices.
After a data breach, regulators fined the company tens of millions of dollars, not counting the damage to the bank’s reputation. It wasn’t just the breach itself, it was the fact that much of the exposed data was obsolete, data that should have been deleted years earlier.
Redundant, obsolete, and trivial data lingers in forgotten corners of systems until it becomes a liability. In the first article of this series, we explored how ROT undermines sustainability goals, driving up storage costs, energy use, and carbon footprints. But sustainability is only part of the story. This second piece looks at the compliance dimension, how ROT can put you at what is now very serious risk: fines, lawsuits, and lasting harm to the reputation of your brand.
We’ve written a comprehensive guide: From ROT to ROI, to help with this: a practical roadmap for transforming data clutter into measurable savings.
What sort of ROT is especially dangerous?
From the above example, it might seem like every piece of data is a potential risk factor. Luckily, not all of this is equally dangerous. The most dangerous categories are:
- Personal identifiable information (PII)
Probably the best known (and most dangerous). Old customer records in CRMs or elsewhere, addresses, phone numbers, and ID details. These often stick around long after they should have been deleted. It’s worth noting that PII data is where regulations like GDPR carry the most severe penalties for breaches. - Financial records
This refers to things like outdated payment card details, bank account numbers, or transaction histories. These are easy to forget about or store past reasonable use. If exposed, they can lead to both regulatory breach cases (and fraud). - Health data
Some of the most personal data, and most likely to trigger popular anger/reputational damage. Patient files, diagnostic results, and insurance information are tightly regulated under laws like HIPAA. Retaining them beyond mandated retention periods is a direct compliance breach. - Employment and HR files
Old payroll records, disciplinary notes, or background checks often sit in forgotten folders. These contain sensitive personal data that must be destroyed once legal retention windows close. - Email and messaging archives
Large volumes of email are kept “just in case,” but they often include sensitive attachments, contracts, or personal data. Regulators increasingly view uncontrolled email archives as a risk. - Legacy system backups
Think physical media in this case: Old server images, tape backups, or cloud snapshots frequently contain entire datasets that should no longer exist. They are easy to overlook but can be devastating if compromised.
Summarising the takeaways
- Redundant, obsolete, and trivial data actively raise compliance risks in an increasingly severe regulatory environment.
- The most dangerous ROT is personal, financial, health, and employment data.
- ROT complicates audits, inflates the scale of breaches, and erodes trust. Sometimes the reputational damage is worse than the fine.
- Managing ROT is not just about being more efficient and saving money, but also about risk.
Even if your organisation hasn’t faced a breach, how much forgotten data is sitting in your systems right now, and what would it cost you if it were exposed tomorrow?
From ROT to ROI
Our full guide, From ROT to ROI, shows how to move beyond firefighting and turn data clutter into measurable savings. A roadmap for reducing risk, cutting costs, and strengthening compliance. Download it today.
