By: Linda Coniglio, Director of Privacy and Information Governance
For a long time, companies have focused more on the risk of losing data than on retaining too much data. In fact, “The Badge of Honor” seemed to land with the individual who could retrieve any document no matter how old whenever asked.
In 2019, the Berlin Commissioner for Data Protection and Freedom of Information fined the German real estate company Deutsche Wohnen approximately €14.5 million (~$17,255,000) for GDPR violations. During on-site visits, the supervisory authority learned that the company was storing tenants’ personal and financial data in an archive system after it was no longer necessary for the purpose for which it was originally collected. The archive system provided no way to remove data that was no longer needed. The supervisory authority found violations of the data minimization and privacy-by-design principles under the GDPR. This is a clear message that organizations can’t ignore their obligations relating to data retention.
Closer to home, the Federal Trade Commission (FTC) recommends companies promptly dispose of information once it is no longer necessary for legal or business reasons. In addition, privacy deletion requests and threats of cyber incidents should incentivize businesses to implement proper information governance programs that include strong data retention policies.
Because of data protection laws and cyber concerns, keeping content “just in case” can’t be the default. Businesses need to implement solutions for keeping what’s needed for legal and business reasons and disposing of data when it no longer has business value. The Berlin authority didn’t complain about a specific retention period. It found fault in having no plan around retention and a system not designed for data deletion.
Key Approaches to Retention Decisions
- Don’t let perfection be the enemy of good. Implementing retention is an incremental process. Each iteration provides value and gets you closer to the goal.
- You’ll need stakeholders across the organization but ones with a vested interest in making progress. Look to privacy professionals, information security experts, record retention specialists, IT, Legal and, yes, even sales and marketing.
- It’s not strictly a records program – although an official records program is quite important. Organizations store far more content than just records. All content needs to be associated with a retention period – even long-term records your organization considers historical.
- Make risk-based decisions. Start actively managing your most risky or sensitive data. Identify data with less risk and manage it less. An up-to-date data map is essential here!
- Ensure a solid, trusted legal hold process. When you know the required data is secure, content deletion is defensible.
- Be confident in making blanket decisions where possible (for example, data not accessed in 5 years and not on legal hold can be deleted).
With modern retention practices in focus, the “Badge of Honor” now goes to the individual who regularly keeps content for only 3 reasons:
- Legal obligations such as a legal hold
- Regulatory requirements such as financial regulations
- While it’s needed to support the business