California lawmakers have passed a critical update to the CCPA, making support for privacy opt-outs mandatory for web browsers and mobile operating systems.
Businesses are generating data at an ever-increasing rate. From website analytics data to workplace messaging apps, it all adds up quickly. The commonly held attitude that “data is good, therefore we should collect and keep as much of it as possible,” combined with the relatively cheap cost of data storage, has resulted in many businesses amassing digital mountains of data with no plan for how to clean up unnecessary records.
This common situation is at odds with a number of data privacy laws, but that’s not the only concern. Practicing good “data hygiene” has other benefits beyond simple compliance, including improving data security and potentially reducing the costs of lawsuits.
Learn the basics of how to create a data retention policy for your company.
Privacy compliance is probably the most pressing reason to create a data retention policy. For example, the California Consumer Privacy Act (CCPA) requires that businesses disclose the length of time they intend to retain each category of personal information they collect.
Beyond that, most privacy laws have a data minimization requirement, meaning businesses should only retain personal data for as long as is reasonably necessary to accomplish the purposes for which it was originally collected. If a business has no data retention policy, it probably has not made an effort to meet the data minimization rules.
Another good business reason for creating and sticking to a data retention policy is that it contributes to overall information security. By forcing your organization to delete old data it no longer needs, less data will be compromised if your system is ever breached. In the course of your review, you may find that you are retaining high-risk data (financial info, ID numbers, etc.) for little or no reason; getting rid of that data means it is no longer in danger of being stolen.
Lastly, deleting data on a regular basis can potentially save money down the road in litigation. In this day and age, it is always possible for a business to be sued, and discovery—the formal process of gathering evidence from opposing parties—is one of the most expensive parts of a lawsuit. The more data that is subject to discovery, the higher your legal costs.
Depending on your organization’s needs, a data retention policy can be as simple or as complicated as you want. It can also take many forms, but at its heart you can picture it as a spreadsheet with four columns of information:
However, that simplicity can mask what is likely to be a fairly involved process. After all, you’ll be reviewing all of the data that your business collects, figuring out where it’s stored, determining how long it should be kept, and internally documenting the procedure for deleting it. Depending on the size of your company, there may be a lot to cover, and it will probably involve discussions with every department.
Here are some tips for creating your data retention policy.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.