Why is Data Retention Important?

Domestic, international, and industry-specific regulations often require that certain data be stored for a set period of time. Organizations that do not have up-to-date data retention standards are at risk of violating regulations. Most organizations are familiar with regulations that demand retaining information; tax records, workplace safety reports, and Fair Hiring practices all require historical recordkeeping, for example. Public concern over data privacy, and the resulting regulations—combined with increased risk of data breaches and subsequent litigation—have raised awareness of data deletion practices. Organizations without a clearly-defined and enforced deletion policy find themselves over-retaining data, leaving them severely at risk.

Fox vs. Dakkota Integrated Systems recently found that just the act of keeping unnecessary biometric data is a privacy violation. Data privacy regulations (the EU’s General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA), for example) expressly state that sensitive consumer data that no longer has a specific business purpose must be deleted. Therefore, it’s important that companies ensure their retention standards are up-to-date and they have an automated and repeatable process for deleting data when risk outweighs value

A great deal has been made of the potential value in keeping large quantities of data, but much of the data held doesn’t have much of a business use. It’s what’s known as ROT: redundant, obsolete, or trivial data. Removing this data is consistent with the principle of data minimization. This principle, which is part of GDPR and other privacy regulations, says that organizations should only collect data relevant and necessary for the purpose for which it is processed, and that they should dispose of it when that purpose is fulfilled.

• Data you don’t have can’t be breached
• Lower data volumes reduce the chances of finding risky information during litigation
  

GDPR Articles 5, 13, 17, and 25 require companies that are subject to the law to dispose of any personal data once it has fulfilled its purpose unless there is a legal or regulatory obligation to retain the data longer. The CPRA, which goes into effect in 2023, will require companies to adopt similar retention procedures.

Data Minimization is Key to Reducing Enterprise Risk

Data retention often goes hand in hand with a process called data minimization: collecting only the data that is necessary to perform a requested function—except when required by other regulations to keep it longer. At its core, data minimization represents a comprehensive strategy to reduce the amount of data an organization holds, potentially lowering storage costs and minimizing reputational and legal risks associated with the preservation of data.

Failure to identify, address, and minimize risks related to data will be the driver of fines, oversight burdens, litigation and settlement expenses. This makes the processes of developing an effective minimization standard even more critical.

Harmonizing Data Retention Policies with Other Legal & Regulatory Requirements

Under major data privacy laws, consumers and employees have the right to request the information a business holds on them and ask that it be deleted. But what if that data requested under these regulations is already required to be saved under a legal hold, or must be held due to some other regulatory requirement? Violating regulations is always risky, and deleting data that is potentially relevant to anticipated or pending litigation (civil or criminal) can have devastating consequences. It’s imperative that legal and compliance professionals collaborate with their privacy colleagues on how to harmonize organizational legal hold obligations with these conflicting data privacy requirements.

Unfortunately, this situation is only going to get more complex. Numerous states, countries, and jurisdictions are crafting their own data privacy legislation—many with similar (but not identical) consumer rights features as major data privacy laws. It’s imperative that legal professionals have a plan in place to ensure that data on legal hold is not inadvertently deleted because of other data privacy regulation obligations.

Deleting data that is under a legal hold means running afoul of different, and sometimes competing, regulations.

1. Square data retention obligations like those created by the GDPR with those created by a legal hold or other relevant regulation
2. Remove any and all data that doesn’t serve a business purpose and isn’t under a legal or regulatory hold

Holding too much data can be doubly expensive for organizations that work with outside vendors that charge for services based on data volumes. But the most impactful piece of this puzzle is organizational risk. Legal and Compliance teams should involve themselves in managing data if they don’t already, and should consider the following questions to assess risk:

1. Could a demand for all documents pertaining to a specific person expose your organization’s over-retention of personal data?
2. Can your organization delete excess data that would help minimize exposure to judicial and regulatory sanctions, as well as civil liability?

Put simply, data you don’t store can’t be breached, you don’t have to produce it during litigation, and you cannot get in any trouble for having it. Keep only what’s necessary in your data inventory—balancing organizational requirements with any relevant regulations.