By Dan Sholler
Today’s legal and regulatory environment demands a defensible data retention program.
First, it is the law. Data privacy regulations such as GDPR, LGPD, CPRA, and BIPA all require businesses to address data retention/minimization as part of compliance. Companies must minimize personal data when they no longer have a legitimate business need or regulatory obligation to keep it. Non-compliance with these laws can lead to potential fines, sanctions, and even litigation. Data retention is no longer optional.
Second, data retention is critical to reasonable security. Over the last 24 months, data breaches have been a mainstay in the headlines and have cost companies millions of dollars. A data breach involving data that has been retained longer than required by law or valid business requirements will almost certainly draw a negligence claim. The first data breach class action resolved under CCPA was Hanna Andersson, which involved the over-retention of personal data. Other cases involving the over-retention of personal data include Capital One and Walgreens. Nearly every lawsuit arising from CCPA has been a negligence claim for over-retention of data. And the bar has been lowered: the seventh circuit ruled that just retaining data beyond what is permitted constitutes privacy harm, even if no breach or other harm is present. Implementing a defensible and actionable data retention program allows companies to implement a key component of reasonable security as well as minimize the overall exposure and risk of a potential breach. If you don’t have it, you can’t lose it, and you can’t be sued for it.
Third, cost reduction. Organizations address data retention. While digital storage has become inexpensive, it is not free. The amounts of data produced today are tremendous. Reducing the spend for physical/offsite storage and the administrative costs associated with data is often an area where our clients can find a quick win. Additionally, disposing of information that no longer needs to be kept helps companies cut costs and increase efficiencies when responding to DSARs as well as reducing the overall spend on future litigation events. If you don’t have it, you don’t have to produce it.
How Does Data Retention Software Help?
The Exterro Data Retention solution is built on Exterro Data Inventory, so it knows where all the data is, what it is, who is responsible for it, and how it is used. Most importantly, it not only understands the data, but it understands how that data is used as records of business activities. Retention rules deal with records, but to operationalize them, they must be translated into actions on data.
It includes a library of retention schedules based on international regulations and industry best practices proven to optimize costs and benefits for organizations. Individual organizations implement their schedules using the schedule planner the schedule is automated. Communication is also automated, as is attestation. Exterro Data Retention deals with all kinds of data: online, offline, endpoint, cloud, paper, box storage, on phones and tablets; anywhere your important records may be.