By Tim Rollins
The Rise of Data Subject Access Requests
People’s right to request a copy of their personal data from both private and public sector organizations has been an increasing part of privacy and data protection law since the 1980s. Awareness has grown in recent years, largely driven by GDPR, which has prompted greater global attention to data subject access requests (DSARs) and access rights. This has led to many organizations seeing a significant rise in the number of requests, or receiving requests for the first time. While organizations have put in place portals to facilitate those requests and created workflows to support them, relatively few organizations have addressed all the underlying structural issues.
But there is a tension between the retention of data for valid business and legal requirements and the need to dispose of data properly and according to a schedule. The key to defensibility in this context is a program based on principles and best practices that is used to guide the organization in making data retention decisions.
Reasons Over-Retention of Data Happens
One of the key cultural challenges for many organizations is the “we might need it later” mentality. For a number of reasons, it is often difficult for staff to let go of data. Some of these reasons are poorly articulated, but can be summarized as follows:
- “We might need it later.” This rationale comes from uncertainty, perhaps relating to the potential for someone questioning the staff member’s work, a fear of actually taking the step of deleting data, or failing to understand how long certain information is actually useful.
- “Not my responsibility.” This attitude stems from a failure to communicate the accountability of all staff to manage data, including its retention.
- “I don’t have time for this.” Often retention schedules are simply spreadsheets, sitting on a shared drive or intranet site, with no effective workflow to empower staff to act on the schedule as a matter of routine.
- “I don’t know what to do.” A retention schedule is often written as a table listing legal and regulatory requirements, and is difficult for non-lawyers to decipher and apply on a day-to-day basis.
- "I don't know why it's such a big deal." This often stems from a lack of training and awareness. Staff may not understand the purpose of a retention schedule or why indefinite (or permanent) retention actually increases risk for the organization.
Over-Retention Leads to Unnecessary Risk
The risks organizations face in respect of retention can arise from:
- Retaining information for too long
- Retaining information for too short a period of time
- Not being able to respond in a timely fashion or accurately to DSARs due to unmanageable volumes of data
- Exposure of poor data retention practices in response to DSARs or regulatory investigations
- Multiplier effects in the event of a breach
- Additional and unnecessary costs of retention
- Additional and unnecessary costs of search and discovery because of the volume of data
Information Security Risks of Data Over-Retention
Clearly the impact of a personal data breach could be significantly worse for an organization that keeps personal data for too long. For example:
- the volume of records involved in the breach may be larger and could affect far more individuals
- if a regulator investigates and discovers certain data involved in the breach had been kept for longer than necessary, in breach of the law, enforcement action could be more likely and potentially more severe
- damage to the organization’s reputation could be much greater
- if the organization is a processor acting on behalf of a controller, it may also face legal action from the controller
A breach of personal data inevitably generates queries and potentially class action lawsuits on behalf of the individuals who have been affected. It could also raise complaints from individuals asking why their data has been kept so long.
Data Protection Risks of Data Over-Retention
Data protection risks related to retention arise in two aspects.
First, a core principle in data privacy laws is the ‘storage limitation’ principle, which requires organizations to keep data only so long as required for the purpose for which it was collected, or as required by law (for example, article 5(1) of GDPR). In order to meet this obligation, it is fundamental for organizations to understand, and be able to demonstrate that they understand:
- What data they have
- Why the data was collected
- What obligations exist to retain this data, whether to fulfill the purpose for which it was collected, under a legal obligation to retain data, or under the legitimate interests of the organization
- What obligations exist to dispose of the data, and how
Secondly, the right of individual access is often articulated as a fundamental legal right under data protection laws. In many jurisdictions, these rights surface the many issues arising from retention:
- Requests are commonly referred to as a Data Subject Access Request.
- Under laws such as the EU’s GDPR, or California’s CPRA, people have the right to receive a copy of their personal data from organizations to which those laws apply.
- Suppliers acting as service providers or data processors are required to assist the organization that collected the data from individuals, as and when necessary, by operation of law as well as by contract.
- The legal purpose of a DSAR is to make sure people can verify that their information is being handled lawfully and obtain a copy of the information that an organization holds about them.
- Often these rights are coupled with the right to request deletion of data that is no longer required to be retained, the right to withdraw consent, and in the case of California, the right to object to the sale of personal data.
Legal Risks of Data Over-Retention
Legally defined data retention periods often exist to protect the interests of individuals, as well as society, in being able to pursue claims, lawsuits, or regulatory actions, by ensuring that the evidence that may be required in such circumstances is retained; they also exist to put a limit on how long both individuals and organizations may be pursued through such legal claims. Where a law requires an organization to keep personal data for a specific period, the organization must keep the relevant data at least long enough to meet these legal obligations.
If an organization fails to keep records for the mandated period, it exposes itself to the risk that it may not be able to comply with the relevant laws to which it is subject.
Commercial Risks of Data Over-Retention
Certain personal data may need to be kept pursuant to contractual or commercial terms, such as:
- personal data collected as part of a sale, or to provide a service between an organization and its customers
- data required to substantiate guarantees, warranties, or ancillary products / services
- data which is included within a contract between a data controller and its processor
The associated risks of not keeping this data include being unable to respond to complaints or litigation from customers, or to regulatory enforcement.
Consumer and Access Request Risks of Data Over-Retention
Customers will expect organizations that process their personal data to respond to their needs, such as:
- answering customer service queries
- responding to complaints
- changing their preferences
In situations where there is no relevant law regarding the retention period for personal data, an organization will still need to keep it for an appropriate period to meet its customers’ reasonable expectations.
Equally, once a customer contract ends or lapses, a customer may not expect an organization to hold their personal data any longer.
Appropriate retention periods must balance the interests and rights of each party.
Reputational Risks of Data Over-Retention
All the above risks could also result in reputational damage for an organization that fails to meet its legal obligations, contractual obligations, or customers’ expectations.