Data Retention: Keeping Up to Date with Changing Privacy Laws

The Value and Risks of Data

Almost every organization recognizes the value that data holds. They take pains to collect, verify, and analyze data at every step of their relationship with clients. With decreasing costs of data storage, and increasingly digital interactions facilitating data capture, the volumes of data held by businesses continues to grow and grow. (According to statista, the total amount of data created, captured, copied, and consumed globally is forecast to increase rapidly, reaching 64.2 zettabytes in 2020!)

But all this data comes at a cost to the organizations that collect it. At one point, the "risk" associated with data was primarily the cost of storing it and developing the ability to use it effectively. With data storage costs low and dropping--and accessibility high and increasing--the notion of risk associated with data has radically changed. Today, the costs associated with data are risks: data breaches. legal risks, and privacy regulations.

Data Retention Programs Mitigate Risk

The key to minimizing the risks posed from data is an effective data retention policy. Now is probably the time to note the irony in the very term data retention, as it often has as much or more to do with how and when organizations dispose of data as keeping it! 

Deleting data reduces the damage done by data breaches, even if it doesn't directly reduce their likelihood of taking place. After all, you can't lose what you don't have, and bad actors can't take advantage of PII or other sensitive data if it's responsibly deleted. It also helps reduce legal risk, as data that is defensibly deleted does not need to be produced by the organization in any subsequent discovery. Privacy laws also insist that personal information not be kept beyond its legitimate use or legal requirement, and newer ones are insisting that these retention periods be disclosed at collection time. Organizations must develop and implement operational data retention programs to comply with these regulations and business necessities. 

While data breaches and the legal department's argument for data retention are both dealt with in other posts on the Exterro blog, the final section of this post will discuss privacy regulations.

The Changing Landscape of Privacy Regulation

Since the implementation of the GDPR in May 2018, domestic and international enterprises have seen an alphabet soup of privacy regulations pass legislatures and come into effect: CPRA, CCPA, PIPL, LGPD, PIPEDA, and more and more. Businesses have to navigate the patchwork of laws on their own as the landscape becomes more complex and fragmented. There is no easy way to get around it. Individual businesses must do their due diligence to determine which laws apply to them and comply accordingly.

Recent Enforcement Actions in New York 

The New York Department of Financial Services (NYDFS) recently updated their regulation to require entities to "document and maintain an asset inventory of systems holding their NPI." This inventory must track key information for each asset, including the owner, location, classification, support expiration date, and recovery time objectives. The risks for failure to do so are substantial.

In one case in point, EyeMed suffered a significant data breach in 2020 due to a compromised email account. This breach led to unauthorized access to sensitive customer information, including medical data. EyeMed received significant financial penalties because of, among other things, its failure to delete data and enforce its retention schedule. EyeMed has so far received $7.6 million in penalties with potentially another $5 million on the way.

If you're looking to get started on a data retention program in a meaningful way, check out our Data Retention Handbook, recently updated for 2024.