Laying the Foundation for Defensible Data Management and Retention

Read this case study to learn how Verra Mobility partnered with Exterro and Squire Patton Boggs to address its data management and retention challenges.

An Exterro and Squire Patton Boggs Case Study

Verra Mobility

Headquarters: Mesa, Arizona

Industry: Transportation

Established: 2016

Employees: c. 1500

Verra Mobility is a global leader in smart transportation, making technology that supports the world’s transportation infrastructure so that people, commodities, and products can get where they need to be on time and safely. Their products support smart roadways, transportation grids, and transportation fleet management, including toll and traffic management technology like photo enforcement and red lights and on-vehicle products that positively impact driver behavior and enhance road safety.

When Verra made the decision to become a publicly traded company in 2018, it knew it would be facing a wider range of more complex data retention policies. Since Verra had grown through acquisitions, its data landscape was complex, and the various data retention policies in place at the companies that helped them comply with the Sarbanes-Oxley Act were insufficient to meet the requirements of modern data privacy regulations. They needed to understand not only the data itself, but the purposes for which it had been collected, and whether it was still being used for that purpose. Then, and only then, could they put into place retention policies that ensured data was kept only as long as it was needed for that purpose.

Paul Richardson, Director of Contracts and Compliance, was hired in 2019 to help Verra get its arms around the vast amount of data its constituent companies had collected. “Data is the lifeblood of our company,” he says, including human resources data, client data from entities like DMVs, traffic enforcement data, fleet transponder data, and more. At the time he was hired, there had been no updates to Verra’s data retention policies for three years—and those were three very busy years for privacy indeed. Internationally, GDPR had been drafted and enacted, and on the domestic front, CCPA had been introduced and passed into law—not to mention the additional requirements coming in 2023 from CPRA.

During those three years—and even prior—Verra had been over-retaining data, as frequently occurs at well-intentioned organizations. They held data that could be subject to data subject access requests (DSARs), such as that collected from government clients like Departments of Motor Vehicles. However, their cautious mindset wasn’t mitigating risk; in fact, it may have been unwittingly exposing Verra to increased risk. A gap assessment revealed that Verra had work to do upgrading their processes and capabilities around inventorying their data, implementing retention policies, and complying with the requirements of subjects’ rights to access their data.

“Beyond the legal requirements, there’s a tremendous risk posed by security incidents. If there’s no continuing purpose for retaining data, all you’re doing is creating risk.”

Alan Friel, Global Co-Chair of Data Privacy, Cybersecurity, and Digital Assets Practice, Squire Patton Boggs

Bringing Expertise to Bear on the Challenge

The obligation to develop a comprehensive, modern data inventory and data retention policies fell to Paul, who reported to Verra’s General Counsel, and their data protection officer, who reported through the IT organizational structure to their Chief Technology Officer. They got executive buy-in for the project—with the condition being they didn’t slow down other teams’ ability to get their work done in Verra’s fast-moving corporate environment.

Paul knew he would need expert advice to gain a thorough understanding of the data Verra held and their legal and regulatory obligations around that data. He turned to Squire Patton Boggs and Alan Friel for help. They started to define the requirements of the project. They would need to understand what record types existed, the business processes supported by each record type, and the regulatory considerations governing them across the many jurisdictions in Verra’s international footprint. Then they would have to tie in records retention, beginning by disposing of data that no longer had a valid business purpose or regulatory requirement to be retained.

While Squire Patton Boggs had the expertise and knowledge of Verra to guide Paul through the project, they needed technology as well. Alan recommended that Paul use Exterro, and he agreed. The process they agreed upon covered all the bases. First, they would conduct interviews with data stewards and business process owners across Verra’s lines of business. They would use that information to create a draft retention schedule that explained the reasoning behind each decision. At that point, Paul and Squire Patton Boggs would identify key challenges that they would need to tackle and create a road map for them. The end product would be a record type master list that tracked all the different types of data to be dealt with, as well as policies and procedures that responsible parties could execute upon. Part of those procedures would be an update process to be conducted at least once a year to ensure Verra never again fell behind their retention obligations.

Exterro’s expertise in data retention projects came to bear right away. Conducting the survey wasn’t just a matter of asking questions. Exterro rapidly interviewed 135 custodians and business process owners—almost one in ten employees in the combined company. The process was geared to business people, not privacy experts, ensuring that institutional knowledge was captured. Subjects included SMEs, records managers, and business process owners across both functional and geographic data storage facilities, providing a comprehensive picture of Verra’s data landscape.

“They ask the right questions—not just, ‘what’s your process, but how do your records relate to industry standards? To global standards?’ It puts you in a better position to defend your practices. We’re not just following this process because we think this is how to do it; we’re doing it because everyone else says this is how to do it.”

Paul Richardson, Director of Contracts and Compliance, Verra Mobility

Hitting the Target—Even While It’s Moving

Verra continues to grow rapidly, both organically and inorganically, posing complex challenges to the maintenance of the data inventory and retention schedule. During the Exterro/Squire Patton Boggs engagement, a recent acquisition doubled the size of the company, bringing in new data sources and types, as well as requiring compliance with regulations in new jurisdictions including Australia and Canada. The project continued on seamlessly.

As a result, Verra Mobility is instituting a centralized technology solution that provides visibility into the data, the regulatory requirements, and a retention process that’s operational. The Exterro solution checks all the boxes Verra defined. Their data retention program allows them to:

  • Maintain data that is serving business purposes
  • Anonymize data for business purposes that don’t require personally identifying information
  • Retrieve data based on subject requests (DSARs)
  • Provide a defensible audit trail for all retention decisions taken
  • Customize retention schedules to suit different record types, business purposes, and jurisdictions

As much as the technology has accomplished for Paul, the project has also contributed to broader culture change at Verra. The organization is weaning itself off the mindset of preserving data because it might have additional use down the road—a recipe for creating risk. They understand that a retention schedule isn’t just a box to check. Team members have to understand the imperatives behind it and follow it.

“It’s a process,” Paul says. “We’re not going to create the perfect record retention schedule. This is going to be an iterative process. We're going to revisit this every year. As Verra grows, we're going to keep up with understanding what our records are, because there's always more to learn about.” All in all, he’s thrilled to have partnered with Squire Patton Boggs and Exterro. “When you embark on an endeavor like this, get an expert who has the tools and expertise to dive in. It’s going to take time to learn, but it would take you a lot more time to learn about what they do than it will for them to learn about you.”

Schedule a meeting today to see how Exterro Data Retention can help your organization with its compliance challenges.