Data Risk Management
No Longer a 'Nice-to-have,' Data Retention Is Now a Must-Have
Data retention, while once a nice-to-have for many businesses, has become increasingly important to legal and regulatory compliance—and is poised to become a major priority for businesses everywhere in the coming years. The acceleration of global data privacy laws (which have continued to increase since the EU launched the General Data Protection Regulation (GDPR) in 2018) has finally collided with the vast data stores held by organizations, meaning that it’s now a requirement for businesses to understand their data and defensibly delete unnecessary information.
Amy Olivares, Manager of Corporate Governance & Compliance for manufacturing firm Oregon Tool (formerly known as Blount International), understood the impact that the GDPR would have on their data retention practices almost immediately.
“That was one that I quickly escalated to our senior leadership team—that the GDPR was not [just] a European thing,” says Olivares. “It was not going to go away and there would be a domino effect in other countries. I knew we really needed to get started sooner rather than later so that we weren’t stuck playing catch-up.” In her role, Olivares monitors the regulatory landscape. She knew their team was incapable of creating a new European framework while thinking about other locations as they arose. Rather, the approach was to have a global lens because the resources to support multiple processes were lacking.
“In a nutshell, it was my role to provide that awareness and develop that roadmap,” says Olivares. “We had a manageable, phased approach because we couldn’t just say ‘this is everything we need to do and we need to get it done within this time, period,’ or I would not have buy-in—I would have burn-out. I rely on a lot of other resources, so I really needed to make sure it was bite-sized manageable pieces as we phased through the process.”
Olivares first looked to Oregon Tool’s old retention schedule, but found that it was too complicated.
“It was pages, and pages, and pages of records that we expected our employees to scroll through and then search for their particular record to identify the retention period,” says Olivares. “It’s just not sustainable. It wasn’t intuitive. And then to go through that process over and over, because once we created a retention schedule it was just a snapshot in time. We realized we needed some kind of living, breathing document.”
Establishing True Compliance Through Technology
As Olivares took stock of what she had in Oregon Tool’s data retention schedule, she realized there was no visibility, which would be necessary for reporting to EU regulators.
“We lacked the ability to demonstrate our compliance efforts and that we’re actually following our retention schedule,” says Olivares. “That was when I reached out to Exterro to help resuscitate the retention policy and schedule. How can I have better visibility and actually create a record management program and not treat it as a project, but more of a program? After that, I was able to achieve that visibility, oversight and the accountability.”
Her first objective was to understand her data and why they were keeping what they stored—to truly know their data. As part of their initial efforts to comply with GDPR, Olivares undertook a data mapping exercise, only to realize that she needed automated retention capabilities.
“I mentioned this isn’t a ‘nice-to-have’—it is ‘we must have this,’” says Olivares regarding conversations with executives.
“We cannot sustain manual processes. We just don’t have the bandwidth. Now, with the Exterro platform, I have it all in one: an up-to-date data inventory with the retention schedules, and the platform just ties them together nicely. And that, for me, was really the ‘a-ha’ moment that it was all encapsulated in one. You have the true lifecycle of the record all the way from initial collection. You have all of the elements you need to comply under the GDPR and other privacy frameworks.”
Olivares says that the ability to see reportable data has been transformational in how her team is able to comply with major regulations through better understanding and implementation of best practices.
“It really painted a picture,” says Olivares. “You are able to see how the information is actually being retained, what the business reason is, etc. The reporting really helps in some conversations where we didn’t document the business need or requirement, and that really helps to identify some of the higher risk data and processing activities.”
Overall, Oregon Tool Inc. and Olivares say that their visibility and data hygiene practices have vastly improved, including now tracking off-site records that may have been sent to vendors or other third parties.
“Having that visibility and having that regular cadence for data destruction is going to be very, very important for us—and, in the future, a cost savings,” says Olivares. “We’re not paying as much for the monthly storage fees and we’re actually being more active in terms of ensuring those records are destroyed.”