29 DECEMBER 2020
Whether you call it personal information, personal data, or personally identifiable information (PII), the data that your organization collects on clients, customers, and users is vital to your operations as well as to regulatory, litigation, and consumer responsiveness.
Yet, as data privacy laws and data retention requirements evolve, organizations must not only keep up with the latest changes, but also cope with a fundamental conflict: privacy laws and retention requirements often contradict each other.
So, how can your organization comply with data privacy laws and the need to retain data? Effective information governance (IG) allows you to operationalize the processes of data disposal and retention — helping your organization balance the requirements of both data privacy laws and data retention regulations.
Unlike the European Union, with its General Data Protection Regulation (GDPR), the United States does not yet have general consumer data privacy and security laws at the federal level. Lacking a federal policy, many states have taken it upon themselves to pass their own cybersecurity or data privacy laws to protect the personal information of state residents.
In 2019, for example, New York State passed the SHIELD Act, which expanded an earlier cybersecurity law in areas including new requirements for the disposal of personal information. In November 2020, California passed the California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA) that went into effect earlier in the year.
In addition to different state laws, a variety of industries have their own data privacy and record retention regulations. For instance:
These multiple layers of evolving regulation add to the complexity of complying with data privacy laws and meeting data retention/disposal obligations.
What do the data privacy laws have in common? Most include some version of the basic requirement that if you are no longer using people’s personal information for the purpose for which it was collected, you should dispose of it. The problem is, so much of that directive is subject to interpretation.
What does “using” data actually entail? How broadly or narrowly can the purpose for data collection be defined? And what timeframes or other considerations pertain to data retention and disposal?
Some data privacy laws provide some guidance on the purposes for which an organization can collect information, much in the same way the GDPR’s “legitimate interests” specify six lawful bases for processing personal data. However, the guidance is often very limited or so specific that organizations decide to default to a broader approach — namely, they ask each client/customer/user to consent to the collection of whatever information they need.
But even when you have a legitimate interest or get consent to collect data, the laws still limit what you can do with that information. You simply cannot collect data for one purpose and then arbitrarily decide to use it for another purpose.
In an added twist, the obligation to dispose of personal information does not relieve organizations from other requirements to retain data. The result is a number of circumstances where whether to retain or dispose of records may not be clear. For example:
In regulated industries, such as financial services, there are often strict requirements to retain records of transactions and communications with customers — things that often contain full names, account numbers, and other PII — for a certain length of time depending on the type of record.
Therefore, even if you no longer need the information of a former customer and it would ordinarily be subject to disposal under data privacy laws, you may still be required to retain the information for compliance with industry regulations.
You may have a legal obligation such as a court order or regulatory enforcement action that requires you to put records on legal hold. That means you cannot dispose of information until the order or action is resolved and the hold is lifted.
This is an area where the use of collected information may be subject to interpretation. If data was collected for a particular purpose but the information can continue to be useful in analyses that will help you run your business, there may be a case for retaining the information.
Having clients, customers, or users in different states may affect how you handle data retention and disposal. Since data privacy laws apply to a state’s residents, simply doing business with them — whether or not your business is physically located within the state — means you must abide by the state’s privacy laws in regard to a resident’s personal information. Additionally, financial and industry regulations vary by state.
So while it’s great to have a wide geographic reach, it adds complexity to the task of managing data retention and disposal.
The dilemma in retention vs. disposal situations is, which laws take precedence? While the general tendency is that retention requirements trump disposal requirements, it is a decision that each organization has to figure out for itself.
It is tempting to err on the side of retaining data rather than risk disposing of it too soon and violating retention requirements. But often the result is that organizations over-retain data, which can:
Organizations that ignore data privacy laws and the need to comply with data retention regulations are at risk of big fines. Failure to implement proper data disposal and retention policies also has an impact on an organization’s ability to respond to legal actions or consumer privacy rights.
An IG program provides a structure for managing and maintaining your data disposal and retention needs. It identifies where personal information is stored, making it easier to find the data you need, when you need it.
For example, data privacy laws give consumers the right to know what personal information an organization has collected on them, obtain a copy of the information, and even ask for deletion or correction of the data, via data subject access requests (DSARs).
Without good governance that clearly tells you where information is, your organization would have to go on a scavenger hunt every time you get a DSAR. Additionally, an IG program makes it easier to find information in response to legal holds, audits, and other investigations — making it a methodical and easily managed process.
Disposing of data also makes your data privacy job easier, and IG helps you implement a defensible disposal process that balances the requirements of data privacy laws and other regulations. With a method for identifying and getting rid of information you longer need, your organization becomes a smaller target for hackers and cyberintruders — improving security while protecting data privacy.