Is It Finally Time to Get Serious About Deleting Personal and Other Information?

by Mark Diamond, Expert in Data Management

Nearly all organizations create and retain personal information about individuals. New and emerging privacy regulations restrict the retention of this personal information to “no longer than necessary” for a legitimate business need. Under most privacy compliance regimes, individuals have the right to request that their information be deleted or erased. These new requirements are driving organizations to examine what personal information they store, where they store it, and to impose rules on how long they keep it.

While many of these regulations have been in force for several years, their retention and disposition requirements have generally not been meaningfully enforced. That is quickly changing. In Europe, companies are facing fines for over-retention of personal information. Many companies are also preparing for California’s enforcement as its privacy rules come into effect. Furthermore, the U.S. Federal Trade Commission has long encouraged, and in some cases required, a data minimization focus for organizations, through both its recommendations and its enforcement activity.

When these laws first came out, many companies took a “wait and see” approach. That is quickly coming to an end. Enforcement of data minimization principles is prompting new looks at existing processes. Organizations can manage the personal information lifecycle appropriately with the same processes and tools they already use for other information. What personal information to save, and for how long, should be addressed through the organization’s existing retention policies, both to demonstrate good faith efforts to comply with the rules and to give IT and other groups guidance on what they may save.

Unfortunately, implementing data retention is not as simple as identifying where the personal information resides and then telling employees to delete it. Other compliance requirements above and beyond privacy rules come into play. Records retention rules require that records be retained for a minimum period, even if those records contain personal information. Relevant information under legal hold must be retained. All of these policies need to be applied consistently regardless of media, including structured database data, semi-structured emails, unstructured files and paper information. Perhaps most important, good data retention policies serve not only as legal policy, but also as a vehicle for building consensus across the business on what to save and not save, and for how long.
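The paragraph above describes a precedence among competing rules: a legal hold wins over everything, a records-retention minimum is honoured even when the record holds personal data or the individual has asked for erasure, and only after that floor has passed do erasure requests and the privacy "no longer than necessary" ceiling drive deletion. The following Python is an added illustration of that decision order (it is not code from the author or any product); the record classes, retention periods, sample records and dates are constructed assumptions, not taken from any regulation, and the same function is applied whether a record lives in a database, an email store, a file share or a paper archive.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Constructed example: class names, periods, records and dates below are
# illustrative assumptions, not drawn from any regulation or real dataset.


@dataclass(frozen=True)
class RetentionPolicy:
    record_class: str
    min_retention_days: int             # records-retention floor (tax, HR, contract rules)
    max_retention_days: Optional[int]   # privacy ceiling for personal data; None = no ceiling


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    contains_personal_data: bool
    legal_hold: bool = False
    erasure_requested: bool = False
    media: str = "database"   # database / email / file / paper; the rules below ignore media


@dataclass
class Decision:
    action: str                 # "retain" or "delete"
    reason: str
    review_on: Optional[date]   # next date the record should be re-evaluated, if known


def evaluate(record: Record, policies: Dict[str, RetentionPolicy], today: date) -> Decision:
    """Resolve the competing requirements into a single disposition decision."""
    policy = policies[record.record_class]
    age_days = (today - record.created).days
    floor_date = record.created + timedelta(days=policy.min_retention_days)

    # 1. A legal hold overrides every other rule, including erasure requests.
    if record.legal_hold:
        return Decision("retain", "legal hold", None)

    # 2. A records-retention minimum is honoured even for personal data
    #    and even when the individual has asked for erasure.
    if age_days < policy.min_retention_days:
        return Decision("retain", f"records retention minimum runs until {floor_date}", floor_date)

    # 3. Once the minimum has passed, an erasure request is actionable.
    if record.erasure_requested:
        return Decision("delete", "erasure request, retention minimum satisfied", None)

    # 4. Personal data past the privacy ceiling is deleted even without a request.
    if record.contains_personal_data and policy.max_retention_days is not None:
        ceiling_date = record.created + timedelta(days=policy.max_retention_days)
        if today >= ceiling_date:
            return Decision("delete", "personal data exceeded privacy retention limit", None)
        return Decision("retain", "within policy; personal data ceiling pending", ceiling_date)

    # 5. Everything else stays until its class policy is next reviewed.
    return Decision("retain", "within policy", None)


# Hypothetical policy table (assumed values).
POLICIES = {
    "customer_invoice": RetentionPolicy("customer_invoice", min_retention_days=7 * 365, max_retention_days=10 * 365),
    "marketing_lead": RetentionPolicy("marketing_lead", min_retention_days=0, max_retention_days=2 * 365),
}

# Constructed sample inventory spanning several media types.
SAMPLE_RECORDS = [
    Record("inv-1", "customer_invoice", date(2019, 1, 1), True, erasure_requested=True),
    Record("inv-2", "customer_invoice", date(2012, 1, 1), True, legal_hold=True, media="paper"),
    Record("inv-3", "customer_invoice", date(2013, 6, 1), True, media="email"),
    Record("inv-4", "customer_invoice", date(2010, 1, 1), False, media="file"),
    Record("lead-1", "marketing_lead", date(2023, 3, 1), True, erasure_requested=True),
    Record("lead-2", "marketing_lead", date(2023, 9, 1), True),
]


def run_sample(today: date = date(2024, 1, 1)) -> Dict[str, Decision]:
    """Evaluate every sample record as of a fixed, constructed 'today'."""
    return {r.record_id: evaluate(r, POLICIES, today) for r in SAMPLE_RECORDS}


if __name__ == "__main__":
    for rid, d in run_sample().items():
        extra = f" (review {d.review_on})" if d.review_on else ""
        print(f"{rid:7} {d.action:6} {d.reason}{extra}")
```

Note that the erasure request on inv-1 is not refused outright; the decision records the date on which the records-retention floor expires so the request can be honoured then, which is the documentation a regulator or the requesting individual will expect to see.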

For more information on complying with privacy laws and on data minimization strategies, take a look at our recorded webinar, Creating a Data Retention Policy to Meet Privacy Requirements.