Companies that vastly over-retain records and information containing personal data face a costly discovery and regulatory nightmare under CCPA and other data privacy regulations. Having a systematically enforced data retention and minimization program is no longer just a good idea. Data minimization is a fundamental privacy principle and is required for compliance with nearly all data privacy and cybersecurity regulations, from GDPR to NYDFS to CCPA.
As new data privacy and cybersecurity regulations continue to pop up (state, federal, and international), companies must pay close attention to data retention and deletion requirements. In order to appropriately comply with data access requests, you must have a handle on what data you have, why you have it, and when you should destroy it.
Data you don't have can't be breached.
You don't have to protect data you don't have.
You don't have to spend time and money searching for and producing data you don't have.
Companies are required to understand their legal and regulatory obligations for retaining and routinely disposing of records that contain personal data. Out-of-date retention standards, lax enforcement, and inconsistent practices will prove costly – either in penalties levied by regulators or in litigation.
In a recent article on CCPA provisions, representatives from Jackson Lewis discussed data retention/deletion requirements as they may relate to employee data (referred to here as Workforce Member data, to signify the broad spectrum of individuals who retain rights under CCPA's definition of "consumer"):
While most employers are probably not selling Workforce Member data, having to delete Workforce Members’ personal information could be a significant challenge. Being in a position to carry out this obligation requires knowing where the data is to be deleted. It also means knowing which vendors maintain the data so they could delete it as well. Thus, some kind of inventory or data mapping exercise would be needed to track the data and answer some basic questions such as what data is maintained, why it is maintained, and where it is. Knowing why the data is being maintained is important because employers would be able to push back on deletion requests if the employer, for example, has a legal obligation to retain it. In short, employers may need more sophisticated data governance practices in order to manage this and other rights concerning the data that Workforce Members may have under the CCPA and similar laws. - Jackson Lewis
Could a demand for all documents pertaining to a specific data subject (employee, job candidate, former employee, customer, etc.) expose your over-retention of personal data? Is your company tightly controlling adherence to retention standards? Are your standards up-to-date? Can you demonstrate compliance with your information governance, data retention and disposal directives?
Eliminating unnecessary data reduces costs and risks, and makes the process of finding critical, relevant information easier – for data access requests under CCPA as well as during litigation. You should only maintain information that has a legitimate business or regulatory purpose. So where do you start?
First and foremost, you have to know what data you have, why you have it, where you have it, who has access to it, and how long you need to keep it.
Our process is straightforward and proven:
Develop a data inventory. Identify and classify your records and information.
Implement and enforce a retention policy. Your retention schedule should be informed by applicable regulations and industry standards. Once the schedule is in place, apply it to all existing records. You will instantly delete massive amounts of data. Our research shows that an average of 70% of records retained by organizations have no identified deletion date. With no destruction date, your company will likely maintain these boxes in storage indefinitely. Not only does this equate to significant financial waste, it also creates huge risk with regard to privacy, security, and legal obligations.
Communicate policies and train employees. Policies that are not put into practice are useless. Teach your employees the purpose and significance of records retention schedules.
Trust, but verify. Audit to ensure compliance. Regular auditing can identify vulnerabilities in your process and prevent a $7.91 million mistake (the average cost of a data breach in the US in 2018).
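As an added illustration of the inventory, retention-schedule and audit steps above (example code written for this page, not code from the original post or from any vendor's product), the following Python applies a constructed retention schedule to a small constructed record inventory: it surfaces records with no identified deletion date, honors legal holds that override the schedule, and groups disposals by custodian so that vendors holding copies can be told to delete. The record classes, retention periods, custodian names and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: record class -> days to keep after the
# trigger event (e.g. employee separation). Not a real legal schedule.
RETENTION_DAYS = {"hr_personnel_file": 365 * 7, "job_application": 365 * 2, "payroll": 365 * 4}

@dataclass
class Record:
    record_id: str
    data_class: Optional[str]    # None: never classified, so no deletion date
    trigger_date: date           # event that starts the retention clock
    custodian: str = "internal"  # or the vendor that holds a copy
    legal_hold: bool = False     # legal obligation to retain overrides schedule

def disposition(rec: Record, today: date) -> str:
    """Classify one record as UNSCHEDULED, HOLD, DISPOSE or RETAIN."""
    if rec.data_class not in RETENTION_DAYS:
        return "UNSCHEDULED"   # the 'no identified deletion date' case
    if rec.legal_hold:
        return "HOLD"          # kept regardless of the schedule
    expiry = rec.trigger_date + timedelta(days=RETENTION_DAYS[rec.data_class])
    return "DISPOSE" if today >= expiry else "RETAIN"

def disposition_report(records, today):
    """Bucket record ids by disposition; the audit view of the inventory."""
    report = {"UNSCHEDULED": [], "HOLD": [], "DISPOSE": [], "RETAIN": []}
    for rec in records:
        report[disposition(rec, today)].append(rec.record_id)
    return report

def vendor_deletion_notices(records, today):
    """Group disposable records by custodian so each vendor can be told."""
    notices = {}
    for rec in records:
        if disposition(rec, today) == "DISPOSE":
            notices.setdefault(rec.custodian, []).append(rec.record_id)
    return notices

# Constructed sample inventory, evaluated against a fixed "today"
TODAY = date(2020, 1, 15)
SAMPLE_RECORDS = [
    Record("R1", "hr_personnel_file", date(2012, 1, 1)),
    Record("R2", "hr_personnel_file", date(2018, 6, 1), legal_hold=True),
    Record("R3", "job_application", date(2019, 3, 1)),
    Record("R4", None, date(2005, 1, 1)),
    Record("R5", "payroll", date(2014, 1, 1), custodian="payroll_vendor"),
]
```

The UNSCHEDULED bucket is the one to audit first: every record in it is being kept indefinitely by default rather than by decision.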
Contact us to learn how our clients leverage technology to save significant time and money in this process while increasing defensibility and eliminating the hassle.