Data Retention Best Practices in a Time of Data Privacy Laws

Published On February 27, 2020

The California Consumer Privacy Act (CCPA), which went into effect at the beginning of 2020, and other data privacy laws in place or being contemplated underscore the need for organizations to adhere to data retention best practices now. Even if an enterprise is not currently subject to data privacy laws, they likely will be in the not-too-distant future. Plus, the current laws are establishing new data retention best practices in some measure.

Why Pursue Data Retention Best Practices Now?

At one time, not much thought was given to the length of time that data was retained. Sure, maximum storage capacity was necessary to align with the requirements of litigation or other legal actions that called for keeping information on hand, but no one back then would have been embarrassed if they were accused of being a data hoarder.

Consumer privacy laws like California’s and others, along with some well-publicized, expensive and embarrassing data breaches, serve as a reminder to engage in good data privacy hygiene. Part of those good practices, of course, involves data retention. Today, no one should really keep data around longer than they need it (or are legally required to maintain it).

This is especially true for data containing highly sensitive private information, especially for highly sensitive data like health records. Moreover, organizations should update their data retention policies and procedures to reflect current laws and approaches to information management.

Data Retention Best Practices Does Include Paper

In this age of online accessibility, it’s easy to overlook the fact that many, if not all, organizations still maintain non-digitized records. Indeed, the CCPA addresses data on paper that’s not buried within a computer file. Proposed rules implementing the CCPA law address offline business practices often.

Because searching for an individual’s information on paper can be time-consuming as well as challenging, organizations should include data migration for offline records as a best practice to make material easily searchable. Such an initiative might also include transitioning data from obsolete formats to current ones.

Address Data Retention and Privacy Together

Dealing with privacy concerns and managing data retention practices should not be siloed efforts. Records management from inception through disposal minimizes the collection of too much personal information, which should decrease the long-term (and perhaps vulnerable) storage of such information when it’s no longer needed or used. Managing data retention and privacy together is now considered a best practice.

In the past, records and information management teams focused on retention while separate privacy teams managed privacy policies. Since then, the two functions have combined, and collaboration between these teams should be part of an organization’s operational outlook.

Appropriately handling private information should be part of each life stage for all types of data. Employees may need refresher training that addresses the responsible collection and use of personal information, as well as retention and disposal practices that reflect current privacy requirements.