Data Retention: Avoid Penalties with a Crisp and Compliant Approach

Donna Krivas
Published in Slalom Business
May 18, 2021 · 4 min read

Follow this three-step approach to develop a data retention strategy that avoids fines, while protecting customer trust and brand equity.

By Donna Krivas and Michelle Wimmer

Within data privacy, and data retention specifically, the fines are steep, customer trust and brand equity are on the line, and the regulations governing retention are varied and complex. Data retention has implications across the business: from sales and marketing, to information technology, to legal and compliance departments. Your company’s data retention approach will require a custom strategy that aligns with your organizational structure, with the locations where your company does business, and with your goals and objectives.

Slalom has a three-step approach to help architect a data retention strategy to avoid penalties with a crisp and compliant approach.

1. Determine what data regulations apply to your company

Where you do business and where your customers are located matter when it comes to data regulations. Understanding not only the specific data privacy legislation but also the industry legislation is imperative for a compliant data retention approach. Data discovery allows the organization to locate its data. If you don’t know where the data is and what it is, your ability to classify it effectively is hindered. For example, a pharmaceutical company will need to focus on GxP regulations and PII data, while financial companies focus on SOX data. Using the most common classifications — public, internal, confidential, and restricted — data can be meta-tagged with keywords that map to specific regulations.

Different countries, and even states within countries, have developed separate and distinct regulations. If your business is international, this adds further complexity to determining how you will deal with the various regulations. If your company operates in the European Union and the United States, then the General Data Protection Regulation (GDPR) is triggered, as well as the California Consumer Privacy Act (CCPA) and soon the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). GDPR, under Article 5.1(e), requires data to be kept no longer than necessary for the purposes for which the personal data is processed; there are no minimum data retention periods, but rather a requirement that organizations hold data so it can be disclosed to the customer if requested. Contrast this to the CCPA, which has no specific requirement around data security. CPRA requires a business not to retain a consumer’s personal or sensitive information for longer than reasonably necessary for the disclosed purpose of collection. CPRA also requires businesses, at or before the time of collecting personal data, to inform the person of the data retention periods (when possible or, if not possible, to disclose the criteria used to determine the retention periods). Under VCDPA there are data minimization requirements that oblige businesses to maintain tight data retention and deletion practices at the end of retention periods. As shown above, the regulatory landscape and geography-based compliance have their own set of unique complexities.

The industry in which you operate can also add layers of complexity to your data retention strategy. For example, if your company operates in the United States in the payment card industry, then the Payment Card Industry Data Security Standard comes into play, which requires organizations to destroy any media that is no longer needed for business or legal reasons. If your company is in the education industry, then the Family Educational Rights and Privacy Act influences the retention of student records. And within healthcare, banking, and other regulated industries, there are respective regulations to keep in mind.

2. Identify your key internal stakeholders and their goals and objectives

Your company will need to work with its internal stakeholders in records information management and legal to learn the organizational constructs for data retention. Marketing and sales goals for data retention are usually focused on growth and customer retention, fueled by having the most comprehensive set of data. The privacy and compliance team is laser-focused on following the regulations to ensure your company is in proper compliance, whereas your information technology team may have altogether different goals for the storage and retention of data. By creating a subcommittee within your company and identifying the key internal stakeholders and their objectives, you can design a model that achieves the overall goals that best suit the needs of your business.

3. Develop a sustainable customized strategy and governance model

A strategy will pinpoint the regulations that apply, as addressed above, and take into consideration your company’s key stakeholders and business goals. With these two main factors accounted for, a crisp approach to data retention will identify the recommended technology to leverage, then develop and refine processes and procedures that make it easy to maintain proper, compliant data retention.

Successful strategy and governance must include monitoring of the data, remediating violations, and establishing parameters to control consistent adoption.

With these three steps in mind, we can help your company create an action plan for the best data retention program tailored to your business. Let’s talk.

Slalom is a modern consulting firm focused on strategy, technology and business transformation. Learn more and reach out today.
