close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image

Step Five Align Data Retention Policies

At this point, you have a working understanding of what data you have, where it is, and why you have it. This is a good time to turn to your data collection and retention practices.

Today’s data-driven economy incentivizes businesses to collect and hold more data for some future possible value. These inclinations conflict with the principle of data minimization enshrined in the GDPR, CCPA 2.0, and other modern privacy and data protection frameworks. For example:

  • GDPR Article 5©: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”
  • CCPA/CPRA § 1798.100©: “A business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed…”.
  • Virginia CDPA § 59.1-578(A):: “Personal data processed by a controller… may be processed to the extent that such processing is reasonably necessary and proportionate to the purposes listed in this section; and Adequate, relevant, and limited to what is necessary in relation to the specific purposes.”

Applying data minimization is an essential part of privacy by design. Data minimization is the way by which you step back and ask, “What data is essential to collect? When? What’s meaningful to keep? For how long?”

  • Business value: Knowing what information is critical to your business activities, and when to collect it positions your business to use data more efficiently. Work across your organization to arrive at sensible, minimally viable baselines. Payroll needs personal bank account numbers, Marketing doesn’t.
  • Complexity as risk multiplier: Reducing the sheer volume and variety of collected personal data reduces oversight complexity. Less information means less storage and backup overhead. It also means being a smaller target for cybercriminals.
  • Consumer expectations: Consumers expect companies to use their data for the purposes for which it was originally collected, or for closely related purposes.
  • Retention obligations: Businesses have various legal retention obligations depending on the industry they operate in. Banking, financial record integrity, tax, and labor laws can prescribe minimum as well as maximum retention periods. Contractual agreements between businesses can also stipulate minimum/maximum periods.

Regularly reviewing your data practices against business needs and retention commitments is par for the course. This step protects your company against significant data accumulation and ensures your organization thinks about its data lifecycle, from collection to destruction.

Privacy teams should work with Legal to understand applicable retention requirements, and to document these parameters in a data retention policy & schedule.

Check Out the Data Retention Policies of Top Tech Companies

Right-sizing your collection and retention practices can translate to other privacy operational efficiencies. For example, the CCPA 2.0’s right of access has an expansive "look-back provision." To respond to an Access request, organizations need to know the personal information they collected, used, sold, or shared about an individual going back 12 or more months from the time of the verified request. When combined with CCPA 2.0’s data minimization and collection limitation requirements, there’s an incentive for California businesses to trim their data footprint.

icon

Bottom Line:

Post-GDPR, data hoarding is more than unlawful. It’s a burdensome hazard. Proportional, needs-based collection, storage, and retention means less to track, report, and pay storage tariffs on, and less temptation for bad actors. A written retention policy benefits any privacy program.

How to Get Started

icon

Live Data Map in DataGrail is the start to understanding how the data you have relates to your business activities.

In parallel, Request Manager connects to cloud-based storage so you can protect personal customer data.

We support Amazon S3, Google Cloud Storage (GCS), and Microsoft Azure Blob. Request a demo to learn more about how we work with other providers.

icon

Request a demo to learn more about adding retention-related questions to your Live Data Map inventory system reports.

We can also refer you to trusted policy documentation and retention requirements specialists.

icon

Connect with other pros (free) to talk about data collection and retention best practices. Join the Privacy Basecamp Community.