
Data minimization is the practice of limiting the collection, use, and retention of personal information to only what is necessary for a specific purpose. Over the past several years, as consumer data privacy regulations have really taken hold, collection minimization and use minimization have gotten markedly better as companies are required to identify the personal consumer and employee information they are collecting and how they are using the information. That is definitely a positive.
However, implementing data retention seems to be lagging behind. Most companies are classic data hoarders. They don’t want to get rid of any data for fear that they will need it, or it will provide some magical insight down the road. Some companies haven’t bothered to create a data retention policy, and others have created the policy, but they just aren’t acting on it. If you are in the latter group, you need to push this forward and you can skip to Step 12 below.
This article is for those in the first group – companies that haven’t gotten around to creating a data retention policy. I would argue that data retention is the most important aspect of data minimization. Corporate data retention policies serve as a roadmap for organizations to comply with data minimization provisions. These policies define the types of consumer data collected, the purposes for which it is collected, and the duration for which it will be retained. By establishing clear guidelines, organizations minimize the risk of accumulating unnecessary data, keep their datasets clean and manageable, and lessen the impact of potential privacy breaches or regulatory violations.
Creating a data retention policy is not easy, but it is relatively straightforward and generally follows these steps:
1. Identify the larger categories of data the company holds (customer data, transaction data, financial data, employee data, legal and compliance data, etc.).
2. Define the retention period for each category based on company preference or applicable laws.
3. Identify the uses of the data.
4. Identify the locations of each category of data (files, database tables, etc).
5. Identify responsible parties.
6. Establish procedures for data disposal.
7. Establish a schedule for disposing of data that is older than the retention periods.
8. Communicate the policy and procedures.
9. Set up an audit plan to ensure disposals are happening.
10. Document the basics of your retention policy for consumer data in your external Privacy Notice.
11. Build a process for adding new data sources to your retention policy.
12. DISPOSE OF THE DATA BASED ON YOUR POLICIES AND DEFINED SCHEDULE.
13. AUDIT YOUR DATA RETENTION PROGRAM REGULARLY.
Ultimately, a well-defined data retention policy not only enhances data privacy and security but also fosters trust and transparency with consumers and employees. You will also save money on data storage, save hours of system processing time and hours spent managing old data that will probably never be used, and lessen the impact of privacy incidents. The benefits far outweigh the slim possibility that the data might provide insight down the road.