The risks of over or under retention

Organizations want to be conscious of the legal guidelines that pertain to their personal data processing. Personal data have to be kept lengthy adequate to comply with applicable legal responsibility. The minimum or maximum retention periods may be dominated by the Laws. In contrast, scenarios laws might also no longer specify retention periods and establishments will want to judge for themselves a suitable retention period which they can justify.

What are the risks?

Organizations might expose themselves to risks if they keep personal data for longer than necessary, or indeed not keep it long enough.

1.1 Information security risks

The impact of a personal data breach could be significantly worse for an organization that is keeping personal data for too long. For example:

•           the volume of records involved in the breach may be larger and could affect far more individuals.

•           if a regulator investigates and discovers certain data concerned in the breach had been stored for longer than necessary, in breach of the law, enforcement action may be greater and doubtlessly more severe.

•           damage to the organization’s reputation could be much greater.

•           if the organization is a processor acting on behalf of a controller, it may also face legal action from the controller.

•           there can be more queries or class actions on behalf of the people who have been affected. It is ought to increase complaints from people asking why their data has been stored for so long.

1.2 Legal risks

Legally defined data retention periods generally exist to shield the interests of people. While the law requires an organization to maintain personal data for a stipulated period, appropriate data must be stored at least long enough, to these legal obligations.

If an organization fails to hold records for the stipulated period, it exposes itself to the risk that it may not be able to comply with the pertaining laws and may also be undermining the interests of people.

1.3 Contractual or commercial risks

Certain personal data needs may additionally want to be held to meet contractual or commercial terms, such as:

•           personal data collected as part of a sale, or to provide a service between an organization and its customers.

•           personal data necessary for ancillary products or services, and to substantiate guarantees or warranties

•           personal data which is encompassed between a data controller and its processor, within a contract.

The risks linked in not maintaining this data comprise responding to complaints or litigation from customers, or regulatory enforcement.

1.4 Customer expectations

Organizations will be expected to process customer’s data to respond to their needs, such as:

•           answering customer service queries;

•           responding to complaints; or

•           changing their preferences.

In situations where there is no applicable law concerning the retention period for personal data, an organization will nonetheless need to keep it for a stipulated period to meet its customers’ reasonable expectations. Similarly, once a customer contract ends, or lapses, a customer might not expect an organization to store their personal data any longer.  Suitable retention periods must balance the rights of all parties and their interests.

1.5 Reputational risks

All the above risks could also result in reputational damage for an organization that fails to meet its legal obligations, contractual obligations, or customers’ expectations

1.6 People and process challenges: winning hearts and minds

Examine how to get support from senior leadership.

•           You will need to confirm who makes the final decision on data retention periods and who supports them to implement these periods.

•           Agree on the best approach by consulting with your stakeholders.

•           Change is inevitable, so adopt a flexible approach.

•           Internal awareness – consider how best to communicate your data retention policy and schedule across the teams who manage personal data and the technology teams who will support them with the systems.

•           External transparency – consider how to notify your customers/clients/supporters about how long you will keep their data, for example, in your privacy notices. How much detail will you give about specific retention periods?

You will need to build strong relationships with data owners, but also with your technology team – particularly those who are responsible for the IT systems which hold the data.

To encourage people to help you to implement successfully, you will need to build strong relationships with your stakeholders. Help your colleagues understand data retention and how you have made decisions.

You will need to be able to clearly state the benefits of implementing data retention policies and practices so that data retention becomes part of a wider topic of ‘How do I use this information to drive my business forward.

1.7 Technology challenges

You may face some real situations whilst trying to roll out the data retention policy and schedule, for instance:

•           legacy systems may be inflexible and sometimes they have limited data destruction capabilities.

•           decommissioned systems, or systems due for decommission, may still hold personal data which will need to be destroyed.

•           data held on backups.

•           business continuity risks (such as if you need to restore data that has been deleted).

How can DataOlogie help you?

We can solve your legacy and current data retention issues and support you in defining data retention policies, schedules and implement this in your organisation, so you have one less thing to worry about.