CHALLENGES AND RISKS INVOLVED WITH DATA RETENTION
- data retention
- privacy by design
- retention schedule
The risks of over or under retention
Organizations want to be conscious of the legal guidelines that pertain to their personal data processing. Personal data have to be kept lengthy adequate to comply with applicable legal responsibility. The minimum or maximum retention periods may be dominated by the Laws. In contrast, scenarios laws might also no longer specify retention periods and establishments will want to judge for themselves a suitable retention period which they can justify.
What are the risks?
Organizations might expose themselves to risks if they keep personal data for longer than necessary, or indeed not keep it long enough.
1.1 Information security risks
The impact of a personal data breach could be significantly worse for an organization that is keeping personal data for too long. For example:
• the volume of records involved in the breach may be larger and could affect far more individuals.
• if a regulator investigates and discovers certain data concerned in the breach had been stored for longer than necessary, in breach of the law, enforcement action may be greater and doubtlessly more severe.
• damage to the organization’s reputation could be much greater.
• if the organization is a processor acting on behalf of a controller, it may also face legal action from the controller.
• there can be more queries or class actions on behalf of the people who have been affected. It is ought to increase complaints from people asking why their data has been stored for so long.
1.2 Legal risks
Legally defined data retention periods generally exist to shield the interests of people. While the law requires an organization to maintain personal data for a stipulated period, appropriate data must be stored at least long enough, to these legal obligations.
If an organization fails to hold records for the stipulated period, it exposes itself to the risk that it may not be able to comply with the pertaining laws and may also be undermining the interests of people.
1.3 Contractual or commercial risks
Certain personal data needs may additionally want to be held to meet contractual or commercial terms, such as:
• personal data collected as part of a sale, or to provide a service between an organization and its customers.
• personal data necessary for ancillary products or services, and to substantiate guarantees or warranties
• personal data which is encompassed between a data controller and its processor, within a contract.
The risks linked in not maintaining this data comprise responding to complaints or litigation from customers, or regulatory enforcement.
1.4 Customer expectations
Organizations will be expected to process customer’s data to respond to their needs, such as:
• answering customer service queries;
• responding to complaints; or
• changing their preferences.
In situations where there is no applicable law concerning the retention period for personal data, an organization will nonetheless need to keep it for a stipulated period to meet its customers’ reasonable expectations. Similarly, once a customer contract ends, or lapses, a customer might not expect an organization to store their personal data any longer. Suitable retention periods must balance the rights of all parties and their interests.
1.5 Reputational risks
All the above risks could also result in reputational damage for an organization that fails to meet its legal obligations, contractual obligations, or customers’ expectations
1.6 People and process challenges: winning hearts and minds
Examine how to get support from senior leadership.
• You will need to confirm who makes the final decision on data retention periods and who supports them to implement these periods.
• Agree on the best approach by consulting with your stakeholders.
• Change is inevitable, so adopt a flexible approach.
• Internal awareness – consider how best to communicate your data retention policy and schedule across the teams who manage personal data and the technology teams who will support them with the systems.
• External transparency – consider how to notify your customers/clients/supporters about how long you will keep their data, for example, in your privacy notices. How much detail will you give about specific retention periods?
You will need to build strong relationships with data owners, but also with your technology team – particularly those who are responsible for the IT systems which hold the data.
To encourage people to help you to implement successfully, you will need to build strong relationships with your stakeholders. Help your colleagues understand data retention and how you have made decisions.
You will need to be able to clearly state the benefits of implementing data retention policies and practices so that data retention becomes part of a wider topic of ‘How do I use this information to drive my business forward.
1.7 Technology challenges
You may face some real situations whilst trying to roll out the data retention policy and schedule, for instance:
• legacy systems may be inflexible and sometimes they have limited data destruction capabilities.
• decommissioned systems, or systems due for decommission, may still hold personal data which will need to be destroyed.
• data held on backups.
• business continuity risks (such as if you need to restore data that has been deleted).
How can DataOlogie help you?
We can solve your legacy and current data retention issues and support you in defining data retention policies, schedules and implement this in your organisation, so you have one less thing to worry about.
SCCs – International Transfers
What is the new SCC? Organizations subject to the EU GDPR are subject to Article 45 EU-DSGVO (with the exception of Article 45 EU-DSGVO (that is, unless they provide an "appropriate guarantee" within the meaning of Article 46 EU-DSGVO (with the exception)....
GDPR and how SaaS (Software as a service) businesses can become compliant with the GDPR
GDPR and how SaaS (Software as a service) businesses can become compliant with the GDPR On May 25, 2018, the European Union introduced the General Data Protection Regulation (GDPR) to ensure maximum data protection privileges for people across the European Union....
Data in Sports
Data in sports Data analytics in sports was first popularized by the efforts of Billy Beane during his reign as General manager of the Oaklands Athletics baseball team (also portrayed in the commercial film Moneyball). However, it’s a common practice now for...
Ring video doorbell : GDPR and Privacy – what homeowners need to know
Ring video doorbell : GDPR and Privacy - what homeowners need to know A recent case in the Oxford County Court highlighted the perils for homeowners of operating a Ring product to protect their properties. Ring products, such as smart doorbells and security...
Article 27 – UK & EU Representative services
Article 27 – UK & EU Representative services The UK entered a period of transition which ended on 31st December, 2020, as the Brexit uncertainty ended with the passing of the withdrawal agreement bill. Data controllers or processors are under the obligation to...
GDPR – Here’s What You Should Know Before Collecting Customer Personal Data
Data is everywhere and smart companies know how to use customer data to their advantage. If you regularly harvest customer data to understand consumer patterns and for remarketing purposes, you must know about the rules and regulations that protect customers from...