A little-noticed provision of the new consumer privacy laws in California and Virginia, effective January 2023, is the need for detailed data retention schedules and defensible destruction programs. Partner Alan Friel and Counsel Kyle Fath joined data management professionals on a recent panel at the International Association of Privacy Professionals’ annual summit to explain these new requirements and how to prepare for them. You can watch the recording for free here: Trim Costs, Reduce Risks and Improve Compliance: Data Retention the Right Way
Data retention is poised to become one of the biggest topics for legal, compliance, and privacy professionals in 2021. A combination of regulatory factors, including the litigation and enforcement risk of over-retention of data and explicit data retention and purpose limitation provisions in privacy regulations, has driven this issue to the forefront. To address the issues and risks presented by the ever-growing regulatory framework, companies must act now and adopt proper data inventory practices and retention policies and procedures that will enable them to take these legal requirements head-on, now and into the future.
First, litigation and enforcement risks are and will continue to be relevant as organizations consider their data retention practices. Second, by 2023, alongside the GDPR’s data minimization requirements, U.S. data privacy legislation will require specific disclosures regarding data retention periods. Finally, purpose limitation – processing data only for purposes that are compatible with the original purpose for collection – effectively becomes a global requirement when the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) come into effect a short 18 months from now. With all these considerations in mind, organizations should begin implementing and maintaining proper data retention and minimization policies and procedures sooner rather than later.
Litigation Risk and Operational Headaches with Over-retention of Data
There is an ongoing shift in thinking about data retention, from a value and cost proposition (“all data has value and the costs of data storage are low and shrinking”) to a risk-based analysis. There is a general recognition that data retention presents risks from a litigation and enforcement perspective. In a case based on Illinois’ Biometric Information Privacy Act, the Seventh Circuit recently concluded that simply holding the data longer than the specified retention period, even when no breach or other use had occurred, was a privacy harm (Fox v. Dakkota Integrated Systems). Beyond these current risks, the general trend is that privacy legislation will continue to advance, both within the U.S. and around the world, thereby increasing litigation and enforcement risk. As additional regulation advances, regulators and consumers will demand concrete actions from organizations with whom they share personal and sensitive data, including its timely disposal. The data retention obligations in CPRA are taken almost verbatim from GDPR. The recently passed CDPA includes similar language, and advancing legislation in India and elsewhere continues this trend.
In addition to the litigation risk, over-retention of data will present operational headaches for companies in responding to data subject requests. For CPRA, it is worth noting that most of its requirements apply to data collected after January 1, 2022, though the “lookback period” for access requests may be extended by regulations beyond a year. The CDPA does not include a defined lookback period, which companies should consider when implementing a retention policy. Companies that over-retain data will have to search through years and years of unstructured data when the CPRA’s (and CDPA’s) subject access and other rights requests come into force, with extended limits (or without any limits) on how far back companies must go to find a consumer’s data.
New and Existing Data Retention Requirements
Second, companies must comply with specific provisions in privacy law that address data retention, such as GDPR, forthcoming CDPA and CPRA, and advancing legislation in India. Companies that are subject to the GDPR are familiar with its requirement that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” The CDPA’s data retention provisions are not as explicit, but read closely, the forthcoming Virginia law does not permit storage of personal data for use beyond the originally disclosed purposes (subject to certain exceptions). The CPRA not only prohibits covered businesses from retaining personal information longer than it is needed, but also requires a clear statement at the point of collection regarding how long personal data will be retained. This statement must be very specific for each category of personal and sensitive information. The requirement to make the specific retention policy visible to consumers every time their data is collected is likely to create far more exposure to the retention practices of organizations. This visibility will create more accountability as consumers and regulators demand retention programs be carried out in the manner disclosed.
Purpose Limitation Requirements
Third, there are the more stringent purpose limitation requirements. The CPRA’s and CDPA’s purpose limitation provisions are taken almost verbatim from GDPR and insist that data only be used for the purposes disclosed at the time it was collected, and they demand that it be deleted once that purpose has been fulfilled. They also make it clear that it cannot be used for another purpose, effectively eliminating the often-used excuse of “keeping it around in case we need it for something else.” The CPRA and CDPA will join the GDPR in specifically prohibiting these types of activities.
How Organizations Can Address Data Retention Now and For the Future
Data retention is hardly a new topic in most organizations. Most companies likely have data retention and disposal policies, as well as a communication program to notify relevant stakeholders of the same. Often, however, these policies are not carried out and sit on the shelf for a variety of reasons. Either implementing the data retention program has never been a priority, the company does not have the proper resources, or senior management has not bought into the idea. With the changing regulatory landscape in mind, organizations should act to address their data retention obligations, regardless of whether they have a mature and operational program in place or nothing at all, or something in between.
Data Inventory – The First Step
A complete data inventory is the essential first step in creating an operational data retention program. It allows the organization to understand the data it has in business and technical terms. It also clarifies the business records and how they are used. This inventorying process must be highly flexible and capable of identifying both structured and unstructured data of all types and from a variety of sources, because the risks associated with the data do not vary by the storage medium. Moreover, the inventory must allow identification of information not only for retention/deletion, but also in a way that allows organizations to address other compliance obligations, such as identifying data collected and shared with third parties on a category-by-category basis and responding to data subject requests in a similar way. The inventory must be capable of managing the entire set of data of any type in any location and in any form, and the process must be extensible and repeatable so it can drive the continuous collection of information about the data across the entire portfolio of information, including new data and data types that a company collects in the future. This data inventory must also be more than just a list of databases, data locations, and types, because a data retention program must enable the organization to remove data where warranted in a systematized way.
A strategy of gathering information from business users can seem daunting, but solutions that cover all types of data and both scan the databases to get technical information as well as query users to get contextual information do exist. Exterro Data Inventory is one such system. It offers automated data scans, as well as built-in, industry-specific assessments and a robust mechanism for administering them.
From an Inventory to a Retention Procedure
Creating an operational mechanism for data retention and disposal that addresses legacy data but is also forward-looking is more complex than it appears. This is particularly true given not only data privacy regulation, but also an organization’s other legal obligations with respect to data (e.g., minimum retention periods for tax purposes). Unless the organization adopts an integrated legal GRC strategy, automating and linking its legal governance, risk management, and compliance activities, it is unlikely to have the visibility needed to create one. Data retention regulations deal with records (and in the case of the CPRA, specific categories), not databases. The same is true of business processes and requirements. Building a record retention schedule requires merging jurisdictional regulations, business requirements, and established practices. The result is a process that must meet business obligations, serve cross-jurisdictional needs, and account for system limitations. This records retention schedule must then be translated by the system into a schedule of data operations and mapped to the specific data underlying those records. Only in this way can it be truly operational. The legal department and other stakeholders must be intimately involved in the process to ensure that data retention, legal hold, data subject request response, and investigation procedures are integrated, to avoid the significant consequences of deleting data that is involved in investigations or litigation or under some other retention obligation.
Action is Urgent
If the relevant provisions of CPRA and CDPA do not go into effect until January 1, 2023, then why is it necessary to begin now? While a year and a half or so sounds like a great deal of time, the actual process of updating or creating a comprehensive data inventory, as discussed above, is likely to be a significant task. Even with a reasonably complete map of data sources, linking business records to data requires substantial business exploration and can be a very time-consuming step even with automation in place to help. Finally, the retention schedule must be put in place, and the deletion mechanisms and processes agreed upon with the relevant stakeholders.
What Exactly is Meant by Deletion?
There is a common understanding that, depending on the type of data involved, data disposal (also referred to as “data deletion”) does not always involve the erasure or deletion of data in the literal sense. Indeed, data privacy regulations are flexible and allow for different approaches, including erasure/deletion, de-identification, or aggregation of data. While organizations are afforded flexibility in most cases as to their method of deletion, they should ensure both proper communication amongst, and proper separation of, business functions to prevent unexpected consequences on IT systems as a result of policy changes. That said, development of a retention/purge policy that reflects GDPR, CPRA, and other legal requirements requires considerable legal input, since it is justified to keep data if required by law or for legal defense purposes (statutes of limitations, etc.). Likewise, the development of workable retention/purge schedules requires detailed legal reviews. Over time, these rules can generally be reused to replicate processes, but initial development of the “bottom line” rules for the various categories of data is a matter where a number of stakeholders, legal and IT alike, must have a seat at the table.
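The two steps described above (turning a per-category retention schedule into concrete data operations, and choosing the disposal method while respecting legal holds and statutory minimums) can be illustrated with a small evaluator. This is an added example, not code from the authors or from any product named on the page; the categories, periods and records are constructed, hypothetical values, and real schedules would come from legal review.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Tuple

@dataclass
class RetentionRule:
    category: str             # record category from the retention schedule
    purpose_max_days: int     # privacy ceiling: disposal once the purpose is fulfilled or this elapses
    statutory_min_days: int   # legal floor, e.g. tax record-keeping (hypothetical value)
    end_of_life: str          # disposal method: "erase", "de-identify" or "aggregate"

@dataclass
class Record:
    record_id: str
    category: str
    collected: date
    purpose_fulfilled: Optional[date] = None   # set when the disclosed purpose is complete
    legal_hold: bool = False                   # litigation/investigation hold from the legal team

def decide(rule: RetentionRule, rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason). Precedence: legal hold > statutory floor > privacy ceiling."""
    if rec.legal_hold:
        return ("retain", "legal hold: deletion would destroy evidence")
    age_days = (today - rec.collected).days
    if age_days < rule.statutory_min_days:
        # Must be kept by law, but purpose limitation still forbids new uses of it.
        return ("retain", f"statutory minimum of {rule.statutory_min_days} days not reached")
    if rec.purpose_fulfilled is not None or age_days >= rule.purpose_max_days:
        return (rule.end_of_life, "disclosed purpose fulfilled or retention period expired")
    return ("retain", "disclosed purpose still active")

def build_schedule(rules: dict, records: List[Record], today: date) -> List[Tuple[str, str, str]]:
    """Translate the category-level schedule into one data operation per record."""
    return [(r.record_id, *decide(rules[r.category], r, today)) for r in records]

# Constructed sample schedule and records (hypothetical values, not from any statute).
SAMPLE_RULES = {
    "payroll": RetentionRule("payroll", purpose_max_days=365, statutory_min_days=7 * 365, end_of_life="erase"),
    "marketing": RetentionRule("marketing", purpose_max_days=180, statutory_min_days=0, end_of_life="de-identify"),
}
SAMPLE_RECORDS = [
    Record("r1", "payroll", date(2020, 1, 1), purpose_fulfilled=date(2021, 1, 1)),
    Record("r2", "marketing", date(2022, 1, 1)),
    Record("r3", "marketing", date(2022, 12, 1), legal_hold=True),
    Record("r4", "marketing", date(2022, 12, 1)),
]

if __name__ == "__main__":
    for row in build_schedule(SAMPLE_RULES, SAMPLE_RECORDS, date(2023, 1, 1)):
        print(row)
```

Note that record r1 is retained despite its purpose being fulfilled, because the statutory floor outranks the privacy ceiling; the evaluator only decides the operation, and the actual erasure or de-identification still has to be carried out by the owning system.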
It is clear that data retention is a critical component of privacy compliance and is useful in minimizing other types of data risks. Organizations should evaluate their data retention programs and update them to reflect the current and forthcoming regulatory requirements.