
Creating a Personal Information Retention Justification Process
How long can personal information be retained? Global privacy laws do limit the retention of personal information, but this does not mean that personal information must be deleted after only a year, for example. Organizations should establish a business justification process that documents the legitimate need for retaining personal information. At a minimum, such a process demonstrates a good-faith effort to follow the rules.
Companies should take a "goldilocks" approach to determining this retention period. It need not be too short, nor too long, but rather a middle period based on reasonable justification:
Personal Information Must Be Retained at a Minimum for Legal and Regulatory-driven Record Retention Periods – Legal and regulatory recordkeeping requirements take precedence over privacy rules. In the example from the previous section, California requires that "any and all applications, personnel, membership, or employment referral records and files; personnel files of applicants or terminated employees" be retained for four years. As such, all such records should have a minimum four-year retention period, running either from the date the records/files are initially created/received or from the date the employment action was taken. Records retention requirements serve as a "low water mark" retention period.
Companies May Retain Personal Information for a Longer Period Through Business Justification – There are many instances in which companies have a legitimate business need to retain personal information longer than legal and regulatory requirements demand. Personal information may be retained for these longer periods, so long as there is a reasonable business justification. This justification should be documented in the data retention policy.
Business Justification Must Be Reasonable – The ability to retain personal information through a business justification process does not give an organization license to keep personal information longer than is reasonable. For example, many companies have significant stores of personal information in data warehouses and similar applications, some of which contain personal information that is literally 10 or 20 years old (see box below). While this personal information may be useful for marketing purposes, it is difficult to see how such retention is needed for business purposes that support sales to a customer.
Take a look at our white paper, Developing a Data Retention Policy to Meet Privacy Requirements.