Avoiding Conflict Between Privacy Disposition and Records Retention

- by Mark Diamond, Expert in Data Management

Most organizations already have retention guidelines in an existing records retention policy and schedule. Records retention laws and regulations, of which there are literally thousands, may require a company to keep particular records for a set number of years. These requirements can override a consumer's deletion request even when the record contains personal information. For example, a customer of a financial services company may ask that their personal information be deleted after they close their account, yet recordkeeping rules in most states require that the account records be retained for at least seven years; the exact period depends on the regulator and the jurisdiction, so the retention schedule, not the deletion request, has to be the source of truth for how long the record is held.

The figure above lists California's requirements for retaining employee records. The next figure lists the CPRA's requirement that personal information be retained no longer than is reasonably necessary for the purpose for which it was collected. How should the conflict be handled? Note that most privacy laws, the CCPA/CPRA included, allow data that must be kept to satisfy a legal obligation to be retained despite a deletion request, so the legally mandated period itself is rarely the problem. The hard cases arise because, in many companies, the business need for information outlasts the legally mandated retention period; that is, the information's business utility lasts longer than its legal utility, and that additional retention has to be justified as reasonably necessary for a disclosed purpose. These examples are based on California law, but most privacy laws contain similar requirements and therefore create similar potential conflicts with records retention requirements.

Data retention and disposition policies and strategies need to be synchronized with records retention requirements; a conflict between the two is itself a source of non-compliance, because whichever document a team follows, it will violate the other. The most compliant, easiest, and smartest approach is therefore to incorporate both sets of requirements into a single policy. Both aim to specify what information must be kept and for how long, and putting them in one document makes that specification easier to write, maintain, and enforce. What the document is called matters little: some companies call it a data retention policy, others a records retention schedule. What matters is that the data retention policy is records-enabled and the records retention schedule is privacy-enabled, so that every record category carries both its legal minimum and its privacy-driven maximum.

Finally, as is best practice, data retention policies should not be the product of legal and regulatory requirements alone. They also need to address business need and value. Good retention policies serve not only as legal statements but also record a reasonable consensus among business units and other stakeholders about what information must be maintained to run the business and what can and should be deleted, and when. Any deletion exercise depends on having this agreement in place. Failing to build the consensus at the outset forces a company to revisit the question every time it tries to delete information.

More information on privacy and records management is available at Contoural.