With the excitement generated by the recent news that the European Court of Justice has, in effect, struck down the EU's Data Retention Directive (see our earlier post here), now seems as a good a time as any to re-visit the topic of data retention generally.
Whereas the Data Retention Directive required ISPs and telcos to hold onto communications metadata, the Data Protection Directive is sector-blind and pulls in exactly the opposite direction: put another way, it requires all businesses not to hold onto personal data for longer than is "necessary".
That's the kind of thing that's easy for a lawyer to say, but difficult to implement in practice. How do you know if it's "necessary" to continue holding data? How long does "necessary" last? How do you explain to internal business stakeholders that what they consider "necessary" (i.e. commercially desirable) is not the same thing as what the law considers "necessary"?
Getting the business on-side
For any CPO, compliance officer or in-house lawyer looking to create their company's data retention policy, you'll need to get the business on-side. Suggesting to the business that it deletes valuable company data after set periods of time may not initially be well-received but, for your policy to be a success, you'll ultimately need the business's support.
To get this buy-in, you need to communicate the advantages of a data retention policy and, fortunately, these are numerous. Consider, for example:
- Reduced IT expenditure: By deleting data at defined intervals, you reduce the overall amount of data you'll be storing. That in turn means you need fewer systems to host that data, less archiving, back-ups and offsite storage, making significant cost savings and keeping your CFO happy.
- Improved security: It seems obvious, but it's amazing how often this is overlooked. The less you hold, the less - frankly - you have to lose. Nobody wants to be making a data breach notification to a regulator AND explaining why they were continuing to hold on to 20 year old records in the first place.
- Minimised data disclosures: Most businesses are familiar with the rights individuals have to request access to their personal information, as well as the attendant business disruption these requests can cause. As with the above point, the less data you hold, the less you'll need to disclose in response to one of these requests (meaning the less effort - and resource - you need to put into finding that data). This holds true for litigation disclosure requests too.
- Legal compliance: Last, but by no means least, you need a data retention policy for legal compliance - after all, it's the law not to hold data for longer than "necessary". Imagine a DPA contacting you and asking for details of your data retention policy. It would be a bad place to be in if you didn't have something ready to hand over.
Key considerations
Once you have persuaded the business that creating a data retention policy is a good idea, the next task is then to go off and design one! This will involve input from various internal stakeholders (particularly IT staff) so it's important you approach them with a clear vision for how to address some of the critical retention issues.
Among the important points to consider are:
- Scope of the policy: What data is in-scope? Are you creating a data retention policy just for, say, HR data or across all data processed by the business? There's a natural tension here between achieving full compliance and keeping the project manageable (i.e. not biting off more than you can chew). It may be easier to "prove" that your policy works on just one dataset first and then roll it out to additional, wider datasets later.
- One-size-fits-all vs. country-by-country approach: Do you create a policy setting one-size-fits-all retention limits across all EU (possibly worldwide) geographies, or set nationally-driven limits with the result that records kept for, say, 6 years in one country must be deleted after just two in another? Again, the balance to be struck here is between one of compliance and risk versus practicality and ease of administration.
- Records retention vs. data retention: Will your policy operate at the "record" level or the "data" level? The difference is this: a record (such as a record of a customer transaction) may comprise multiple data elements (e.g. name, cardholder number, item purchased, date etc.) A crucial decision then is whether your policy should operate at the "record" level (so that the entire customer transaction record is deleted after [x] years) or at the "data" level (so that, e.g., the cardholder number is deleted after [x] years but other data elements are kept for a longer period). This is a point where it is particularly important to discuss with IT stakeholders what is actually achievable.
- Maximum vs minimum retention periods: Apart from setting maximum data retention periods, there may be commercial, legal or operational reasons for the business to want to set minimum retention periods as well - e.g. for litigation defence purposes. At an early stage, you'll need to liaise with colleagues in HR, IT, Accounting and Legal teams to identify whether any such reasons exist and, if so, whether these should be reflected in your policy.
- Other relevant considerations: What other external factors will impact the data retention policy you design? Aside from legal and commercial requirements, is the business subject to, for example, sector-specific rules, agreements with local Works' Councils, or even third party audit requirements (e.g. privacy seal certifications - particularly common in Germany)? These factors all need to be identified and their potential impact on your data retention policy considered at an early stage.
Getting it right at the beginning means that the subsequent stages of your data retention policy design and roll out should become much smoother - you'll get the support you need from the business and you'll have dealt with the difficult questions in a considered, strategic way upfront rather than in a piecemeal (and likely, inconsistent) fashion as the policy evolves.
And with so much to benefit from adopting a retention policy, why would you wait any longer?