Data Retention – Policy, Law and examples

Since the introduction of the GDPR and the CCPA, there are now stricter rules on how businesses and organizations are permitted to store our sensitive information.
The data retention provisions of both GDPR and CCPA set out not only best practices but also how to stay in line with the legislation, avoiding strict penalties and substantial fines.

These new penalties have hit some of the biggest brand names harder than they could have imagined, and for issues they didn’t realize they were even accountable for. The time has come for businesses to examine how they’re storing data and whether they’re complying with the new rules.

The best tool they can use to stay in line and on top of the procedure is an up-to-date, all-inclusive, data retention policy.

What is a data retention policy?

It’s a set of guidelines that dictates how each business handles its data, how long they can hold records, and why. It also sets out what’s to be done with that data once it reaches the limit of its allowable retention period.

A company has to explain why it’s holding onto each piece of data it gathers, and it’s those reasons that dictate the retention period. Neither GDPR nor CCPA specifies many fixed time limits for data retention, but each organization must set its own, and be able to justify how it came up with each timeframe.

Why do we need data retention policies?

After the introduction of GDPR, we became inundated with requests from businesses we’d long since forgotten, as well as those we still used regularly. That’s because all of those businesses still held our information in their systems, and to keep doing so, they needed permission.

What’s the problem with old, out-of-use information sitting on servers? Well, despite everyone’s best intentions, data breaches and server hacks happen all the time, and it’s that stale data that is exposed, or that gives the attacker access in the first place.

To limit the opportunities for hacking and data breaching, regulators mandated that the organizations storing personal data could only hang onto it if they had a legitimate reason.

GDPR data retention policy

You can read more about the GDPR legislation that covers data retention to see how it would impact your systems and data retention. The key area is Article 5, Principles relating to processing of personal data.

With GDPR, there are no set periods. So how do you decide on an acceptable duration to hold onto your users’ details?

You need to consider two main areas:

  • The purpose of holding onto the data
  • Any legal or regulatory requirements for retaining it

You can’t hold onto information just for the sake of it, but where you have a valid reason to, you could keep it indefinitely.

Legal or regulatory reasons include such things as tax purposes, audits, or maintaining compliance with industry standards. Other reasons can include processing data for archiving purposes, where the information is relevant to the public interest or has scientific or historical research value.

Once you exceed an acceptable timeframe, that data needs to be removed or amended, so there is no possible way of tracing it back to the user.

CCPA data retention policy

The CCPA delivers its guidelines under Section 1798.105, the right to deletion. Each consumer can request a copy of the data stored, and where requested, have it deleted.

To be bound by CCPA legislation, a business must either:

  • Make over $25 million in revenue per year.
  • Handle personal data for 50k people, devices, or households from California per
    year.
  • Make at least half of their revenue from selling information about California
    residents.

How long a business or organization can retain a user’s data is dictated by the following:

  • Completing the transaction relating to the collected data.
  • Fulfilling a warranty or product recall.
  • Providing goods or services requested by the consumer in future, or reasonable
    anticipation of delivering those goods or services.
  • Maintaining a contract between the parties.
  • Detecting security incidents and protecting users from malicious or other illegal
    activity.
  • Debugging or repairing errors to existing functionality.
  • Exercising free speech, or protecting another consumer’s right to free speech.
  • Complying with the California Electronic Communications Privacy Act.
  • Engaging with scientific, historical, or statistical research in the public interest.
  • For internal use reasonably aligned with the expectations of the consumer.
  • Complying with legal obligations.

These all look relatively straightforward at first glance, but applying an appropriate timeline to many of them can cast grey areas over a business’s view of the situation.

Items to include in a typical data retention policy example

Here’s a quick guide for data retention best practices. We cover, in 3 simplified steps, the things to consider when putting your retention policy in place.

Classify your data

The first thing you need to understand is the type of data your organization uses. The industry your data belongs to governs which stipulations you’re accountable to.

Not all data has the same retention ruling. GDPR compliance demands the classification of data types. It also categorizes ‘special’ data, such as race, ethnic origin, political opinion, biometric data, and health data. With that in mind, data controllers need to know how to label their data correctly, including public, proprietary, or confidential classifications.

Legal requirements

Both GDPR and CCPA have taken prime positions in data management and processing debates over the past couple of years, but there are more regulatory organizations than just those.

When it comes to data and retention policy, you must understand which frameworks and regulations apply to your business or industry.

  • GDPR – You can't hold onto data any longer than necessary. Its removal should occur
    once its intended function is complete.
  • CCPA – You must retain data where consumers may request information.
  • PCI DSS – You must destroy data that is no longer needed.
  • HIPAA – There are no retention requirements for medical records, but you must
    keep policies and procedures relating to HIPAA for 6 years from policy creation.
  • FERPA – Student records to be kept for 6 years after the student is no longer active.
  • GLBA – Privacy notices to be retained forever; other documentation to be retained
    based on risk.
  • Bank Secrecy Act – Records to be retained for 5 years.
  • Fair Labor Standards Act – You must retain payroll records for 3 years.
  • Equal Employment Opportunity – Private employers must retain personnel records
    for 1 year after the employment ends.

Deleting data that’s no longer required

A misconception within organizations is that holding onto all data is safer than deleting it, in
case they need it again later. Holding onto data longer than required can:

  • Increase the chances of a data breach or other security issues.
  • Place client data at greater risk of a breach.
  • Contribute to over-populated data systems.
  • Expand the data access compliance burden.

To operate effectively and within the law, you must remove data at its expiry date. Knowing when that date falls is down to your retention policy.

What should you do with that outdated data?

With GDPR, you have two options for your out-of-date accounts. You can delete them or anonymize them.

Deleting data

If you choose to delete it, you must guarantee to remove all copies. That’s both digital and hard copies, and from every location, server, or drive where it appears. Tracking down hard copies to shred or similar is easier to guarantee, but digital copies can find a way of cropping up in other, long-forgotten locations, or manual and automated back-ups.

If you’re found with such copies after the expiry date—anywhere on your systems—you’ll be in breach of legislation terms and vulnerable to their fines and punishments.

Anonymizing or pseudonymizing data

These are methods used to retain areas of useful information without being linked to the user that submitted it. It jumbles, masks, encrypts, or removes the connection to the individual so that the data can’t be traced back to the consumer.

Anonymizing data destroys any way of identifying the individual and is irreversible.

Pseudonymizing data substitutes the identity of the individual so that, with the correct key or encryption, you can reverse the process and re-identify the original data subjects.

When pseudonymizing data records, it shouldn't be possible for a third party to connect them to an identifiable subject. If you can detach the individual from the data, then GDPR allows you to hold onto that data indefinitely.

However, if associated data is held elsewhere within the business that could identify the subject, then the data hasn’t been sufficiently anonymized, and you could still be liable for their fines and penalties.
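To make the three steps above (classify, apply the legal retention period, delete or de-identify at expiry) and the difference between anonymization and pseudonymization concrete, here is an added example in Python. It is not PrivacyRun’s code or any code from the original article. The retention periods, data classes, field names, sample records and the HMAC-based token vault are all constructed assumptions for illustration; real periods must be set and justified per organization. Note that the pseudonymized records become re-identifiable as soon as someone holds both the records and the vault, which is exactly the "associated data held elsewhere" situation the text warns about.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Retention rules per data class: (retention period, action once the period expires).
# The periods are constructed examples; each organisation must set and justify its own.
RETENTION_RULES = {
    "payroll":   (timedelta(days=3 * 365), "delete"),       # page cites FLSA: 3 years
    "marketing": (timedelta(days=365),     "delete"),
    "analytics": (timedelta(days=180),     "pseudonymize"),
    "research":  (timedelta(days=365),     "anonymize"),
}

# Fields that identify a person and therefore must be removed or substituted (assumed set).
IDENTIFYING_FIELDS = {"name", "email", "ip"}


@dataclass
class Record:
    record_id: str
    data_class: str
    collected_on: date
    fields: dict


def expiry_date(record):
    """Collection date plus the retention period for the record's data class."""
    period, _ = RETENTION_RULES[record.data_class]
    return record.collected_on + period


def is_expired(record, today):
    return today >= expiry_date(record)


def anonymize(record):
    """Irreversible: drop every identifying field so nothing links back to the subject."""
    kept = {k: v for k, v in record.fields.items() if k not in IDENTIFYING_FIELDS}
    return Record(record.record_id, record.data_class, record.collected_on, kept)


def pseudonymize(record, key, vault):
    """Reversible only by the key/vault holder: each identifying value is replaced by a
    keyed token (HMAC-SHA256, truncated) and the token -> value mapping is stored in a
    vault that must be kept apart from the working data set."""
    out = {}
    for k, v in record.fields.items():
        if k in IDENTIFYING_FIELDS:
            token = hmac.new(key, str(v).encode(), hashlib.sha256).hexdigest()[:16]
            vault[token] = v
            out[k] = token
        else:
            out[k] = v
    return Record(record.record_id, record.data_class, record.collected_on, out)


def reidentify(token, vault):
    """Re-establish the original value; only possible while the vault exists."""
    return vault.get(token)


def apply_retention(records, today, key, vault):
    """Return (records to keep, record ids to delete) after applying each expiry action."""
    retained, to_delete = [], []
    for r in records:
        if not is_expired(r, today):
            retained.append(r)
            continue
        _, action = RETENTION_RULES[r.data_class]
        if action == "delete":
            to_delete.append(r.record_id)
        elif action == "anonymize":
            retained.append(anonymize(r))
        else:
            retained.append(pseudonymize(r, key, vault))
    return retained, to_delete


# Constructed sample records (not real people or addresses).
SAMPLE = [
    Record("r1", "marketing", date(2019, 1, 10),
           {"name": "A. Example", "email": "a@example.test", "opted_in": True}),
    Record("r2", "analytics", date(2020, 1, 1), {"ip": "203.0.113.7", "page": "/pricing"}),
    Record("r3", "research", date(2019, 6, 1), {"name": "B. Example", "age_band": "30-39"}),
    Record("r4", "payroll", date(2020, 3, 1), {"name": "C. Example", "gross": 1234.5}),
]


def run_demo(today=date(2020, 7, 1)):
    """Run the policy over the sample set on a fixed date; returns the outcome."""
    vault = {}
    key = b"constructed-demo-key"  # in practice: a managed secret held separately from the data
    retained, to_delete = apply_retention(SAMPLE, today, key, vault)
    return retained, to_delete, vault


if __name__ == "__main__":
    retained, to_delete, vault = run_demo()
    print("to delete:", to_delete)
    for r in retained:
        print(r.record_id, r.data_class, r.fields)
```

On the fixed date 2020-07-01, the marketing record is past its year and is scheduled for deletion, the analytics record has its IP replaced by a token that only the vault can map back, the research record loses its name field outright, and the payroll record is untouched because its three-year period has not run. Running `apply_retention` on a schedule, with the deletion list fed to every store and backup that holds copies, is the automated counterpart of the manual expiry check the text describes.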

Managing your data retention policy with PrivacyRun

When it comes to data retention, PrivacyRun is a data controller’s best friend. The system manages the stipulations of GDPR, CCPA, and other regulators’ legislation, keeping you informed and updated on the status of your data accounts and your position in the eyes of each legal body.

With automated processes monitoring your data retention periods, it continuously verifies the validity dates of your accounts, and where they exceed your parameters, the software automatically takes the designated course of action.

For customer accounts that have expired, it checks the governing conditions. Where those conditions are met, the accounts are automatically deleted, anonymized, or pseudonymized.

PrivacyRun works on the client side of individual IT systems. So, as well as automating data removal for expired accounts, it’s simple to set up built-in rules that also remove an individual’s data on their request. There are rules to govern a range of tasks that include the removal or editing of an individual’s data.

By empowering your business, it helps you steer clear of easily avoided penalties and fines, and by reducing business risk, it organically improves the work of your compliance teams.

Not only is it incredibly effective, but it’s quick to deploy and easy to use. With each built-in process managing previously manual tasks, your company will deliver immediate customer satisfaction while freeing up your workers to get on with more important tasks.

About us

What is PrivacyRun?

Here at PrivacyRun we built our solution with you in mind. Our data privacy platform supports your company’s compliance with local data privacy laws like GDPR and CCPA. We enable you to monitor where and how data is handled, track employee training and keep you up to date on privacy requests – helping you navigate the complex world of privacy compliance from one place.
