In the not-so-distant past, data risk was primarily seen as a technology challenge. How can organizations store all the data they accumulate? How can they sort and analyze it? How can they protect it from exfiltration by threat actors—primarily outside the organization at that?
In the past five years, much has changed. Rather than data security, regulatory compliance is now the primary risk vector for organizations’ data custodians. In response to the enactment of GDPR and dozens of subsequent state, national, and transnational privacy regulations, organizations must implement compliance strategies, and more importantly, the technology and processes to fulfill their obligations.
Effective, operational data retention is the foundation for regulatory compliance. Most organizations have a reasonable complement of data retention policies, but in practice, the policies are not put into effect. Data protection laws mandate that organizations delete data they no longer need; this is also a well-established best practice for security. Privacy laws insist that personal information not be kept beyond its legitimate use or legal requirement, and newer ones require that these retention periods be disclosed at collection time. Understanding retention requirements is a fundamental first step in operationalizing a data retention program. Here are four baseline requirements your organization must meet, exemplified by four specific privacy regulations, as explained in the whitepaper Navigating Regulatory Requirements with Effective Data Retention.
Data Retention Challenge #1: Data Subject Access Requests (DSARs)
CPRA, the California Privacy Rights Act, was passed by referendum in California in November 2020 to strengthen provisions of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. From the standpoint of data risk, the most significant changes are in the obligations around the collection and retention of personal data and the requirement that organizations produce within 45 days the personal data it holds upon a request from its subject. This data can include the personal information, as well as how it is used and processed. The fact that these access rights are easily visible outside the organization means that its impact on your brand reputation can be even more substantial than the penalties included in the law itself.
To respond to a DSAR effectively, an organization must have several different technology and process components in place: a portal to intake requests from consumers; an accurate data map or inventory that includes information on what data is stored where; technology to collect, redact, and produce the data; and data retention policies and processes to delete personal data when it is no longer needed for the purpose for which it was originally collected.
Data Retention Challenge #2: Data Protection Requirements
The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), passed in 2019, identifies private information and sets out responsibilities for organizations to protect that information. This act updates the existing privacy and data breach notification laws and requires organizations to have specific measures in place to mitigate risk when breaches occur and to take other measures to ensure that personal information is protected. This act differs from other regulations in that any unauthorized access to this information is considered a breach, not just the loss or exfiltration of the data.
The most effective means to prevent the loss of or unauthorized access to personal data is not to have it in the first place. Effective data retention programs start by understanding both the types of data acquired and retained and the time window for its use. Then, organizations can plan for the timely deletion of data when it is no longer needed, which is the very essence of a data retention program.
Data Retention Challenge #3: Biometric Data Regulations
The Illinois Biometric Information Privacy Act (BIPA) governs the use and retention of biometric data since its passage in 2008. It remains one of the toughest laws governing biometric data in the US, covering data types like fingerprints, voice prints, and vein patterns in handprints. The law creates privacy obligations for businesses that collect biometric data and confers limited rights of access to the data subjects. It also mandates protection and retention obligations. Organizations that hold biometric data on customers or other parties must take special measures to protect it.
In recent years, a consistent drumbeat of complaints and class action suits have been filed under its provisions. In 2019 in Rosenbach v. Six Flags, the court determined that no specific harm needed to be proved for the plaintiff to have standing. In 2020, in Fox vs Dakkota Integrated Systems, a firm was found to have caused privacy harm by simply holding on to biometric information for too long, even though it was properly secured, and no breach had occurred. 2021 saw BIPA cases settle for six-, seven-, eight-, and even nine-figure sums, including $615 million in a federal court. Organizations that use biometric data in Illinois face significant risks without a comprehensive data retention program.
Data Retention Challenge #4: Data Ownership
GDPR was the legislation that started the current wave of activity around data privacy. Laws such as CCPA and CPRA were modeled after its provisions. However, it is philosophically different in nature. In the EU, the underlying premise governing the regulation of personal data is that the subject owns the data.
GDPR places its emphasis on the rights of individuals to control the use of their data, and to correct, delete or know what data is held about them. GDPR covers the personal data of anyone in the EU, or any personal data held by a company in the EU or governed by EU law, including employees or former employees of that company. Organizations that hope to comply with the increasing volume of privacy regulations must understand that they truly are custodians of the data—responsible for taking care of it—not its owners, free to do with it what they please.
