Well, turns out I was both right and wrong in my prediction from two years ago: “For the 2020s, the dots already connect clearly – the new impetus for managing information retention and disposal will be data privacy and security compliance. Buckle up.” That prediction is indeed playing out, but far faster than I expected.
Again, we’ve always known that managing data volumes is prudent for U.S. businesses. But as a matter of pure legal compliance, U.S. federal and state laws have traditionally followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a specified minimum period, without compelling disposal. With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data. And U.S. privacy and data security laws have generally been silent on retention periods for protected information.
But that was then. As noted two years ago, a wide range of new data security and privacy laws are transforming retention schedules and data disposal from merely prudent practices into compliance requirements. And since then, as explored in this blog series, the pace has quickened, with:
- New state-level data security enforcement activity that compels data retention schedules and data disposal;
- New GLBA data security rules requiring retention schedules and disposal of unnecessary data;
- An upsurge in FTC data security enforcement actions that put data retention and disposal at center stage;
- A new biometric privacy court ruling under BIPA on data retention schedule requirements; and
- A growing wave of new comprehensive state consumer privacy laws mandating data minimization, data retention schedules, and disposal of unnecessary data.
Managing data with retention scheduling and disposing of unnecessary data are now compliance requirements for data privacy and security.
What should you do about this?
- Clarify what constitutes protected information, based on your business’s geographic footprint and scope of operations.
- Understand where protected information resides, both in your business’s data systems and through your relationships with service providers and contractors.
- Update and legally validate your business’s data retention schedule, with particular attention to legally required retention periods, including retention maximums, for records and data sets containing protected information.
- With that foundation in place, ensure that your business’s policies, contracts, privacy notices, training, and compliance systems foster compliant practices for the safeguarding, timely disposal, and other processing of protected information.
But aren’t these the same things that have always been good to do? Yes indeed. Managing records and information (more broadly, Information Governance) has been perennially prudent, particularly as our digital age has multiplied the volume and velocity of business data.
Redundant, obsolete, or trivial/transitory data (ROT) is still stubbornly pervasive. It’s not merely unhelpful – ROT escalates cost, risk, and exposure. Here’s my current favorite image for making elimination of ROT a business priority, from talented Canadian RIM professional Christine (CD) Delay:
Yet something else remains true. In the real world, what to do has never been as impactful as why to do it. In the 2000s, a powerful impetus for managing information retention and disposal was the rise of ediscovery, triggering concerns about (1) explosive litigation costs due to unnecessarily retained data and (2) the specter of spoliation sanctions if information is managed poorly. In the 2010s, an additional, new impetus was the fear of data breaches, with their resulting reputational damage, business interruption, regulatory implications, and legal exposures, all multiplied by retaining unnecessary data. And now, for the 2020s, the newest impetus for managing information retention and disposal is crystal clear – data privacy and security compliance.