In the not-too-distant past, data risk was seen primarily as a technology challenge. How can organizations store all the data they accumulate? How to sort and analyze it? How can they protect it from exfiltration by malicious actors, mainly outside the organization?
Over the past five years, a lot has changed. Regulatory compliance, rather than data security alone, is now the primary source of risk for organizations' data custodians. In response to the enactment of the GDPR and dozens of subsequent state, national, and transnational privacy regulations, organizations must implement compliance strategies and, more importantly, the technology and processes necessary to meet their obligations.
Effective and operational data retention is the foundation of regulatory compliance. Most organizations have a reasonable complement of data retention policies, but in practice the policies are not enforced. Data protection laws require organizations to delete data they no longer need; doing so is also a well-established security best practice, since data that no longer exists cannot be breached. Privacy laws require that personal information not be retained beyond its legitimate use or legal requirement, and more recent ones require that such retention periods be disclosed at the time of collection. Understanding retention requirements is a fundamental first step in operationalizing a data retention program. Here are four basic requirements that your organization must meet, illustrated by four specific privacy regulations, as explained in the white paper Navigate regulatory requirements with effective data retention.
Data Retention Challenge #1: Data Subject Access Requests (DSARs)
CPRA, the California Privacy Rights Act, was passed by referendum in California in November 2020 to strengthen the provisions of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. From a data risk perspective, the most important of the changes relate to obligations around the collection and retention of personal data and the requirement that organizations produce, within 45 days of a data subject's request, the personal data they hold about that subject. This data may include personal information as well as a description of how it is used and processed. Because a failure to honor these access rights is easily visible outside the organization, the impact on your brand reputation can be even greater than the penalties provided by the law itself.
To effectively respond to a DSAR, an organization must have several different technology and process components in place: a portal to receive consumer inquiries; an accurate data map or inventory that includes information about what data is stored where; the technology to collect, redact and produce the data; and data retention policies and processes to delete personal data when it is no longer needed for the purposes for which it was originally collected.
Data Retention Challenge #2: Data Protection Requirements
The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), passed in 2019, defines private information and sets out the responsibilities of organizations to protect it. The law updates existing privacy and data breach notification laws and requires organizations to put in place specific measures to mitigate risk in the event of a breach and to take other steps to ensure personal information is protected. It differs from other regulations in that any unauthorized access to this information is considered a violation, not just data loss or exfiltration.
The most effective way to prevent the loss of or unauthorized access to personal data is to not hold it in the first place. Effective data retention programs begin by understanding both the types of data acquired and retained and the time window of their use. Organizations can then plan the prompt deletion of data when it is no longer needed, which is the essence of a data retention program.
Data Retention Challenge #3: Biometric Data Regulation
The Illinois Biometric Information Privacy Act (BIPA) has governed the use and retention of biometric data since it was passed in 2008. It remains one of the strongest laws governing biometric data in the United States, covering identifiers such as fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry. The law creates confidentiality obligations for companies that collect biometric data and grants limited access rights to data subjects. It also imposes protection and retention obligations. Organizations that hold biometric data about customers or other parties must take special steps to protect it and must destroy it once the purpose for collecting it has been satisfied.
In recent years, a steady stream of complaints and class action lawsuits has been filed under its provisions. In 2019, in Rosenbach v. Six Flags, the Illinois Supreme Court determined that no specific harm needed to be proven for the plaintiff to have standing. In 2020, in Fox v. Dakkota Integrated Systems, a federal appeals court allowed a claim to proceed against a company based solely on its retaining biometric information for too long, even though the data was properly secured and no breach had occurred. In 2021, BIPA cases settled for six-, seven-, eight- and even nine-figure sums, including $615 million in federal court. Organizations that use biometrics in Illinois face significant risks without a comprehensive data retention program.
Data Retention Challenge #4: Data Ownership
GDPR is the legislation that started the current wave of activity around data privacy. Laws such as the CCPA and the CPRA have been modeled on its provisions. However, it is philosophically different in nature. In the EU, the underlying principle governing the regulation of personal data is that the data belongs to the data subject, not to the organization that holds it.
The GDPR focuses on the rights of individuals to control the use of their data, and to correct, delete or find out what data is held about them. It covers the personal data of anyone in the EU, as well as any personal data held by a business established in the EU or otherwise governed by EU law, including data about that business's employees and former employees. Organizations hoping to comply with the growing volume of privacy regulations need to understand that they are truly the custodians of the data, responsible for caring for it, and not its owners, free to do with it what they want.