For a long time, companies have focused more on the risk of losing data than on retaining too much data. In fact, “The Badge of Honor” seemed to land with the individual who could retrieve any document no matter how old whenever asked.
Alert!
In 2019, the Berlin Commissioner for Data Protection and Freedom of Information fined the German real estate company Deutsche Wohnen approximately €14.5 million (~$17,255,000) for GDPR violations. While performing on-site visits, the supervisory authority learned the company was storing personal and financial data of tenants in an archive system after it was no longer necessary for the purpose for which it was originally collected. The archive system did not provide a way to remove data no longer needed. The supervisory authority claimed violations of the data minimization and privacy by design principles under the GDPR. This is a clear message that organizations can’t ignore their obligations relating to data retention.
Closer to home, the Federal Trade Commission (FTC) recommends companies promptly dispose of information once it is no longer necessary for legal or business reasons. In addition, privacy deletion requests and threats of cyber incidents should incentivize businesses to implement proper information governance programs that include strong data retention policies.
Because of data protection laws and cyber concerns, keeping content “just in case” can’t be the default. Businesses need to implement solutions for keeping what’s needed for legal and business reasons and disposing of data when it no longer has business value. The Berlin authority didn’t complain about a specific retention period. They found fault in having no plan around retention and a system not designed for data deletion.
Key Approaches to Retention Decisions
With modern retention practices in focus, the “Badge of Honor” now goes to the individual who regularly keeps content for only 3 reasons: