The Impact of Data Protection Laws on Your Records Retention Schedule
It is essential that your organization’s records retention schedule is compliant with the data protection requirements in the jurisdictions where your organization operates. This task may seem overwhelming since jurisdictions around the world are enacting new laws, regulations, and requirements; and organizations are continuing to expand their jurisdictional footprint. The purpose of this article is to remove the fear and intimidation of domestic and global data protection laws and show how these laws and requirements are consistent with the existing objectives of your records retention schedule and information governance policy.
Definition and Purpose of a Records Retention Schedule
The records retention schedule is the foundational document for a records management program. The records retention schedule is a policy that identifies the types of records created and/or retained by an organization. These records are typically organized by grouping them by function or department and then described as either an individual record or grouped together into a record category. The records retention schedule then defines the retention period for those records. Once the record is retained for the defined retention period, the record is then disposed of.
In addition to complying with legal requirements associated with records retention, a records retention schedule addresses the organization’s need to retain information of value and dispose of records that have little to no value. By doing this, an organization retains necessary business information while saving money and resources by disposing of unnecessary information that would otherwise drive up the cost of storage, data migration, and litigation.
Data protection laws, regulations, and rules control the collection, use, transfer, and storage of personal and sensitive information. Personal data protection requirements may be issued by federal, state (provincial), or local governments. In some cases, the laws or requirements are targeted for specific industries by regulatory agencies or non-governmental business associations.
Countries and organizations within the European Union (EU) must comply with the requirements of the General Data Protection Regulation (GDPR) [1]. Many countries outside the EU have created and implemented their own data protection laws that are similar to the GDPR [2]. For instance, Canada has a data protection law [3] and is currently considering a new data protection law that places even more restrictions on the retention and use of personal data than the GDPR [4].
The United States does not have a federal data protection law that protects all consumers. Certain sectors, such as banking, financial services, health, and insurance, have their own data protection and privacy requirements. More recently, state governments began implementing data protection laws consistent with or similar to global requirements. These states include California [5], Colorado [6], and Virginia [7], with other states considering similar data protection laws.
Understanding the Changes
All these laws, regulations, and rules may seem overwhelming at first. There are many data protection laws, and they appear to be changing at a rapid pace. However, the laws and requirements are converging in their approaches and are working toward the ultimate objective of a records retention schedule: to retain records of value and dispose of information with little or no value.
With regard to the records retention schedule, organizations can look at four specific areas. These areas are relatively consistent across jurisdictions and between the various laws. These four areas are the following:
- Definition of Personal Data: Personal information is generally defined as “any information relating to an identified or identifiable natural person.” [8] This is the GDPR definition, and other countries have similar broad definitions of personal data.
- Limited Retention of Personal Data: One goal of data protection laws is to limit the retention time of personal data. While a few countries provide specific guidance on retention periods, most laws state that retention should be limited to “no longer than is necessary.” [9]
- Data Subject Requests: Individuals have the right to know what personal information an organization retains, and they have the right to request deletion of that data unless there is a legitimate purpose for retaining that information. A data subject request is an action by an individual to exercise that right, and the organization has an obligation to respond to that request [10][11].
- Enforcement of the Laws: Enforcement has been primarily focused on consumer or non-financial employee data (e.g., resumes, personnel files, video/call recordings). Typical examples of where organizations have been fined or sued involve policies that do not exist, are outdated, or are not applied; unsolicited marketing using personal data; inappropriate use of surveillance cameras; failure to respond to data subject requests; or inadequate responses to data breaches involving personal data [12].
Making the Records Retention Schedule Compliant with Data Protection Laws
Now that it is clear the laws and requirements are converging across jurisdictions, your organization can take the following actions to ensure your records retention schedule is compliant with data protection laws.
- Update Your Retention Schedule: Your records retention schedule should reflect your organization. This means it should contain the records created and retained by your organization and the jurisdictions where you operate. Furthermore, the records retention schedule should apply to all records, regardless of media (paper and electronic records).
- Retention Times and Disposition Times: The time identified as a retention period should also be considered a disposition time. A retention time is not a minimum time, but the time in which the record is retained and then disposed of.
- Identify Categories with Personal Information: Knowing which categories contain personal information will assist organizations in identifying the risks and the purpose for which the personal information is retained. Organizations should place a special focus on consumer and non-financial employee data.
- Limit Retention Time of Personal Data: Organizations should understand and delineate the purpose for which the personal information is collected and retained. This purpose may be a retention law or regulation, a legitimate business purpose, or the consent of the individual. Once that purpose is understood, organizations should limit the retention of those records to that purpose.
- Identify and Correct Unreasonable Retention Periods for Personal Data: Unreasonable retention periods may include excessively long retention periods that are not based on a law or the product/service provided to the consumer. This may also include the use of event codes that are subjective or difficult to define in practice or retention periods that are correct in theory but impossible to implement. Organizations should be able to articulate the reason for a retention period, especially if those records include personal information or data.
- Add Personal Data Protection Records to Records Retention Schedule: Users of the records retention schedule should be able to identify retention and disposition rules applicable to breach notifications, consumer consents, data subject requests and responses, privacy policies and procedures, and video/audio recordings.
While data protection laws are expanding, and the fines are real, the reality is that data protection laws are merely reinforcing the fundamentals of the records retention schedule. Records retention schedules identify the records created by an organization and establish rules for retaining and disposing of that information.
No organization should retain information that has no or little value. Excessive retention leads to higher storage and legal costs and the inability to find useful information. Data protection laws provide that additional incentive to dispose of information to achieve and support the fundamental objectives of good records and information management.
By understanding what is generally defined as personal data, the legal limitations associated with the retention of personal data, the need to respond to data subject requests, and the areas of high risk for fines or litigation, organizations can take effective action on the records retention schedule in full compliance with data protection laws.
This may result in an updated records retention schedule to ensure it reflects the actual organizational records, applies to all media types, acts as a policy to retain and dispose of information, identifies records with personal data, limits the retention periods for those records, and incorporates records types applicable to data protection laws. In conclusion, the impact of data protection laws is not a more complicated records retention schedule, but rather support and reinforcement for the records retention schedule and its core purpose.
[1] General Data Protection Regulation. 2016. 2016/679 (EU, April 27). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
[2] DLA Piper. Data Protection Laws of the World. Accessed March 13, 2022. https://www.dlapiperdataprotection.com/.
[3] Personal Information Protection and Electronic Documents Act (PIPEDA). 2000. S.C. 2000, c. 5 (Senate and House of Commons of Canada, April 13).
[4] Consumer Protection Privacy Act. 2020. Bill C-11, Sec. 53n (Canada House of Commons, December 2).
[5] California Privacy Rights Act (CPRA). 2023. Cal. Civ. Code § 1798.105 (State of California, Effective January 1, 2023).
[6] Colorado Privacy Act. 2023. Colo. Rev. Stat. § 6-1-1308 (State of Colorado, Effective July 2023).
[7] Virginia Consumer Data Protection Act. 2023. § 59.1-577 (State of Virginia, Effective January 1, 2023).
[8] General Data Protection Regulation. 2016. 2016/679, Art. 4 (EU, April 27).
[9] Id., Art. 5(e).
[10] California Privacy Rights Act (CPRA). 2023. Cal. Civ. Code § 1798.105 (State of California, Effective January 1, 2023).
[11] Brazilian General Data Protection Law (LGPD). 2018. Law No. 13.709, Article 19 (Brazil, August 14).
[12] GDPR Enforcement Tracker. Accessed March 3, 2022. https://www.enforcementtracker.com.
About the Author
- Tom Corey is a Director with HBR Consulting’s Information Governance Team. Much of Tom’s work involves assisting organizations in developing information governance policies and records retention schedules that are compliant with domestic and international laws, regulations, and data privacy requirements. Tom is an attorney, licensed in North Carolina, and a Certified Records Manager (CRM) and Certified Information Privacy Professional (CIPP / US). In 2021, Tom received the Britt Literary Award for an article published in IM Magazine. Tom has served as an ARMA Chapter President for the Charlotte – Piedmont Group and is a frequent speaker at international and local ARMA events.