New Data Privacy Considerations Heighten the Need for Attention to Records Management and Information Governance Practices
Information governance and records management are important considerations for all organizations. New data and documents are generated at ever-increasing rates through the normal (and “new normal”) course of business, and these data and documents must be maintained for different periods of time to satisfy their business and legal compliance purposes. With regard to legally-mandated retention requirements, certain business sectors (such as banking institutions, aviation and maritime companies, and businesses operating within the scope of federal Department of Energy regulations) are subject to record retention and reporting obligations that extend beyond those applicable to other types of organizations. Also, there may be insurance, contractual, and other considerations applicable to certain types of records that impact the period of time they should be maintained in the ordinary course of business. Finally, the need to preserve records potentially relevant to known or reasonably anticipated legal proceedings can create additional record preservation burdens on an organization.
While maintaining data and documents pursuant to these business and legal requirements, organizations benefit by disposing of data and documents that are not (or that are no longer) necessary for those purposes. Maintaining unnecessary, redundant, obsolete, trivial, and transitory data and documents can increase an organization’s costs for storage and IT infrastructure, escalate the burdens on individuals using the organization’s data and documents as they must sift through extraneous information, magnify risks and costs related to insurance against data breaches and responses to such breaches, and result in heightened costs and burdens if the client becomes involved in legal proceedings with discovery obligations.
Working with a trusted legal team to prepare and implement a sound record management policy and a legally-defensible record retention schedule is often an important step for organizations seeking to balance their need to maintain records for business and legal purposes against their goal of maximizing resources and minimizing costs and burdens by limiting retention of unnecessary documents and data. Such policies and schedules, coupled with responsible and reasonable strategies and systems for preserving records in response to particular legal proceedings, responding to requests for documents and data issued in such proceedings, and reacting to other pressing issues related to records (such as data breaches and data subject access requests (“DSARs”) under applicable data privacy laws), serve as cornerstones for comprehensive records management and information governance practices.
New data privacy laws in jurisdictions around the world, including a number of new state laws surrounding consumer data in the United States, have added urgency for organizations working to develop and improve their records management and information governance practices. The California Privacy Rights Act (“CPRA”), with relevant provisions effective on January 1, 2023, requires companies subject to the law to disclose, at or before the time of its collection, “[t]he length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.” Cal. Civ. Code § 1798.100 (2022). These provisions of the CPRA also state that “[a] business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected.” (emphasis added), supporting the fact that organizations subject to this law will need a definitive plan for retention and deletion of data sooner rather than later. Administrative fines can be assessed against companies for each violation of the CPRA, with higher fines possible for intentional violations and violations involving personal information of individuals under sixteen years of age. Cal. Civ. Code § 1798.155 (2022).
A reasonable and comprehensive records management program can also lessen the burden of responding to DSARs from data subjects seeking to access, review, correct, and delete their personal data under laws such as the European Union’s General Data Protection Regulation (“GDPR”). DSAR responses can be time-consuming and costly for organizations, which generally must respond to DSARs within a short timeline. Efforts to limit record retention to data and documents needed for business and legal purposes (and to dispose of unnecessary information on a routine basis) can make the efforts needed for DSAR responses more feasible.