Data Protection Report - Norton Rose Fulbright

This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.

Why should this be a high priority project?

Increased regulation and enforcement action

In 2019, we saw regulators put a renewed focus on how long businesses retain personal information.

The most significant action came in October, when the Berlin Commissioner for Data Protection and Freedom of Information issued a €14.5million fine against German real estate company, Deutsche Wohnen SE, relating to the excessive retention of personal data. This sends a clear message that organisations can no longer ignore their obligations relating to data retention. The authority claimed a violation of data minimisation and privacy by design principles under the EU General Data Protection Regulation (GDPR).  

Over in Denmark, the Danish data protection authority also imposed fines against two companies.  The first was against taxi company Taxa 4×35 which was fined €160,000 for failure to justify why certain of their customers’ personal data was retained.  The second was against a furniture company, IDdesign A/S, which was fined approximately €200,000 for unlawfully retaining data in legacy systems and not having an appropriate data retention policy in place.

However, this is not a new concern or one limited to the EU or the GDPR.  In the U.S., the Federal Trade Commission has long recommended that companies properly and promptly dispose of personal information once it is no longer necessary to retain it for legal or business reasons.  Likewise, the New York State Department for Financial Services regulations requires relevant entities to have appropriate record retention policies and procedures.

Over on the west coast, the California Consumer Privacy Act will also incentivise businesses to implement proper information governance programmes to minimise the costs of data access requests, provide exemptions to deletion requests, and reduce exposure to cyber incidents and  potential private rights of action.  This underpins that data that has been disposed of properly cannot be accidentally misused or improperly accessed.

How should businesses change their attitudes towards data retention?

For a long time companies have been more focused on the risk of losing data than on retaining too much data.  Understandably, they saw the significant penalties for failing to either (1) retain the documents they were obligated to retain by statute; or (2) take reasonable steps to preserve information reasonably relevant to potential litigation or investigation.  Companies may have understood that there were costs to over-retention, such as increased discovery costs, but these seemed to pale in comparison to the sanctions for failing to retain what you had to keep.

This led companies to err of the side of over-retention.  In the information age, where the amount of data created, transmitted and collected is increasing at an exponential rate, this caused businesses to become hoarders of data and documents.  This was exacerbated by busy employees who feared not having information they might need in the future and hence retaining material “just in case” they would need it later.

This cannot be the default any more as data protection laws’ requirements and cyber concerns counterbalance these other risks.  Businesses need to find a solution where they keep what they need for legal and business reasons and dispose of data that has little or no value  in a more critical, risk based way. Retention can also be justified under data protection laws, where there is a business need. Companies, however, need to define the applicable periods and have measures in place to delete data after the period ends. The Berlin authority did not complain about a specific retention period, but about a lack of thought as to the need to have one.

But the changing legal climate can only be reflected if there is guidance and support from the top. Therefore, senior management need to be briefed on the risks of over-retaining and convinced of the benefits of deleting data.

A policy or standard needs to be set, which is then explained by training and is measured.  There needs to be recognition that everyone has a day job and people cannot be expected to spend time sorting out and managing data and records alongside their other duties.  This is why the policy and its schedules must be simple and practical – but at the same time granular enough to reflect different purposes for which the data was originally collected.

What are the key things to remember when approaching a data and records retention project?

  1. Don’t let the perfect be the enemy of the good. This is an incremental process which will help reduce risk over time.
  2. Bring in stakeholders from across the business who have a vested interest in tackling this issue, including: (1) privacy professionals who are looking to reduce the amount of personal data held; (2) record retention specialists who want to ensure good life cycle management of records and information;  (3) information security experts who want to reduce the impact of cyberattacks; (4) the IT department wishing to reduce the strain on the IT systems and the cost of supporting legacy platforms; and (5)  the legal team which – especially in the U.S. – wish to reduce the cost of responding to discovery in litigation and investigations.
  3.  Don’t limit the project to official records and records with prescribed statutory retention periods – organisations hold a lot of information in a lot of different systems – all of which need to be addressed, including email and other e-communications.

How do you build an effective information governance program?

A good information governance program requires at least three things: (1) a policy; (2) a time line or schedule; and (3) ongoing training and accountability.

Data is not just a risk.  It is a crucial asset of the business.  A business should have a policy about how it wants its employees to treat this asset.  It should address how employees may create, store, transmit, protect and dispose of data.  While large, highly-regulated companies can have multiple policies that address every nuance of data governance, not all companies need such a complex framework. However, without guidance, each employee will manage their data in their own idiosyncratic way – leading to unmanageable “data graveyards” as criticised by the Berlin authority.

Not all data in the business should be treated the same way and kept for the same period of time.  The record retention schedule should categorise the information and provide guidance to  employees on how long they should keep certain data.  We discuss this in more detail below.

If a company simply creates and issues a policy and a schedule and does not train its employees or hold them accountable, then it will not change their behaviour or improve data governance.  Information governance must be an ongoing programme which is valued by senior management.  Those in charge of these projects must be given the budget and authority to train employees and hold them accountable for their data governance practices.

How do you keep a retention policy simple and practical?

Without oversimplifying matters, keep the retention schedules (i.e. the part that sets out how long records need to be retained) as simple as possible .  Employees can only keep track of a handful of rules and requirements.  Break up the schedule by department and work to place as many official records into discrete locations (Systems of Record) as possible.

There are hundreds, if not thousands, of laws that impose statutory record retention periods. It is often impossible to manage data retention on such a granular level.  The good news is that many of these requirements can be grouped together with similar documents having relatively similar retention periods. Also defining the purpose for processing of personal data allows some flexibility to group data together as required.   Using “big buckets” to group types of records at a high level, though not perfect, is much easier to manage and can help reduce risk immensely.

Once these “big buckets” have been established, the next step is to layer on a personal data matrix.  By this we mean, considering whether there may be personal data in any of the buckets that might need special treatment, i.e. be given its own “sub-bucket”.  For example, if certain records may contain medical information, it may be appropriate for that data to be deleted sooner than the other data and information in the bucket.

Should multinationals have one global retention policy and schedule or should each country have their own?  

We have seen a variety of approaches.  There’s no “right” way, it just depends on which approach best suits your organisation from a practical perspective, i.e. which way is going to carry the most impact but also be easiest to maintain with the resource realistically available.

This could mean a global policy with one schedule of retention periods that applies to all subsidiaries across the globe.  Or it could mean separate country or regional schedules.

How should we tackle email?

Most documents, especially emails, lose their business value very quickly and there is often little to be lost in introducing automatic deletion periods after a fixed period.  This could be after one or two years. Email should not be a system of record and therefore it is important to set shorter and more ambitious time periods. However, employees have an emotional attachment to their email and many companies receive significant resistance to deleting or restricting email.  Some consider email to be the “third-rail” of information governance.

Any effort to limit email needs to be easy for the employees to implement.  They need to have a way to keep emails that have value for them and not have to spend much time or effort deleting useless emails. That being said, an increasing number of businesses are applying short retention periods to email (as short as 30-90 days) and they are reaping the benefits. In some jurisdictions, business emails need to be retained much longer – but that does not apply to all emails in the company. Again, a solution may be to ask employees to sort certain emails into discrete locations. Alternatively, documents could be only stored in a central file system and linked in an email rather than be attached.

How should we tackle data embedded in systems?

Following GDPR, many large vendors now provide systems with inbuilt, automatically triggered retention periods.  Applying this type of functionality, at least going forwards, can dramatically reduce the amount of over-retention, especially, if the data being stored in the system is uniform.

Historic data already within systems may require more thought.  It may be appropriate to phase in retention periods over a period of time so that people have time to retrieve data that they may need.

How should we tackle legacy systems / tapes?

Legacy systems and tapes can pose significant legal and business risks.  Often, there is little knowledge about what exactly is stored on legacy systems and tapes.  And, even if knowledge exists, there are usually practical difficulties in retrieving the relevant information.  They often contain considerable amounts of personal data that really should have been deleted a long time ago. So, unless the systems / tapes have actual business value or are  subject to legal hold, businesses should consider getting rid of them wholesale.

What should I do next?

  1. Make your case to senior management
  2. Get key stakeholders on board
  3. Identify the low-hanging fruit first (e.g. apply automatic retention periods to systems with inbuilt deletion functionality)
  4. Make risk based decisions. Identify which data has the most risk or sensitivity – manage it actively.  Identify which data has the least risk – manage it less.
  5. Make bold, blanket decisions where possible  (e.g. apply automatic deletion to emails).