Creating a data-retention policy for privacy requirements

Nearly all organizations create and retain personal information about individuals. Privacy rules limit how long this information can be retained. In most cases, they stipulate that personal information can be retained “no longer than necessary” for a legitimate business need. Additionally, under most privacy compliance regimes, individuals have the right to request their information be deleted or erased. These new requirements are driving organizations to examine what personal information they store, where they store it, and to impose rules limiting how long they keep it.

Personal information disposition, however, cannot operate in a silo, because other compliance rules come into play. Records-retention laws and regulations mandate that records be retained for minimum periods, even when those records contain personal information. Relevant information under legal hold must be retained. Furthermore, businesses have a legitimate need to keep both personal and other types of information.

These requirements and needs should be synchronized and codified in a data-retention policy. For most organizations, the data-retention policy should enhance their records-retention schedule. A well-crafted policy not only drives compliance but also makes policy execution much easier.
