At the heart of the recent turmoil around privacy, with its rumored and actual fines handed out in Europe under the General Data Protection Regulation (GDPR), the wave of anticipated enforcement under the California Consumer Privacy Act (CCPA), headline-grabbing data breaches, and near-universal confusion about what compliance measures businesses can take, there is one simple fact that often goes unrecognized: no matter how complex or simple a company’s regulatory framework or its electronic systems, the confidentiality of information cannot be ensured without the adoption of a functional retention schedule through M&A advisory.
Whatever the other features and functions of a records schedule, it is impossible to protect and manage information that has not been properly identified, classified, and assigned.
Retention consistent with legal requirements — Privacy commissioners in several EU countries have quickly found that the GDPR’s general mandate not to retain data “longer than necessary” (a fundamental principle of the regulation) can only be met, and compliance thereby demonstrated, by rationally establishing a quantitative retention period that satisfies that stated criterion.
In a recent case in Denmark (supervision of personal data processing, log no. 2018-41-0015), the Privacy Commissioner audited the company’s IT systems to determine the extent to which consumer data was retained as a first step in validating the reasoning for the retention period needed.
As a second step, the Commissioner asked to see the company’s records on its data retention policy to determine whether it applied to its electronic systems (an in-depth analysis of the company’s electronic systems was performed to confirm whether customer data had in fact been destroyed).
Fines have been issued when customer data was found in electronic systems after the required retention period had expired because (1) no retention schedule was in place and (2) the data was therefore retained far too long. In this case a fine of 1.5 million Danish crowns, approximately 316,000 dollars, was imposed.
In the US, legislators are also catching up on the need for retention schedules for data protection.
In 2018, Colorado passed a new law requiring all “covered entities” (i.e., “a person . . . who maintains, possesses, or permits personally identifiable information in connection with a business or profession”) to maintain a retention policy (“develop and maintain written policies on the disposal of personal information”).
In a similar vein, the California Consumer Privacy Act (CCPA) states that the purpose of the legislature is to “enhance the privacy rights of Californians by providing consumers with an effective means of controlling their personal information…”.
Effective information control is a fundamental element of retention schedules; for companies to be able to cede this control to consumers, their own affairs must first be in order, i.e., they must protect and manage information by designating, classifying, and storing it in accordance with the law.
Moreover, privacy laws like GDPR, CCPA, and South Korea’s Privacy Law (as a country-wide example) require a second-level approach to address the structuring of information (by extension, a retention schedule).
The information must meet certain criteria to be designated as containing personally identifiable information.
These criteria are defined in slightly different ways from one jurisdiction to another, but all agree in one respect: there must be a characteristic or a combination of characteristics that allows the identification of the person, i.e., name and address, social insurance number, name and date of birth, etc. These attributes associated with personally identifiable information are often more effective when assigned by record type rather than by a broader category in a retention schedule.
For example, it is not possible to determine whether a retention schedule category such as “accounts payable” contains personally identifiable information (we can assume that this is the case, but cannot be certain) without going deeper, to the document level (e.g. customer invoices), and applying minimal criteria (does the invoice contain one or more characteristics that make it possible to identify a person?).
Therefore, this two-tiered approach is necessary for retention schedules and information governance. Each level is crucial, and this kind of structure is essential to ensure compliance with the help of an M&A advisor.
Consider the example above: for a customer’s invoice, it is necessary to be able to rely on an “accounts payable” category in the retention schedule, because we need to assign accounting rules to it in order to determine the retention period required for accounting information (assume the retention period for accounting records is 10 years; this is the value used in many EU countries). It is also necessary to establish whether the broader category contains personally identifiable information, which requires a more detailed list of the types of documents that can be “matched” to this category, because in this case,
Why is this important? Due to the requirement not to keep the information longer than necessary.
Without a retention schedule category to which we can assign a period required by law, it is impossible to define the retention requirement.
Since we have assigned the legally required retention period of 10 years to the “accounts payable” category, we now know that we must keep this supplier invoice (whether or not it contains information identifying a person) for the period required by law, which in this case is 10 years.
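The two-tiered structure described above (a schedule category that carries the legal retention period, plus a document-level test for identifying attributes) is small enough to model directly. The following Python is an added example, not code from the article or from any retention-management product: the 10-year "accounts payable" period is the value the text cites, while the second category, its 3-year value, the record-type list and the sample records are constructed for illustration. The identifying-attribute rules follow the combinations the text names (name and address, social insurance number, name and date of birth). The audit function reproduces the question the Danish Commissioner asked of the company’s systems: which records are past their period, which of those are personal data, and which cannot be assessed at all because no category applies.

```python
from dataclasses import dataclass
from datetime import date

# First tier, constructed: schedule category -> required retention in years.
# 10 years for accounting records is the figure the article cites for many EU
# countries; "customer correspondence" and its 3 years are hypothetical.
RETENTION_SCHEDULE = {
    "accounts payable": 10,
    "customer correspondence": 3,
}

# Second tier, constructed: document type -> schedule category it is "matched" to.
RECORD_TYPE_CATEGORY = {
    "customer invoice": "accounts payable",
    "supplier invoice": "accounts payable",
    "support email": "customer correspondence",
}

# Identifying attributes, or combinations of them, that make a document
# personal data. Any one matching rule is sufficient.
PII_RULES = [
    frozenset({"name", "address"}),
    frozenset({"social_insurance_number"}),
    frozenset({"name", "date_of_birth"}),
]


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date
    attributes: frozenset  # identifying attributes actually present in the document


def contains_pii(attributes):
    """Document-level test: does any identifying rule apply to these attributes?"""
    return any(rule <= attributes for rule in PII_RULES)


def add_years(d, years):
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record):
    """End of the legally required period, or None when the record type is not
    matched to any category (then no retention requirement can be defined)."""
    category = RECORD_TYPE_CATEGORY.get(record.record_type)
    if category is None:
        return None
    return add_years(record.created, RETENTION_SCHEDULE[category])


def audit(records, today):
    """Classify each record: still within its period, past it (personal data or
    not), or impossible to assess because it is unclassified."""
    findings = {}
    for rec in records:
        deadline = retention_deadline(rec)
        pii = contains_pii(rec.attributes)
        if deadline is None:
            status = "unclassified"            # no category, no defined period
        elif today <= deadline:
            status = "retain"                  # required period still running
        elif pii:
            status = "expired-personal-data"   # destroy or anonymize promptly
        else:
            status = "expired"                 # dispose according to the schedule
        findings[rec.record_id] = {
            "category": RECORD_TYPE_CATEGORY.get(rec.record_type),
            "deadline": deadline,
            "pii": pii,
            "status": status,
        }
    return findings


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    Record("INV-001", "customer invoice", date(2010, 3, 1), frozenset({"name", "address"})),
    Record("INV-002", "customer invoice", date(2015, 5, 10), frozenset({"name"})),
    Record("INV-003", "supplier invoice", date(2009, 1, 15), frozenset()),
    Record("DOC-004", "board memo", date(2012, 7, 7), frozenset({"name", "date_of_birth"})),
]

if __name__ == "__main__":
    for rid, f in audit(SAMPLE_RECORDS, date(2021, 6, 1)).items():
        print(rid, f["category"], f["deadline"], "pii" if f["pii"] else "no-pii", f["status"])
```

Note that a name alone does not trigger a rule in this model (INV-002 stays "retain" with `pii` false), while a document type with no category (DOC-004) gets no deadline at all even though it plainly carries identifying data: that is precisely the situation the article says makes the retention requirement impossible to define.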
It is now apparent that attempting to perform all these calculations without a retention schedule is virtually impossible. The retention schedule serves both as a compliance tool and for compliance documentation purposes.
If a business wishes to retain its accounts payable records for more than 10 years, it will be required to provide justifiable reasoning for doing so (such requests for an extension of the retention period may be filed with the Privacy Commissioners for approval, which is strongly recommended, particularly for the retention of consumer data), or it may anonymize the information or destroy certain types of documents containing personally identifiable information. All in all,
So rather than remaining dumbfounded and taking no action in the face of the alarming complexity of the many privacy laws (and I don’t disagree that these laws are often confusing), take these relatively simple measures: ensure that your organization has a retention schedule (with the required second-level document support) and ensure that it is used uniformly and consistently across your organization.