As a business owner, you’re probably well aware of data breaches, some of their causes, and the business implications. It seems like another company is hit every day and that they spend the following months explaining what happened and dealing with the fallout.
After a breach, companies may struggle to compensate victims, regain customer confidence, and assure regulators that they have updated the company’s data practices. Breaches can even linger in public consciousness years later.
Though lapses in cyber security are often to blame, breaches are not always just a matter of lax protections or sophisticated hackers. Many times, a data compromise illuminates the question: Should that data have been stored in the first place?
“If you’re caught not destroying data, people could lose trust in the organization. The reputational damage is hard to come back from,” says Angie McHodgkins, associate director, data policy governance at RBC.
Whatever the data your company collects, you probably must keep it for a certain amount of time and destroy it immediately thereafter to avoid legal repercussions and public exposure. Data retention and destruction are key to protecting your data.
A data retention policy provides practical benefits as well as legal ones. Implementing policies for keeping and destroying data helps your business comply with regulations, maintain customer confidence, and operate efficiently.
How businesses benefit from data retention policies
“Any time you are dealing with people’s data, you’re likely to have regulatory requirements,” McHodgkins says. A data retention policy establishes rules for storing and destroying information per those various requirements, which collectively cover the personal information of employees and customers as well as other sensitive data like supplier records and transaction histories.
You also may improve information accessibility with a policy. “It allows for a consistent approach to how you organize, retain, and manage your data,” McHodgkins says, referring to RBC’s policies.
Retaining data takes up physical and digital space. Consistently destroying data can free up storage on your systems, thus allowing them to run faster and produce results sooner. You may save money as well because you would store less information by destroying data at the appropriate times.
“The cost to protect data is astronomical. The more data you have, the more data you have to pay to protect,” McHodgkins says.
Perhaps most importantly, implementing a data retention policy and sticking to it may help mitigate the damages if you suffer a data breach. “Regulators want companies to destroy data and follow their retention schedules,” McHodgkins says. “A breach could cause regulators to see data was over-retained.”
Regulators have historically fined companies upon finding that they did not have procedures for destroying data as required by law or that they did not follow the established procedures. Breaches have also prompted more regulations.
Privacy regulations raise the stakes
“Retention is getting a lot more visibility because of privacy protection laws like GDPR,” McHodgkins says, referring to the General Data Protection Regulation implemented in 2018 by the European Union.
Though the GDPR was implemented in Europe, it applies to businesses worldwide. GDPR covers any business that has employees in the European Union, sells goods or services there, or collects or processes personal data from its residents. GDPR challenges Canadian companies to change business operations across the organization, involving business functions like technology, marketing, and customer service, as well as data management teams.
“What GDPR did was say, ‘Your potential for fines is huge.’ That got companies listening,” McHodgkins says.
Closer to home, Canada’s anti-spam legislation (CASL) is also known for being strict. Focused on “commercial electronic messages” like emails and texts, it requires any business that sends such messages within, to, or from Canada to first obtain a recipient’s consent, and it imposes penalties for non-compliance. Just as GDPR enforcement does not stop at the European Union’s borders, CASL is not restricted to businesses within Canada.
Compliance begins with knowing requirements
Knowing what regulations apply to your company is the first step in creating a data retention policy that complies with those laws. “It starts with understanding who regulates your business and how,” McHodgkins says. At a financial institution like RBC, for example, that could include separate regulators for banking and securities trading as well as general business laws.
Your location also affects the data requirements. “You have to know what you do, where your employees are, and where your legal entities are,” McHodgkins says.
If you have multiple locations or do business beyond a single jurisdiction, you probably have to comply with the requirements of more than one regulator. If, for instance, you are based in Ontario you will be subject to provincial laws as well as federal regulations. Municipal bylaws could apply as well. Additional layers of regulations may be added for each office location or business market you operate in, weaving an intricate web of requirements that your data retention policy must meet.
And satisfying laws is only part of a data retention policy. “In the retention world, we juggle regulatory requirements. We juggle business requirements. And we also juggle that with industry best practices,” McHodgkins says. “You have to look at all three. In some cases, there may not be a specific mandate but the industry may recommend something.”
Best practices may make following your policies easier
You must also separate what you want to retain from what must be retained. Sometimes employees want to collect more data than necessary for a project and retain it longer than needed. This creates additional storage costs as well as complexities in separating data according to your regulations.
“Knowing what the requirements are when you start will alleviate so many headaches later,” McHodgkins says. If, for example, you gather data from the United States, United Kingdom, and Canada, you could organize it so that each data set complies with your retention policy for that particular jurisdiction. If you merge all the information, it might be difficult — and costly — to separate the data and confirm compliance based on regional requirements.
Your company could have multiple data retention policies, and you would have to comply with all of them. You must also assign responsibilities for retaining and destroying data as required by each policy.
Additional data retention policy best practices include:
- Considering types of data when creating a policy
- Deploying a data archiving system
- Allowing for extended data retention in the event of litigation
- Creating a detailed version of your policy for regulators as well as an easier-to-understand version for employees to execute
Much depends on how well your employees follow your policy. “If something reaches its limit, it should be destroyed,” McHodgkins says.
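The rules above (organize data by jurisdiction, comply with every applicable policy at once, extend retention during litigation, and destroy data once it reaches its limit) can be enforced mechanically rather than left to memory. The following is an added example, not code from RBC or from the article: a small retention-schedule checker that, given records tagged with the jurisdictions whose rules apply, picks the longest applicable retention period so that all policies are satisfied, lets a legal hold override destruction, refuses to guess when no rule exists for a record, and records a reason for each decision so the outcome is auditable. The schedule values, data types, jurisdiction codes and sample records are constructed placeholders, not legal requirements.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: days to retain per (jurisdiction, data type).
# These numbers are illustrative placeholders, not actual legal requirements.
RETENTION_DAYS = {
    ("CA", "customer_record"): 365 * 7,
    ("CA", "marketing_consent"): 365 * 3,
    ("UK", "customer_record"): 365 * 6,
    ("US", "customer_record"): 365 * 5,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    jurisdictions: tuple   # every jurisdiction whose policy applies to this record
    created: date
    legal_hold: bool = False  # set when litigation requires extended retention


def retention_deadline(record: Record) -> date:
    """Return the last date on which the record may still be kept.

    When several policies apply, the record has to satisfy all of them,
    so the longest retention period wins. A missing rule is an error:
    silently keeping (or destroying) data without a rule is exactly the
    over-retention problem a policy is meant to prevent.
    """
    periods = []
    for jurisdiction in record.jurisdictions:
        key = (jurisdiction, record.data_type)
        if key not in RETENTION_DAYS:
            raise KeyError(f"no retention rule for {key}")
        periods.append(RETENTION_DAYS[key])
    if not periods:
        raise ValueError(f"record {record.record_id} has no jurisdiction tag")
    return record.created + timedelta(days=max(periods))


def classify(records, today: date):
    """Decide keep / destroy / hold for each record, with the deadline as the reason.

    Returns a list of (record_id, action, deadline) tuples suitable for an audit log.
    """
    decisions = []
    for rec in records:
        deadline = retention_deadline(rec)
        if rec.legal_hold:
            action = "hold"          # litigation hold overrides the schedule
        elif today > deadline:
            action = "destroy"       # limit reached: must be destroyed
        else:
            action = "keep"
        decisions.append((rec.record_id, action, deadline))
    return decisions


def destruction_list(records, today: date):
    """Just the record ids that are due for destruction today."""
    return [rid for rid, action, _ in classify(records, today) if action == "destroy"]


if __name__ == "__main__":
    # Constructed sample records for demonstration.
    sample = [
        Record("r1", "customer_record", ("CA",), date(2015, 1, 1)),
        Record("r2", "customer_record", ("CA", "UK"), date(2019, 6, 1)),
        Record("r3", "customer_record", ("US",), date(2015, 1, 1), legal_hold=True),
    ]
    for rid, action, deadline in classify(sample, date(2024, 1, 1)):
        print(f"{rid}: {action} (retention deadline {deadline})")
```

The checker deliberately fails loudly on a record with no matching rule; in practice that exception should land in a ticket queue for the data-governance owner rather than be caught and ignored, since an untagged record is the one most likely to be over-retained.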
If you were to suffer a data breach and regulators were to find that data had not been destroyed as required, not only could you be fined, but you could also lose the trust of your customers and employees. You may then have to spend years restoring your company’s reputation and rebuilding your business.
This is why creating and following a data retention and destruction policy is an important step in protecting your business and your customers.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.