Organizations carefully monitor legal requirements to ensure compliance with relevant laws and legal expectations. They establish compliance departments, audit operations, and adopt organization-wide policies and procedures to ensure employees do what is required. The risk of non-compliance is significant: it can lead to loss of rights, fines, and penalties.

Compliance and Privacy

Privacy is one of the fastest-growing compliance issues. In 2016, the European Union adopted the GDPR (General Data Protection Regulation), which became enforceable in May 2018. It was the first comprehensive privacy regulation backed by huge financial penalties for non-compliant organizations, and it applies to organizations outside the EU that process the personal data of people in the EU. Many multinational companies have committed significant funds to new privacy compliance programs to prevent the release of personally identifiable information (PII) and to honor individuals’ requests to have their personal information erased from the organization’s databases. California subsequently enacted the first comprehensive consumer privacy statute in the United States, building on a state constitution that already lists privacy among the “inalienable rights.” Other U.S. states have followed with similar laws whose requirements differ in sometimes detailed and inconsistent ways. Compliance with this patchwork of privacy requirements therefore forces organizations to commit significant funds and staff.

Privacy Compliance and Records Retention

So, what does a Records Retention Program have to do with privacy compliance? Strictly speaking, records retention is not a privacy discipline. Under a records retention program, the organization keeps records for the legally required and internal business periods and then destroys them. But when an organization systematically destroys records under a retention program, it destroys, as a natural byproduct, the personal information contained in those records. With old records and data gone, the privacy program can concentrate on more recent records. The organization therefore needs to commit less money and staff to privacy while reducing its exposure to a privacy breach: personal data that no longer exists cannot be leaked. Note that this benefit only materializes when destruction reaches every copy of a record, including backups, exports, and copies held by service providers; a record deleted from the system of record but surviving in a backup is still a breach exposure.

Some privacy laws also limit how long an organization may keep personal data, with requirements such as: “personal data may be kept no longer than necessary for the purpose for which it was collected.” While it might seem logical to keep personal data only until you ship the product or complete the task, you normally need it longer. For example, the information on a sale or invoice becomes part of your accounting system and eventually your tax return, where it substantiates revenue and expenses for a much longer period. A Records Retention Program includes legal research into every law that requires the records to be kept, and that research supplies the justification for retaining the records, personal data included, for the required period rather than only for the purpose for which the data was first collected.

While a Records Retention Program does not by itself ensure compliance with privacy requirements, it supports compliance by purging records containing personal information from internal databases and so reduces the risk of non-compliance. And establishing a Records Retention Program costs a fraction of a privacy program, while saving the privacy costs that would otherwise be needed to address the older records the Retention Program has already destroyed.

IRCH and Privacy Compliance with a Records Retention Program

The key elements of a Records Retention Program are a Records Retention Schedule, procedures for implementing the program and destroying records, and training and audits to ensure compliance with the program. Creating a legally defensible Records Retention Schedule is a finite task with a finite cost and a short development timetable. Failure to establish a legally defensible program can result in improper destruction of records, leading to claims of spoliation (improper destruction of evidence), accusations of “evil intent” to cover up wrongdoing, sanctions, fines, penalties, and loss of rights. A Records Retention Program thus ensures compliance with the myriad national and international legal retention requirements while also reducing the cost of, and strengthening, your privacy program – two benefits for the relatively low price of one!

Information Requirements Clearinghouse (IRCH) is an expert at developing records retention schedules at a reasonable price using its extensive knowledge from forty (40) years in the field. Records retention and legal requirements for business records are our only business. Contact Donald S. Skupsky, President and CEO, at [email protected] for a free online meeting and proposal customized to meet your organization’s needs.
