Summary: Data privacy laws are growing at a rapid speed. Since 2017, five states in the US have already enacted their privacy laws, with more to follow suit. A dominant element of these laws covers the retention and disposal of data, which every business must understand before starting the compliance process. This blog provides insight into the need for data retention and disposal in the age of growing data privacy laws.
“Every company has big data in its future, and every company will eventually be in the data business,” Thomas H. Davenport, acclaimed professor, and author. These words seem almost prophetic when we see the incredible speed at which we generate, process, and store data. The market estimates that by 2030 we will have around 572 Zettabytes of data which is about ten times more than today. Businesses are spending billions to protect this data from being compromised. Yet, yearly losses have been mounting, and the average cost of a data breach has reached a staggering $4.24 Million per incident. Cases of cyber-attack, data leakage, data breach, and misuse profoundly impact business sustainability.
The increasing severity of these attacks has prompted many governments to enact strict data privacy and protection laws. With existing acts like the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and additions of the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), New York Stop Hacks and Improve Electronic Data Security Act (SHIELD) and Virginia Consumer Data Protection Act (VCDPA), a clear trend of growing data privacy laws is visible. Growth in data collection and storage, the rising cost of data breaches, and strict mandates of data protection laws have contributed to a critical need for implementing a robust data retention and disposal policy for all businesses.
What is Data Retention?
Data retention can be defined as the process of storing data for a specific time as required by business or compliance requirements. It is a critical part of policymaking as data retention policy outlines the efficacies of managing and storing data to ensure operational efficiency, meeting compliance, and legal requirements. Data Retention guidelines feature extensively in data privacy laws. For example, GDPR mandates data retention for businesses to retain data as long as it serves the purpose of data collection. The laws that followed GDPR align closely with it and have similar requirements for retention. The latest amendment to CCPA, the CPRA, will come into effect in July 2023 and requires organizations to disclose the period businesses will retain the data or the criteria used to decide retention.
Similarly, Virginia’s CDPA to be effective from January 2023, the New York SHIELD Act, and the privacy law enacted in the states of Utah and Connecticut all specify data retention mandates for businesses to retain data for as long as it serves the purpose of collection and to permanently delete or erase such data that are redundant and may infringe the privacy of data subjects. Data retention is a major aspect of existing and emerging data privacy laws. For example, the laws require businesses to ensure data minimization (to collect only necessary data), purpose limitation (to use it only for the purpose it was collected), and data storage (to store data only till the time it is necessary to fulfill the purpose of collection).
What is Data Disposal?
Data disposal is the final step in the data lifecycle when the data is disposed of through data destruction. When data is disposed of using the logical technique of data destruction or erasure, it destroys the data and renders recovery impossible. It is an important aspect of safeguarding the data from leakage, breaches, and data protection from cyber-attacks. Data destruction is a compliance requirement under various privacy and protection laws. For example, CCPA gives consumers the right to have their data deleted. The company must comply with the request to delete by following data disposal guidelines. The data disposal must render the data unrecoverable and be done within a stipulated time. Similarly, according to Article 17 of the GDPR, the data subjects are granted the right to have their data (Personal Information) deleted. The law also stipulates that the deletion request is honored without delay, usually 30 days.
GDPR laid the framework for global data privacy laws that followed it. The guiding principle for data disposal is the “right to erasure” & “right to be forgotten”. It mandates businesses to honor the request in a time-bound manner and ensure the disposal is secure and beyond recovery. The data disposal must also be certified to ensure compliance by maintaining a verifiable audit trail. The recommended method of digital data disposal is using a software-based approach, which overwrites the data, renders it completely unrecoverable, and promotes media reusability. NIST 800-88 guidelines for media sanitization introduced a crucial element in data disposal: verification and certification of data sanitization. BitRaser data erasure software is an ideal solution that securely erases the data, verifies the erasure, and generates tamper-proof certification ensuring compliance with GDPR, CCPA, HIPAA, and other global data protection laws.
Benefits of Robust Data Retention and Disposal Policy:
Businesses benefit immensely from having a data retention and disposal policy as part of overall data management. It prepares an organization to implement best practices of data protection and safeguards against threats:
- Lower Risks: Retention of necessary data combined with a data destruction policy reduces the data footprint across the organization. This reduction in data diminishes the area in which an attack can be launched.
- Reduced Costs: Implementing a policy that generates verifiable trails reduces overall security controls and overhead costs of audits. Secure and permanent data erasure also increases the utility of media devices.
- Promotion of Circular Economy: It promotes reusability that reduces asset costs and risks associated with data leakage and promotes a circular economy that, in turn, reduces the environmental footprint.
The benefits of a robust data retention and disposal policy are far-reaching regarding meeting compliance, increased security, protecting the brand value, increased customer confidence, and safeguarding from the risks of fines and penalties.
However, it requires careful planning and strategizing as a requirement for an organization to dispose of data does not rule out the necessity of data retention. This conundrum can be a challenge for organizations seeking compliance with international laws. Organizations must weigh the legal, business, and cross-border compliance and industry requirements before finalizing the policy.
Fines & Penalties: Consequences of Non-Compliances:
Data privacy laws are very strict on non-compliant organizations and can levy heavy fines and penalties that can be detrimental to the company’s future. A few examples of fines where retention and disposal guidelines were not followed are mentioned below:
- On 22nd June 2022, Denmark’s DPA levied a fine of Euro 134,000 on Gyldendal A/S for violating Article 5.1 (e) of GDPR and keeping the data of 685,000 unsubscribed members of its book club for longer than necessary.
- UK DPA fined Clearview Al Inc. EUR 9 million on 18th May 2022 for violating Article 5.1 (e) and others by not providing a data retention policy that made the company unable to ensure that data was not held for longer than required.
- The Spanish DPA fined Google LLC EUR 10 million on 18th May 2022 for violating Article 17 of GDPR by not providing data subjects any scope of exercise their right to erasure.
- Italian DPA received numerous notifications against TIM (Telecommunications Operator) for violating numerous guidelines regarding data retention under Article 5 and data deletion under Article 17. As a result, the company was fined EUR 27.8 million on 15th Jan 2020.
These examples highlight the importance of data retention and disposal for organizations and the urgency to implement them.
Data Retention and Disposal- The Time to Act is Now
Countries are reeling from the effects of data breaches and cyber-attacks, resulting in the loss of billions of dollars in fines, penalties, and revenue. The emerging data privacy laws are levying heftier fines on non-conformity, non-compliance, and lackluster handling of cyber-security and data protection directives. The need of the hour is to understand the privacy laws, what they mean for a business, and how to implement the best practices to ensure compliance and safeguarding of data. A lack of knowledge makes businesses more vulnerable to regulatory fines, penalties, and unintentional data breaches. In addition, data retention and disposal requirements today have become complex. Businesses must remain a step ahead by being aware, having a documented data retention and disposal policy, and crafting compliance SOPs within the organization to ensure adherence to data protection laws. Contact us today for your disposal needs and learn how a professional and certified data erasure solution can keep you a step ahead of compliance needs.