We have seen a variety of approaches. This could mean a global policy with one schedule of retention periods that applies to all subsidiaries across the globe. Or it could mean separate country or regional schedules. Most documents, especially emails, lose their business value very quickly, and there is often little to be lost in introducing automatic deletion after a fixed period.
This could be after one or two years. Email should not be a system of record and therefore it is important to set shorter and more ambitious time periods. However, employees have an emotional attachment to their email and many companies receive significant resistance to deleting or restricting email.
Any effort to limit email needs to be easy for the employees to implement. They need to have a way to keep emails that have value for them and not have to spend much time or effort deleting useless emails.
That being said, an increasing number of businesses are applying short retention periods to email as short as days and they are reaping the benefits. In some jurisdictions, business emails need to be retained much longer — but that does not apply to all emails in the company. Again, a solution may be to ask employees to sort certain emails into discrete locations. Alternatively, documents could be only stored in a central file system and linked in an email rather than be attached.
Following GDPR, many large vendors now provide systems with inbuilt, automatically triggered retention periods. Applying this type of functionality, at least going forwards, can dramatically reduce the amount of over-retention, especially if the data being stored in the system is uniform. Historic data already within systems may require more thought. It may be appropriate to phase in retention periods over a period of time so that people have time to retrieve data that they may need.
Legacy systems and tapes can pose significant legal and business risks. Often, there is little knowledge about what exactly is stored on legacy systems and tapes. And, even if knowledge exists, there are usually practical difficulties in retrieving the relevant information. They often contain considerable amounts of personal data that really should have been deleted a long time ago.
Why should this be a high priority project?
Increased regulation and enforcement action
In , we saw regulators put a renewed focus on how long businesses retain personal information.
How should businesses change their attitudes towards data retention?
This is an incremental process which will help reduce risk over time. Bring in stakeholders from across the business who have a vested interest in tackling this issue, including:
1. privacy professionals who are looking to reduce the amount of personal data held;
2. record retention specialists who want to ensure good life cycle management of records and information;
3. information security experts who want to reduce the impact of cyberattacks;
4. the IT department wishing to reduce the strain on the IT systems and the cost of supporting legacy platforms; and
5. the legal team which — especially in the U.
You have an obligation to keep records securely for as long as they contain personal information, so you need processes in place to make sure the security is appropriate. A client asked whether all records should be kept for the same period.
The answer is no: each record will have its own period that it should be retained for. Your business records will not all be retained for the same period. Whatever period you decide to keep records for, you should create a retention schedule stating how long your records will be retained.
If there is no best practice retention period available, then put the reasoning behind your retention decision into a document so that when you look back, you know how you arrived at that length of time. By the way, display screen equipment assessments should be kept for between 40 and 60 years according to the latest guidance. How long should I keep records?
Data deletion is one of the emerging challenges to tackle since you will be in violation of the GDPR if you are holding unnecessary data or if you are holding the data for too long.