I was working with clients this week and one of the topics that came up was data-retention periods. My part included educating them on what the law requires for personal information. Actually, the law is quite simple: You can only keep personal information for as long as it is necessary to fulfill the purpose for which you collected it. The difficulty, of course, is operationalizing that concept.
Around the table were business, marketing, sales, IT and privacy folks. Each had their own unique perspective, as I’m sure you might imagine.
One argument put forward was that the information is needed indefinitely because it was at least in part collected to help the organization do its business better. That means always having at its fingertips all the records that allow it to analyze the ins and outs of its programs, perhaps in ways it hasn't even determined yet. I'm not too sure our regulators would agree with this reasoning.
Another topic that came up during the discussions was how an organization might be able to keep historical data in some de-identified form. Again, you might imagine the direction of the conversation when we started talking about the theory and practicalities of de-identification. The IT folks were partly intrigued by the challenge, but also wondering about the manpower necessary to get this done right.
All in all, I’m glad to have been part of the discussions. Frankly, I think retention and disposal are a couple of issues that merit further attention, so it's great that these folks are paying attention to this area. And I’m sure their work on this will only continue, because there’s one thing I know from doing privacy for the past 20 years … things are always changing and operationalizing our laws will always be a difficult task. A task worth tackling, mind you.
Have a great weekend.