Best Practices for Effective Data Retention: A How to Guide

How compliant is your organization with the GDPR (General Data Protection Regulation) requirements that keep personal data only as long as needed for the purpose it was collected?  How easily could you prove your compliance if audited?  GDPR states that personal data must not be kept longer than the purpose for which it was collected and processed.  Organizations must ensure that information is gathered legally and that it’s not exploited.

Here are ten steps on how you can update your data privacy and data management practices, ensuring your organization’s compliance with GDPR’s retention policies  in the collection of personal data.

1. As part of your data retention policy, document the purpose for each data point you are collecting.  How will it be processed, at what frequency throughout the customer lifecycle and why.

2. Document and publish the trigger that will eventually initiate the deletion of each data point, and how long after the trigger the data will be actually deleted.

3. If there are any delays between the deletion trigger and the actual deletion, create documentation with specific reasons for the delay.

4. Be sure to plainly and directly share all information outlined in steps 1-3 above in your terms of service and any contract you have with a data subject (person) who is sharing their personal data with you.

5. Now you have alignment between your organization and the data subject on what data is being captured, how long it will be retained, the reasons for retaining it for this period of time and why.

6. Next you need an easy and reliable way to gain insights into your organization’s compliance data retention policy. If you cannot measure it, you cannot verify compliance!

7. The insights you need can best be surfaced, shared, and kept up to date with a data governance solution. A data governance solution lets you centrally store everything you need to know about your critical data, including compliance with your data retention policy.  All your data subject’s personal data can be regarded as critical data.

8. In the example above we see the following retention details about a critical data element.

1. 1. Its deletion trigger.
   2. Time from trigger to deletion.
   3. The related data retention policy.
   4. Where in what system the master deletion trigger resides.
   5. A description of how the deletion trigger must be interpreted.
   6. The level of compliance of each of your organization’s systems with respect to this critical data element and your data retention policy.

9. The process for calculating each system’s compliance with your data retention policy is represented visually below and should be executed against each of your systems at least once per month.

10. Compliance scores, aka. Retention Data Quality Scores, can trigger email notifications and resolution workflows whenever a score drops below your organization’s minimum acceptable threshold, which should really be 100% or extremely close to 100%. Retention data quality scores across your critical data elements and systems can be rolled up to dashboards.

These leading best practices for delivering transparency to your data retention policy, by critical data element, system, process, capability or however you would like to dimensionalize the level of data retention compliance across your organization.

Precisely Strategic Services is a team of experienced data integrity experts that is ready to help you overcome your data challenges. If you would like help achieving transparency in your data retention policies and your level of compliance then please reach out to us.

Our engagement model is, teach-to-fish, which means we will enable your teams to achieve sustained data excellence.  We will share with you leading best practices around people, process and technology for your company wide data programs.