Over Retention of Information
Updated: May 24
The more data a company has, ideally, the more it can understand its customers, improve its products and services, reduce costs, improve product quality, etc.
As companies collect and store more data, they also face the risk of over-retaining information beyond its useful life, which may lead to bad business decisions. People’s needs, wants, and behaviors change over time, environmental cost factors change over time, products change over time, and product usage changes over time. At some point, data will become a liability and can have negative consequences for both the company and its customers. Additionally, over-retaining information can make it challenging for companies to comply with data protection laws that require companies to delete or destroy customer data when it is no longer needed. By over-retaining information, companies put themselves at risk of violating privacy-related laws and potentially causing harm to their customers if the data is exposed.
How does over-retention happen in a company? Traditionally, most companies’ Retention Schedules had “minimum” retention periods for each type of information, which meant it must be retained for at least that long, but it could be retained longer. Additionally, retention periods were based in large part on how long a law or regulation required the information to be kept. Today, Retention Schedules should provide the exact retention period for each type of information – no shorter and no longer. The retention decision must be made by the corporation’s executive team to ensure all stakeholders’ interests are considered – legal, records, risk, privacy, IT, and business units. Furthermore, retention periods must consider business use of the information, not just laws and regulations. In many instances, information has true business value beyond what a law or regulation requires.
To avoid over-retaining information, companies can start by developing a retention policy that reflects what the company does for a living in the various jurisdictions in which it does business. That will inform what laws and regulations may be implicated. The applicability of laws and regulations and the use of data by various business units are becoming more complex with advances in technology, making it crucial for companies to inventory their data and determine how data is collected, used, managed, shared, and sold to ensure ALL data has a predictable end of life. It is also important to consider the secondary use of data when developing policies and retention schedules. As an example, data collected during a customer's application for a service or product may have multiple uses beyond its primary purpose. By understanding and accounting for these secondary uses of data in retention policies, companies can ensure a predictable end of life for all data.