Data Retention, Minimization and the Elephant in the Room
As U.S. states implement new second-generation privacy laws (there are currently 8 states – can you name all of them?), the rules regarding data retention are changing, and you might want to be prepared – unless, of course, you enjoy spending tens of thousands of dollars on lawyers to defend yourself, hours being deposed, and years of quality time with your new best friends – your privacy litigation lawyers.
Two examples of what is required by California:
- A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
- A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following: … (3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
THIS LAW GOES INTO EFFECT IN A LITTLE OVER 60 DAYS
Another requirement is to conduct and document data protection and privacy impact assessments.
These assessments have to be retained and provided to the government if they ask.
Are you ready? Do you even know where all of your data is? Need help? Call us!
Credit: Privacy World