Balancing Privacy Regulations and Retention Guidelines: Access Experts Share Their Insights
Access | Information Management
Hi! Welcome to Advanced Access. This week, an insightful Q&A with Access experts on all things InfoGov. Gain industry insights into the rapidly evolving landscape of privacy regulations, as well as developments within the records management industry.
In our recent webinar, “Mission Control for Information: Balancing Privacy in the Cosmos of Records Management,” Access panelists Omero B., Senior Counsel; Samantha Poindexter, Counsel InfoGov; Adam Koonce, Legal Research Manager; and Robert P. Johnson, Engagement Manager, shared their perspectives on records retention, the rapidly evolving landscape of privacy regulations, and developments within the records management industry.
Continue reading to delve into the panel discussion and gain valuable insights from our experts.
Q: With privacy laws evolving rapidly across different regions, how do you recommend businesses stay compliant while ensuring efficient records management?
Adam: The broader your scope of business, the more likely you are to need support to ensure compliance. If you’re local or regional, you can likely manage to monitor privacy laws and legislation quarterly or annually. Contrastingly, if you are a global organization, finding a trusted partner to help you monitor the ever-evolving legislation becomes much more necessary.
Q: With different countries and regions creating their own privacy regulations, is it better for businesses to maintain separate regional retention schedules or have one global schedule that balances all these differences?
Omero: One global schedule with clearly defined exceptions is recommended. It’s more effective to have one schedule and accommodate as much as possible with the baseline retention requirement for all those jurisdictions that apply to your business. Separate regional retention schedules create confusion and can make it more complex to train employees.
Q: How do you recommend handling conflicting retention periods for different data types, especially when privacy laws like GDPR mandate data minimization and other regulations require long-term record retention?
Omero: If you have a regulatory requirement that requires you to keep information, data, or a record, then that is generally your reason for retaining it. However, it’s a balancing act; some jurisdictions will have regulations that say you are justified in retaining information for five years, while others give you stringent guidance. Work with your business leaders in that department to determine the real business needs, so you can defend your retention schedule.
Robert: Businesses must learn to navigate the complexities of these new privacy regulations, particularly regarding record retention. There are often contradictions within the laws themselves, making it crucial to understand how they impact your records, the information you collect, and how you store and dispose of information. This understanding ultimately dictates how you handle conflicting retention periods.
Q: What do you think about a redaction strategy for PII on records that require longer retention?
Adam: Moving toward electronic records simplifies the redaction process, as electronic documents allow for easier removal of sensitive information. Many laws are increasingly favoring electronic data over physical copies. However, the ability to redact varies by jurisdiction and depends on regulations concerning whether documents can be altered or must remain in their original form.
Omero: It can be an effective strategy; however, it’s sensitive to each organization depending on the business need and value. There is value behind the effort involved in anonymizing and redacting the data as long as the information will be needed for future use.
Q: What are some best practices for managing non-records, especially with an increasing focus on personal information regulations?
Omero: We’re seeing more non-records being covered in schedules to track retention and ensure compliance because of the frequency with which businesses pull data reports containing personal information. Although these reports aren’t the official record, you still want to ensure that you’re managing the lifecycle of that data, so you don’t over-retain it.
Q: Have you noticed any other significant shifts in the industry? In particular, from a traditional records management approach to a broader data lifecycle approach.
Samantha: There’s a noticeable shift in privacy laws toward a stronger emphasis on privacy and maximum retention limits. Previously, the focus was on minimum retention periods, but now organizations must balance these new regulations with the need to avoid over-retaining information.
Omero: There’s an increasing use of non-records data reports across business units within the same organization, leading to conflicts over retention periods. Different departments have unique needs for the same data, complicating retention requirements. This challenge highlights the importance of understanding the specific business needs driving the use of certain records or data, as multiple departments may rely on the same information for different purposes.
Q: Can you share any insights to help businesses determine the minimum or maximum duration to keep their records based on different laws and regulations?
Samantha: If the law applies, you must adhere to both while balancing your business needs or at least being willing to take the risk of not abiding by it. If we’re talking about a conflicting law for different jurisdictions, that’s when we call out an exception.
Q: Can you share any strategies you’ve seen as effective in balancing privacy regulations with your records management processes?
Omero: Privacy decision-making is a gray fluffy area. So, if you’re the record manager, you need to work with your privacy department, compliance department, or legal and analyze historical retention in the organization and make changes in retention schedules, as necessary.
Robert: Hire a controller who is in charge of data management and can offer an added layer of protection to stay legal and indefensible.
Adam: There’s a lot of variation in these individual state legislations that require someone who’s highly specialized in that field to recognize how these privacy regulations apply to your business operations or if it is applicable at all.
Q: What are your thoughts on AI, and what should people be aware of regarding retention and privacy?
Adam: The UK regulations emphasize protecting individuals from the effects of AI-driven decision-making. In terms of records retention, per the EU AI Act, there are specific requirements for high-risk AI applications, often necessitating retention periods of 5 to 10 years for decision-making records.
Omero: The primary focus of AI legislation is on privacy and bolstering current privacy regulations—essentially, doubling down on privacy when it comes to any AI systems you may be using.
Q: Do you recommend incorporating records protection requirements directly into the retention schedule?
Omero: Some records document your business’s procedures, policies, and response to security incidents, and those documents should have retention requirements assigned based on industry and state guidelines. The specific protection requirements are challenging to capture in the retention schedule and should live in a policy and procedures document instead.
Q: If a retention policy is based on business needs and follows the statute of limitations, let’s say privacy laws are dictating something else; which one takes precedence?
Adam: It really depends on what the privacy legislation specifically dictates. It can dictate destruction after six months, or it can dictate destruction after it’s no longer served its purpose. The language is vague because it allows you to navigate these otherwise conflicting situations, though it will lean heavily on statute of limitation most of the time.
To hear the entire discussion, tune into the recording of “Mission Control for Information: Balancing Privacy in the Cosmos of Records Management.” It promises to equip listeners with strategies for harmonizing privacy with records management in today’s data-driven galaxies.
Are you ready to improve the efficiency of your teams, lower records retention costs, and improve security and privacy? Virgo is a cloud-based legal solution that informs your privacy and retention policies by continuously updating legal research in 220+ jurisdictions worldwide. See Virgo in action by requesting a 30-minute consultation and demo.