The second session at our annual Workplace Privacy Conference saw Benjamin Favaro and Joanna De Fonseka take us through how to design and successfully implement a workplace retention policy while being sensitive to the jurisdictional issues facing global employers.
Our top five takeaways are:
1. Don’t underestimate the importance of retention policies
Retention policies are crucial for managing both personal and non-personal data effectively. They ensure legal compliance, enhance operational efficiency, and reduce risks associated with data breaches, legal penalties, and reputational damage. Proper classification and management of data retention and disposal are essential to maintain data quality and support disaster recovery efforts.
2. Don’t hold onto data
Don’t hold onto data just in case it turns out to be useful. Not only does this increase storage costs, it also increases your legal exposure: purpose creep, more data being exposed if a breach does occur, falling foul of the UK GDPR/GDPR principles (in particular data minimisation and storage limitation), as well as reputational damage and possible litigation.
3. Battle of the principles
It is important to balance the need for adequate and accurate data with the need for data minimisation and storage limitation. This is a delicate balance and there is no one-size-fits-all answer. Be sure to document your decisions, as that record is evidence of your reasoning should a regulator come knocking! This balancing act is particularly pertinent in light of the rapid growth of AI systems and the retention issues involved in training AI models. Think about how you would deal with a data subject access request (DSAR) covering data used to train an AI system.
4. Engage stakeholders across your business
Retention projects usually draw eye rolls and a distinct lack of engagement, but it is important that the business understands the risks involved and the need to mitigate them. To drive engagement, focus on why retention matters for that part of the business. Does having a retention policy help them in any way? Consider what you can automate. Remember that retention is not just a legal issue, it is an operational issue too: everyone is responsible. Be practical and ensure you have any carve-outs you need, e.g. provide for longer retention where litigation is contemplated. Don’t write the policy and leave it to gather dust on the shelf: audit it, review it, update it, and make sure it works in practice and is actually followed.
5. Retention policies in a global organisation
It is well recognised that statutory retention periods differ between jurisdictions. Legal traditions differ too: codified (civil law) systems tend to favour deletion (think GDPR), while common law systems tend to favour retention (think “in contemplation of litigation”). Be practical: think about the risks and take a measured approach. Focus first on the largest systems that contain the highest-risk data.
If you have any questions please contact Benjamin Favaro, Joanna De Fonseka or your usual Lewis Silkin contact.