Everything You Need To Know About Data Retention and PII

Everything You Need To Know About Data Retention and PII

2023 is set to be the year where data privacy takes the spotlight, meaning companies of all shapes and sizes will be under increased pressure to ensure they’re correctly storing, using and processing sensitive information like PII and PHI. 

While all companies want to be on the right side of compliance, meeting regulatory obligations can be more difficult for small and medium-sized businesses, which often lack internal expertise around privacy regulations and legal jargon.

To help you meet data privacy obligations and stay on the right side of the law, we’ll look at some critical data privacy topics over the course of this year, starting with data retention.

Here’s everything you need to know.

What is Data Retention? 

Data retention is the practice of storing and keeping records of data for a specific period of time. These policies are used by organizations to define how long they should keep different types of data, and to establish the process for storing, accessing, and disposing of data in a secure and compliant manner.

Data retention policies are typically designed to meet the needs of an organization, such as regulatory requirements, legal obligations, business needs, and technical constraints. For example, a company may be required by law to retain certain types of financial or personal data for a specific period of time, or may need to keep records of customer transactions for a certain number of years for business or accounting purposes.

Policies vary between organizations depending on the type of data and the purpose for which it is used. In general, data retention policies should be designed to balance the need to retain data with the need to protect the privacy and security of that data, and should be reviewed and updated regularly to ensure that they continue to meet the needs of the organization.

How Long Should I Retain Sensitive Information For? 

There is no specific time frame for how long companies are required to retain personally identifiable information (PII), which undoubtedly creates confusion. In essence, data retention is at your discretion, depending on your own data retention policies internally.

Saying this, some regulations do put in place rules around data retention. For example, the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protecting the privacy and security of certain types of personal health information, has some hard and fast rules about data retention. .

Under HIPAA, covered entities are required to retain PHI for a certain period of time, depending on the type of information and the purpose for which it is used. For example, it requires covered entities to retain certain administrative and financial records, such as billing records and payment documentation, for at least six years from the date of their creation. 

HIPAA also requires covered entities to retain certain clinical and treatment records for at least six years from the date of the last service provided, or for the minor’s age of majority plus two years, whichever is longer.

There’s also the Gramm-Leach-Bliley Act (GLBA), a US law that requires financial institutions to protect the privacy of their customers’ personal financial information. Under this law,  financial institutions are required to retain records of their information-sharing practices for a period of at least five years from the date of their creation. In addition, financial institutions may be subject to other laws and regulations that impose retention requirements for specific types of financial information, such as records related to the sale of securities or the underwriting of insurance policies.

Can I Retain Data For Too Long?

In a word, yes. Retaining data for an extended period of time can pose a number of risks if it is deemed unnecessary or unlawful. Some issues that often arise include: 

  • Security troubles: Data that is retained for a long period of time may be at risk of being accessed by unauthorized individuals or being compromised in some way, such as through a data breach. This could result in the loss or theft of sensitive information, which could have serious consequences for the organization and its customers.
  • Legal fallout: Retaining data for an extended period of time can expose an organization to legal risks if the data is not managed and protected properly. For example, the organization may be sued for failing to protect personal or confidential information, or may be found to be in violation of laws or regulations that govern the retention of certain types of data.
  • Reputational harm: Data retention can also pose reputational risks if an organization is not able to manage and protect data effectively. For example, if an organization experiences a data breach or is found to be in violation of data protection laws, it could damage the organization’s reputation and lead to a loss of customer trust.

Of course, all of these risks can be mitigated by taking a careful and considered approach to data retention.  

Getting Started With A Data Retention Policy 

For organizations that want to improve their approach to data retention, but are unsure of how to get started, looking to a managed IT provider can prove invaluable. Providers like us can help you demystify your compliance requirements and provide actionable guidance on how to meet your regulatory obligations through training, policy development and implementation, and ongoing management. 

Ready to get started? Speak to our team today.