By Will Fletcher — Zasio Legal Counsel
Data privacy law compliance is in large measure about showing your work. Five years into the swell of new comprehensive data privacy laws, privacy teams are getting used to ensuring their organization’s personal data activities are well documented. This means creating records—often lots of them. And for records managers, this means sorting out retention practices for all these new records.
This article identifies some key privacy law compliance records that records managers will likely encounter, and discusses how to apply classic retention principles to determine appropriate retention periods.
Types of Privacy Law Compliance Records
Article 30 of the GDPR requires organizations to maintain detailed records of their processing activities. This necessitates creating written documentation of processing activities and making them available to data protection authorities. Under CCPA, as well as a growing number of U.S. state privacy laws, organizations must analyze the risks associated with their processing activities through privacy impact assessments. Other records frequently generated through privacy law compliance include data transfer impact assessments before transferring personal data across borders, responses to data subject rights requests, breach assessments and notifications, personal data audits, and privacy-by-design assessments, to name a few.
Privacy law compliance records tell your organization’s story with respect to its personal data processing activities, such as its commitment to the letter of the law, thinking through privacy risks, respecting data subject rights, and curing defects.
Applying Basic Records Retention Principles to Privacy Compliance Records
By now we’re well acquainted with the storage limitation principle in data privacy—keep no longer than necessary. This has sent records managers scrambling to reduce retention periods for personal data. However, applying such aggressive deletion practices to data privacy compliance records can land your organization in regulatory trouble. For these, the tried-and-true general rules of identifying applicable legal requirements, and balancing risk with business need, are still largely your best practice.
Express Legal Retention Requirements
While less common than for other record types, there are still a number of express legal retention requirements that apply to data privacy compliance records. Breach investigation and notice records is a good example of where some of these can be found. Under Canada’s Breach of Security Safeguards Regulation, organizations must keep breach records for at least two years after the breach. In Iowa, state law mandates a five-year retention period for records documenting an organization’s determination that consumer notice of a breach is not legally mandated.
Another area for express legal retention requirements is under laws governing requests by data subjects to exercise data privacy rights. Under CCPA regulations, for example, an organization must maintain records of consumer requests for at least 24 months. Colorado’s Privacy Act regulations obligate controllers to retain records documenting responses to their consumer data rights requests for the same period.
While the GDPR does not specify retention periods for records of processing activities under Article 30, the subject is not without legal guidance. In 2017, the Belgian Data Processing Authority recommended keeping Article 30 records of processing activities for five years after termination of the processing activity.
But don’t let your search for legal retention requirements stop at data privacy-specific laws and recommendations. Retention periods in broader regulatory requirements can encompass records in your privacy compliance program, and where those are longer, they should be followed.
Where No Legal Retention Requirement Applies
When a record isn’t subject to an express retention requirement, records managers must balance business needs and legal risks to determine an appropriate retention period. To do this, records managers must ask how long their organization may need to justify its practices. This can mean turning to applicable statutes of limitation for guidance.
While statutes of limitations are not legal retention requirements, they’re a good measure of the time you may be called on by data privacy regulators or consumers to show compliance. Under the CPPA, administrative actions must generally be commenced within five years. The Illinois Supreme Court also in February clarified the general statute of limitations for civil claims under the state’s Biometric Information and Privacy Act (BIPA) is five years. But oftentimes, business need necessitates retention for longer than any regulatory or legal need, so whether to use an applicable statute of limitations as your retention benchmark must be evaluated on a case-by-case basis.
When setting retention periods, it’s crucial to understand the types of records your organization generates and which laws apply to these records. But knowing an organization’s specific regulatory and jurisdictional retention requirements, as well as balancing business needs and risk to determine retention periods, is something records and information management professionals have plenty of experience doing. For data privacy records compliance, it’s a matter of applying some trusted and familiar tools to a new set of records.
As privacy regulation expands, expect a lack of comprehensive privacy compliance recordkeeping to be a big part of regulatory actions. As a RIM professional, you can play a crucial role in ensuring your organization isn’t among those involved in these actions.
 Breach of Security Safeguards Regulations (SOR/2018-64) (amended Nov. 1, 2018): https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html#h-858504
 Cal. Code Regs. tit. 11 § 7101(a).
 4 CCR 904-3-6.11.