
Kerry Childe, JD, CIPP/US, CIPM

Senior Consultant, Contoural

Creating a Data Retention Policy to Meet Both Privacy and Record Retention Rules


Published January 11, 2025

Key Takeaways

• Privacy laws require minimizing how long personal information is retained, but business and legal recordkeeping needs are often at odds with that.
• Many retention policies fail because of a narrow focus on privacy or a lack of cross-functional collaboration.
• A unified, privacy-enabled retention schedule offers clearer guidance and stronger compliance.
• Building consensus with business units is essential for policy execution and long-term success.

When organizations come to us looking to implement or update a data retention policy, it’s usually driven by privacy compliance issues. With growing enforcement of global and domestic privacy laws, organizations are under pressure to minimize how long they keep personal information.

That’s a good reason to act, but when we dig in, the organization begins to see that privacy isn’t the only consideration, and in many cases, it’s not the most complex.

Retaining data “no longer than necessary” sounds simple, but there are multiple elements (and stakeholders) that feed into determining what that means. Regulators and business operations frequently have different opinions about what’s necessary. Organizations also have to consider legal hold requirements and general records retention compliance. Trying to meet privacy requirements without factoring in regulatory requirements or business needs is one of the fastest ways to get stuck. We’ve seen countless efforts stall out after multiple committee meetings and dead-end debates, or worse, a total failure to implement and enforce a retention policy because no business unit agrees with it.


The key to moving forward is recognizing that privacy and recordkeeping share a common objective: determining what needs to be kept, for how long, and then making sure it is disposed of when it’s no longer needed. Instead of two separate efforts, they should be a single, coordinated strategy.

Start with What You Have

Most organizations already have some kind of personal data retention policy, even if it’s an invisible part of a records retention schedule. The trick is modernizing your retention schedule to reflect privacy needs, then making the schedule easier to execute. That means going beyond just listing retention durations. A strong schedule includes a rationale for retention, identifies which records contain personal information, and spells out when the records should be deleted or destroyed.

When a client comes to us for a data retention policy, we help them determine what information they create, collect, and maintain, across systems, from databases to emails to file shares. Then we layer on the regulatory, legal, and business requirements, and match them to privacy considerations. For example, a financial services firm may be legally required to retain closed account data for seven years. Even if a customer requests deletion, that retention requirement holds. But after seven years, unless there’s a legal hold or business reason, the data should go.
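The decision logic in the example above (a regulatory minimum that holds even against a deletion request, a legal hold that suspends disposition, and disposal once the period ends unless a business reason is documented) can be written down as a small, testable rule set. The following is an added illustration, not Contoural's tooling or any client's schedule; the record classes, durations, rationales and dates are constructed, and the handling of a deletion request against a purely business-justified record is an assumption labelled in the code.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """One line of a privacy-enabled retention schedule."""
    record_class: str
    retention_years: int
    basis: str          # "legal" (regulatory duty) or "business" (operational need)
    rationale: str      # the business-justification field the article recommends
    contains_pii: bool  # flags records that privacy requests can touch
    trigger: str        # event that starts the retention clock


@dataclass
class Record:
    record_id: str
    record_class: str
    trigger_date: date
    legal_hold: bool = False
    deletion_requested: bool = False
    business_reason: Optional[str] = None   # documented reason to keep past expiry


# Constructed schedule: durations and rationales are illustrative only.
SCHEDULE: Dict[str, RetentionRule] = {
    "closed_account": RetentionRule(
        "closed_account", 7, "legal",
        "Financial regulation requires closed account data for seven years",
        True, "account_closed"),
    "marketing_lead": RetentionRule(
        "marketing_lead", 1, "business",
        "Leads are stale after one year without contact",
        True, "last_contact"),
}


def add_years(d: date, years: int) -> date:
    """Anniversary date; a 29 Feb trigger rolls to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, today: date,
             schedule: Dict[str, RetentionRule] = SCHEDULE) -> Tuple[str, str]:
    """Return (action, reason), where action is 'retain' or 'dispose'."""
    rule = schedule[record.record_class]
    expiry = add_years(record.trigger_date, rule.retention_years)

    # 1. A legal hold suspends disposition regardless of anything else.
    if record.legal_hold:
        return "retain", f"legal hold in effect ({record.record_id})"

    # 2. Inside the retention period.
    if today < expiry:
        if record.deletion_requested and rule.basis == "legal":
            # The article's point: a legal retention duty overrides a deletion request.
            return "retain", f"deletion request denied: {rule.rationale}; keep until {expiry}"
        if record.deletion_requested and rule.basis == "business":
            # Assumption (not from the article): a purely business retention
            # basis yields to a valid deletion request.
            return "dispose", "deletion request honoured: no legal duty to retain"
        return "retain", f"within retention period until {expiry} ({rule.rationale})"

    # 3. Past expiry: keep only with a documented, reviewable business reason.
    if record.business_reason:
        return "retain", f"past expiry; documented reason: {record.business_reason}"
    return "dispose", f"retention period ended {expiry}; no hold or business reason"


def run_disposition(records: List[Record], today: date) -> Dict[str, str]:
    """Map each record id to its disposition action for a given review date."""
    return {r.record_id: evaluate(r, today)[0] for r in records}


# Constructed sample inventory and review date for a stand-alone run.
AS_OF = date(2025, 1, 11)
SAMPLE_RECORDS = [
    Record("A-1", "closed_account", date(2019, 3, 1), deletion_requested=True),
    Record("A-2", "closed_account", date(2017, 6, 30)),
    Record("A-3", "closed_account", date(2017, 6, 30), legal_hold=True),
    Record("A-4", "closed_account", date(2017, 6, 30), business_reason="open dispute"),
    Record("L-1", "marketing_lead", date(2024, 9, 1), deletion_requested=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = evaluate(rec, AS_OF)
        print(f"{rec.record_id}: {action:7} {reason}")
```

Running the sample shows the precedence the article describes: A-1 stays despite the deletion request because the seven-year duty has not run, A-2 is disposed of once it has, A-3 is frozen by the hold, and A-4 survives only because a reason is written down where an auditor can read it. The `rationale` field on each rule is the "why do we keep this?" answer that makes the schedule defensible.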

Don’t Wait for a Perfect Answer

A common mistake is looking for a “perfect” answer, especially when it comes to justifying retention of personal data. Most privacy laws require some sort of business justification for the collection and use of personal information, but they don’t spell out what that means. Our advice: follow a documented, good-faith process, be transparent, be consistent, and document your decisions. That goes a long way in demonstrating compliance if you’re ever challenged.

We also urge clients not to let perfect be the enemy of good. If you wait for 100 percent consensus, you may never move forward. Start with what you know. Use versioning. Iterate. Make adjustments as the organization’s needs and activities evolve.

Build Consensus Alongside Compliance

The best policies and schedules we’ve helped create weren’t written solely by Legal or Privacy in a vacuum. They involved collaboration from Records Management, IT, Compliance, and most importantly, the business units that create and use the data. This collaboration is both political and practical. In fact, it’s critical. If business units don’t understand or agree with what the policy says, they won’t follow it. And without their buy-in, disposition won’t happen.

One of the smartest things we see organizations do is include business justification fields directly in their retention schedules. When someone asks, “Why do we keep this HR record for five years?” the schedule provides a clear answer. That clarity builds trust, reduces resistance, and makes enforcement easier.

Execution Beats Policy

At the end of the day, a beautiful policy that no one follows is worse than no policy at all. Make sure your policy is executable, use plain language, include examples, and build in automation where you can. Most importantly, don’t leave it on a shelf: train people, communicate changes, and revisit it regularly.

Bringing privacy and records requirements together into one unified policy isn’t always easy, but it’s absolutely doable. Once you do, you’ll have a foundation that supports compliance, reduces risk, and improves operational efficiency. That’s a win for privacy, a win for records, and a win for the organization.

Join us for our March webinar, "Using M365 to Create a Personal Data Inventory."