Demystifying data retention

A lesson in transparency

Early in my career, a project manager who I worked with on a retention project said she found me to be “mercurial” when it came to advising stakeholders on retention. Flattering as it was to be referred to as “the oracle” on data retention, I was rather mortified to learn I was seen as something akin to a cold and unpredictable power dispensing mystical advice.

Over the next few months I introduced greater transparency to my approach, explaining why I was making the recommendations I made. Three months later, the same colleague proudly told me she could always pick what sort of advice I would give users and even felt confident giving advice on retention herself. Result!

Demystifying retention is really important to our colleagues and stakeholders. Demystifying how we arrive at the retention periods we advise for our users is probably one of the biggest things you can do to make retention much more approachable.

Here are some tips to make your process for retention management much easier for colleagues to understand:

Explain the different drivers for retention

Explain to your colleagues that retention schedules are shaped both by what the law requires and what the business requires. This may be disappointing news to some stakeholders who would prefer a hard and fast answer on how long things should be kept encoded in law. But business value is the biggest conversation to have with stakeholders. If people understand the basic principle of assigning a business value up front, the rest of the conversation will got a lot easier.

Talk to stakeholders about their business processes

One of stakeholders’ top concerns regarding retention management is that retention rules mean records will be deleted before the end of a business process. Projects are a classic example of this. Stakeholders might see a retention period of, say 6 years, and fear that records related to projects that run for decades will be deleted before the project has ended. This is the perfect opportunity to put stakeholders straight about retention triggers and the need to identify when the business process ends. This can be followed up with a discussion about how long records are needed after the business process ends.

Balance organisational interests with data subject rights

If stakeholders are managing personal data, they may already be aware that they need to manage this in line with GDPR.  This stakeholder group is probably the most frustrated to learn that the GDPR doesn’t tell us exactly how long we can keep personal data, but uses slightly evasive legal terms like “legitimate purpose” and “reasonable” which can be somewhat subjective. 

Sometimes, you may have to tell stakeholders that the period of time they propose to keep personal data is unreasonable e.g. 20 years for former customers. It may be unreasonable because they can’t point to a legitimate business reason to keep things that long, because it’s a real outlier in terms of industry practice, or because if you asked the person on the street what they thought of the retention practices they might find it unacceptable.

Conversely, sometimes you need to reassure a stakeholder that it is perfectly acceptable to retain certain types of personal data for a long time because it protects the rights of the organisation, and more importantly, it protects the rights of the data subjects themselves (for example, records which provide proof of ownership, benefits conferred or qualifications conferred).

Data retention can be challenging. Here at Metataxis, we’ve helped many organisations address these challenges. If you would like to learn more about practical data retention and records management, simply contact us.