Starting in January of 2023, businesses subject to the California Privacy Rights Act (CPRA) may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell. CPRA Section 1798.100 (General Duties of Businesses that Collect Personal Information) states that businesses subject to the CPRA need to disclose:
The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
In this article, we’ll provide guidance on how to develop a functional records management program to support compliance with this requirement of the CPRA. Companies should start by considering the overall records management environment, including:
- Stakeholder Alignment,
- Records Management Policy,
- Data Retention Schedule, and
- Change Management Strategy.
The first step is gaining stakeholder alignment, i.e., getting all relevant parties “on board” with what needs to happen. It is important to familiarize everyone with privacy concepts such as data minimization and purpose limitation. Emerging privacy regulations require companies to only maintain personal information for as long as it is needed relating to the original processing purpose and no longer. Doing so is no easy feat, as most organizations are hesitant to delete anything for fear they may need it later. Never mind that the exact reasons are hard to specify and the negative consequences for deleting the content in accordance with laws and regulations are even harder to define—we need to keep it “just in case” we might need it.
In the past, this argument was final, or nearly so. Without a specific, tangible negative consequence to cite, the “keep everything” contingent carried the day in nearly every case. The CPRA changes this calculus, however: the California Attorney General (CA AG) can, and likely will, demand proof of how organizations are deleting personal information once they have no legal obligation to keep it. Without a functioning records management capability, it will be very difficult for companies to prove to the CA AG that they are compliant with the CPRA. This is the “North Star” toward which you need to align your records management stakeholders.
Once all stakeholders are on board, the next step is to establish an effective Records Management policy. And while approaches to policy can vary from organization to organization, there are some constants.
- Policies should define the what, not the how. That is, they define what an organization seeks to accomplish through its records management program, not how it will get there. No “click here, click there” information should be in the policy—those are best left for procedures or, better yet, guidelines.
- Policies should be insulated from frequent changes. Once approved, they should stay in force for at least two years (all things being equal), and references to other policies or domains should be brief (references only, if possible) so that changes in these domains don’t require changes to the core policy.
Once an effective policy is in place, you should turn to the retention schedule to determine whether (1) it contains the right number of record types, (2) it has enforceable retention triggers, and (3) business end users can read and understand it.
With these in place, you should turn to change management and implementation. The goal is to define which stakeholders need to be informed, the change management events required, the requirements for the collateral to be developed, and the schedule and timeline.
Of course, a plan is of no use without implementation, so it’s critical to deliver the training and communication collateral effectively and consistently. And beyond that, in-person follow-ups, whether face-to-face or over video conference, are key to reinforcing the policy and associated procedures you’ve published. At first, these will need to be frequent. But as time goes on, you can transition to a “run and maintain” cadence, interfacing with key records management business unit contacts on a quarterly, semi-annual, or annual basis, as your organizational context requires.
Given the complexity of the upcoming CPRA requirements, we are publishing a series of articles on this topic. Our first article introduced and reviewed the unique data retention and notice requirements of the CPRA. This second article provides guidance on developing a functional records management program. Our third article will review the creation of a defensible disposition process: beyond the compliance infrastructure that records management provides, you will need an effective, actionable process for disposing of data past its retention period that is defensible in court and before regulators, auditors, and others. The last article will provide guidance on how to use your data inventory to update your privacy notice with the required retention periods for each category of personal information.
The information provided in this article is for general informational purposes only and does not constitute legal advice.