Alaap B. Shah, Member of the Firm in the Health Care & Life Sciences practice, in the firm’s Washington, DC, office, was quoted in TechRepublic, in “New Privacy Laws Require an Update to Document Retention Policies,” by Veronica Combs.
Following is an excerpt:
The new challenge is to make sure data minimization guidelines include a specific timeline for deleting unnecessary information.
Initially, the first goal of document retention policies was to make sure employees retained all company emails, texts, chats, and voice messages. The new goal is to make sure your policy includes a plan for getting rid of all that same information in a timely manner. …
Last fall, the Federal Trade Commission sanctioned a data warehousing and management business for keeping – and then losing through a data breach – consumer data that should have been deleted because it was no longer needed. …
The challenge with that requirement, according to Alaap B. Shah, a member of the Epstein Becker Green law firm, is understanding which federal, state, and industry-specific rules apply to which documents. He recommended starting with a robust data mapping and classification exercise to identify what kind of information is subject to what rules.
“Then companies can start to think critically about how to categorize those data, what rules or business needs may apply, and set retention and destruction schedules,” he said.