There is a strong business case for defensible disposition, which is the process of disposing of company information when it is no longer needed for business or legal purposes. Key business benefits for defensible disposition include saving costs for storage; improving operational efficiency by better enabling employees to access needed information without having to wade through unneeded information; and reducing the amount of information that must be reviewed in the context of litigation or investigation. With data estimated to double every 18 to 24 months, the business case for defensible disposition is stronger than ever.
Recent regulatory developments in the U.S. and EU provide additional support for defensible disposition in companies that collect, store, and process personal data. In this post, we highlight two recent developments in U.S. and EU privacy regulations that support defensible disposition from a privacy-risk management perspective.
- FTC Cites Lack of “Data Deletion Policy” in LabMD Opinion
The FTC’s opinion and final order in In re LabMD, Inc. illustrates the importance of disposition as a measure to help reduce a company’s privacy risks. The FTC recently issued a decision finding LabMD’s data security practices were unreasonable and violated Section 5 of the FTC Act. The FTC listed LabMD’s failure to delete personal data among other information security lapses. “Because LabMD had no data deletion policy and never destroyed any patient or billing information it received since it began operating, the amount of information on its network was extensive and included copies of personal checks and credit and debit card account numbers in addition to medical information.” (LabMD Opinion of the Commissioner, at 15).
A defensible disposition strategy, on its own, would likely not have been enough for LabMD to avoid the FTC enforcement action, which requires LabMD to establish a comprehensive information security program to be assessed periodically by independent third-party auditors. But LabMD’s failure to routinely delete personal data unnecessarily compounded its risk.
- EU General Data Protection Regulation Raises the Stakes for Defensible Disposition
Companies that offer goods or services in the EU or monitor the behavior of individuals in the EU (e.g., tracking Internet users for purposes of analyzing or predicting personal preferences, behaviors, or attitudes) have an increased need for defensible disposition with the forthcoming European General Data Protection Regulation (“GDPR”). The GDPR mandates timely disposition of personal data by prohibiting the retention of personal data in identifiable form beyond the time period necessary for achieving the purposes for which the personal data is processed. Routine disposal will also help companies reduce their burdens under the GDPR’s greatly expanded individual rights provisions, including rights to erasure (another disposal requirement, triggered by a request from the data subject), portability, and access.
Companies that offer goods or services in the EU or monitor the behavior of individuals in the EU should begin taking compliance measures, including defensible disposition, as soon as possible. Although the GDPR is not effective until May 25, 2018, its broad obligations will take significant time to implement. Because the GDPR raises possible fines for privacy violations to the higher of 4% of global turnover or 20 million euros, we anticipate that the GDPR will be a key driver for companies governed by it to improve governance of personal data, including defensible disposition.
Companies often recognize the business value of defensible disposition, but fail to view its implementation as an urgent need because it is not seen as a compliance mandate. However, recent regulatory developments demonstrate that defensible disposition is not only an information governance best practice but also a strong component of a data privacy program. Before implementing defensible disposition, a company needs an actionable Records Retention Schedule (“RRS”), a comprehensive Information Governance Policy and a solid legal hold program in place to help ensure that it retains the records and information needed for business or legal reasons. Next week, we will post tips for developing an actionable RRS.