How to Ensure that Your Timing is Right for Data Destruction and Retention

Mar 20, 2019

Data retention and destruction has become a hot-button topic in recent years. Not only are data breach and identity theft very real threats, but recently, the consumer public has become understandably concerned about how their data is being stored and used.

Every country has their own rules and regulations concerning data usage and safety, but the European Union recently enacted the General Data Protection Regulation (GDPR), which guarantees consumers the right to opt out of consent regarding data collection, usage, and storage. Although the U.S. has yet to adopt such wide-ranging protections, there is a general sentiment that the GDPR has signaled a shift in how we’ll approach the use of technology and data moving forward.

That may be a problem for tomorrow, but as a business owner, you need to understand your current obligations where consumer privacy is concerned. When your customers entrust you with their confidential financial, medical, or other personal data, you need to know the rules related to retaining and eventually destroying that data.

When you collect data, you’re no doubt well aware of your onus to protect it. This is why you have digital protections like firewalls, passwords, antivirus software, and encryption in place. However, you should also know that there might be guidelines in place for how long sensitive consumer data should be retained.

The GDPR brought this issue to light with their proclamation that data should be kept “no longer than is necessary for the purposes for which the personal data are processed”. In other words, the amount of time data is retained should be directly related to how it is used, or more specifically, the purpose stated and consented to by the consumer.

Again, this is the new standard in the EU, and it doesn’t necessarily apply to data collected from US citizens, but if you’re unsure how long data should reasonably be stored, this is a decent benchmark that could help to protect your company and your customers.

There is very little ambiguity about how to destroy data, thanks to federal, state, and local laws designed to protect consumer privacy by ensuring complete destruction of data. As to when you should destroy data, this could depend somewhat on the type of data you’re storing and what it’s being used for. In some cases, it will be governed by industry regulations.

Industry Regulations
In addition to federal, state, and local privacy laws, many businesses are also governed by industry-specific regulations. Those who collect financial data or work in finance fields may have to follow rules set forth in FACTA, GLBA, or the Sarbanes-Oxley Act. Professionals in the healthcare industry are beholden to HIPAA standards for data security. Federal agencies must follow security controls laid out in NIST Special Publication 800-88. These are just a few examples.

As a business owner, you need to understand and comply with applicable privacy laws and industry regulations when it comes to retention and destruction of data. This is, of course, made easier when you partner with a certified ITAD service provider that complies with all current and applicable rules on your behalf.

If your Sioux Falls, SD, North Dakota, or Omaha area business is seeking secure and reliable IT asset management services, contact the qualified professionals at SEAM today at 605-274-7326 (SEAM) or online today to learn more.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.