I have a question related to retaining personal data processing consent records e.g. if a customer agrees for you to process their personal data related to buying a product. How long are you keeping their consent?
Gordon Brown, CRM
Program Manager – Information Management
Delta Air Lines
Well, that is a very, very loaded question! There are many questions that can potentially help drive that answer, a number of which are pertinent primarily based upon the person’s citizenship and/or residency. But some of the regulations (e.g. PIPEDA, GDPR) provide zero actual value in terms of an answer, as they only state vague requirements for “as long as necessary for the purpose it was collected… blah, blah”). Hence, you’re left to interpret what that means. CCPA then introduces additional criteria around organizational revenue per year, number of people/devices/households you hold data for (though I’m TOTALLY mystified by how “devices” can have personal data, but that’s a separate discussion), and the amount of revenue the org makes from California residents. Plus there is the aspect of eliminating those nominal time limits if the data is being retained for other legal/compliance reasons (including legal holds, obviously). Then, with the UK having nominally left the EU now, there may be new requirements that will come up there. And, I’m pretty sure China’s policy is probably something like “until the Party tells you otherwise”.
In the case of buying a product, you could interpret that, once the product is delivered and accepted, the information is no longer required and erase it. However, it is very obviously in the best interests of many organizations to continue to hold that data in order to reduce friction in the buying process if the same customer should come back in a week, 6 months, 14 months, or whatever other time horizon you want to talk about.
What I have personally noticed is that a number of organizations seem to be using 1 year as a general rule of thumb. Presumably this is predicated on the assumption that if the customer has not purchased, or otherwise interacted with the organization in such a way as to want to have that data available, following a 1 year period from last interaction, it may serve as a reasonable cut-off point.
Thus, you end up with something of a decision tree, and you are forced (for all practical intents) to either go through a pretty ridiculous amount of effort to get auditable compliance into the higher 90s percentile range, or accept a certain amount of risk for having a lower degree of auditable compliance. For a more extreme example, let’s say the individual in question is a dual EU/US citizen who lives mostly (though perhaps not exclusively) in California, and the organization makes roughly 25M/year and maintains data on approx. 51,000 people, but only about 42% of its revenue comes from people in California. You could drive an algorithm bonkers trying to apply just the right retention!
So, all of this is to say, I don’t believe that for an organization doing business in multiple jurisdictions there really IS a “right” answer. I see this as a case of ‘good enough’ not being the enemy of ‘good’ (which is a rarity).