Every Company Should Have a Records Retention Policy—Here's Why

These days, headlines around the globe focus on conversations around data and data management. With the impending enforcement of the EU’s General Data Protection Regulation (GDPR) and increasing interest in how personal data is collected, leveraged, and maintained, it is more important than ever to audit the health of your employee data.

Traditional areas to audit include:

• Personnel files such as wage data or reference checks
• Documents containing employee personally identifiable information (e.g. social security numbers)
• Company emails and work documents

But data no longer lives in just the ‘traditional’ sources. As technology evolves, new data sources emerge that didn’t exist when regulatory environments were established. And, it’s no secret that enacting a regulation takes time. This time lag between new technology in the market and the law leaves many people (and their data) vulnerable, if left unchecked.

GDPR in a Nutshell

GDPR takes a stab at confronting the issue. In a nutshell, GDPR says that people have the right to their own personal data. And that individuals have the right to request access to that data, understand how it’s used, and “request to be forgotten”. The broad stroke regulation works to tackle the fact that new technology emerges constantly and, until legislation catches up, organizations might leverage personal data without the individual’s knowledge.

Because it is new, article 29 of GDPR creates a Data Protection Working Party (generally known as Article 29 Working Party) with the intention of providing the European Commission with independent advice on data protection matters and helping in the development of harmonized policies for data protection in the EU Member States.

“Since the publication of these documents, a number of new technologies have been adopted that enable more systematic processing of employees’ personal data at work, creating significant challenges to privacy and data protection.”

As employees send messages, modify files, and interact on the web, their digital fingerprint is constantly growing and changing. Digital communication generates more data than ever before, and while it can provide incredible insights, data controllers need to make compliance and risk mitigation a priority.

When Introducing Technology, Consider the Corresponding Employee Data

With enterprise collaboration platforms (e.g. Yammer, Workplace by Facebook, Microsoft Teams) entering organizations at an unprecedented rate, communication between colleagues is quickly transforming. More informal, frequent correspondences occur in private and public forums. This does introduce a new set of potential risks to the enterprise security ecosystem. It is imperative to monitor, secure and, when appropriate, destroy the data produced within this platform, just like any other source of employee data.

“Employers should always bear in mind the fundamental data protection principles…irrespective of the technology used, [and] the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications…”

The ‘contents of electronic communication’ applies to the conversations that take place in collaboration tools. Therefore, employees have the right to, as with all other records: request their own data, understand how it is being used, and act on their ‘right to be forgotten.'

In addition to these employee rights, the Article 29 Working Party also recommends not to ‘retain [personal data] any longer than necessary.'

Mitigate Risk by Being Proactive with Record Retention Policies

A clearly laid out Record Retention Policy (RRP), where paper and electronic personnel records and confidential employee data maintained by the company is destroyed when retention dates pass, helps defend against employment-related litigation.

Establish a clear policy on data backup and destruction including schedule, file location, methods of destruction and a records administrator. Consult your organization’s legal resources to define the retention dates for various data types.

A data management tool, like Aware, can help your organization implement its new record retention policy. Based on policies you select, the tool will destroy collaboration platform data when programmed retention date passes. By doing so, you can maintain compliance while protecting vulnerable employee data from exposure or a potential breach.

Securely Say “Yes” to Collaboration

With accelerating change in digital working and tool preferences – allow your organization to work effectively, on collaboration tools, while remaining secure and compliant. Aware by Wiretap gives you peace of mind that insider threats, gaps, and risks are minimized and mitigated.

Check out our information governance checklist  to better understand how you can safeguard your organization in today's digital environment.