
Using a Data Inventory in Conjunction with your Retention Schedule to Update your Privacy Notice for CPRA

Starting in January of 2023, businesses subject to the California Privacy Rights Act (CPRA) may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell.

CPRA Section 1798.100. General Duties of Businesses that Collect Personal Information states that businesses subject to CPRA need to disclose:

The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

Imagine the difficulty of publishing a single retention period for all data elements that fall under the category “Personal Identifiers”, such as first and last name or phone number. Depending on whether these appear in a contract, help desk ticket, bill, or email, the retention periods will differ widely.

How can you use your data inventory to be compliant with the CPRA?

Companies likely already know that a complete data inventory is a key building block for a privacy program as it can be used to update the privacy notice, better allocate security controls, and respond to consumer requests in a timely and efficient manner. But companies may not realize that developing a data inventory is also essential for operationalizing a data retention program.  A data inventory can provide businesses with a systematic way to identify retention periods at a category-by-category level.

A data inventory for privacy compliance should include not only detailed information on the assets that contain personal information, but also information on the business processing activities in which the company processes personal information.  Detailed information at the asset and processing activity level should capture at a minimum:

  • Data Subject (employees, customers, vendors, etc.),
  • Processing Category (there are 11 categories specified under the California Consumer Privacy Act (CCPA) and CPRA, including biometric data, personal identifiers, and geolocation data), and
  • Data Elements (the actual data elements captured or processed like device ID, phone number, purchase history, browsing time, etc.)

It is important that this information is not only captured, but also appropriately related to one another.  In other words, if you capture data on employees in an asset, you should also be able to identify both the higher-level processing categories and the specific data elements collected for those employees.

In addition, each item in the data inventory, whether assets or processing activities, should include a question on the retention timeframe for that data.  The answer options for this question should match the standard retention periods from the company’s Records Retention Schedule but should also allow for respondents to indicate if a different retention schedule is in place and/or if the respondent is not sure.  Capturing that information at a granular level allows the Records Management team to confirm that the Records Retention Schedule has been operationalized throughout the organization.  It also allows the company to filter, search and summarize the information to be compliant with the many requirements of the CPRA.

Data retention regulations often deal with records (and in the case of the CPRA, specific processing categories), not assets.  Companies that maintain a data inventory at the appropriate level of detail will be able to query that data to create a matrix of key information on a category level.  The chart below shows an example of what the privacy notice might need to include starting in January 2023, using just 2 of the 11 CCPA/CPRA categories.

Personal Identifiers
  • Examples of PI Collected: Name, postal address, email address, identification numbers
  • Sources of PI: From the Consumer, Clients, Service Providers, Government Entities, and Third Parties
  • Purposes for PI Collection: Processing Interactions and Transactions; Managing Interactions and Transactions; Performing Services
  • Categories of Recipients: Clients; Government Entities; Data Processors and Storage Providers; Service Providers
  • Data Sold?: No
  • Retention Period: 5 years after last transaction for customers, 3 years after separation for employees

Internet Usage Information
  • Examples of PI Collected: Information regarding interactions with our website, computer systems, and/or devices
  • Sources of PI: From the Consumer, Service Providers, and Third Parties
  • Purposes for PI Collection: Processing Interactions and Transactions; Managing Interactions and Transactions; Performing Services; Security; Debugging
  • Categories of Recipients: Marketing and Analytics Vendors and other Service Providers
  • Data Sold?: No
  • Retention Period: 12 months after the last transaction
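As an added illustration (not code from the article or from Ankura), the following script rolls item-level inventory answers up into the category-level rows shown in the chart, and flags any "Not sure" or non-standard retention answers that the Records Management team must resolve before that category's retention period can be published. The schedule periods, asset names, and inventory rows are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Standard answer options, taken from a hypothetical Records Retention Schedule.
# Anything else ("Not sure", "Other: ...") is an exception Records Management must resolve.
SCHEDULE_PERIODS = {
    "5 years after last transaction",
    "3 years after separation",
    "12 months after last transaction",
}

@dataclass(frozen=True)
class InventoryEntry:
    item: str              # asset or processing activity surveyed
    data_subject: str      # employees, customers, vendors, ...
    category: str          # CCPA/CPRA processing category
    data_elements: tuple   # specific elements captured for that subject
    retention: str         # answer to the retention question

# Constructed sample inventory, not data from any real company.
INVENTORY = [
    InventoryEntry("CRM", "customers", "Personal Identifiers",
                   ("name", "email address"), "5 years after last transaction"),
    InventoryEntry("HRIS", "employees", "Personal Identifiers",
                   ("name", "postal address"), "3 years after separation"),
    InventoryEntry("Help desk", "customers", "Personal Identifiers",
                   ("name", "phone number"), "Not sure"),
    InventoryEntry("Web analytics", "customers", "Internet Usage Information",
                   ("device ID", "browsing time"), "12 months after last transaction"),
]

def retention_matrix(inventory):
    """Roll the item-level answers up to one row per processing category."""
    matrix = defaultdict(lambda: {"subjects": set(), "elements": set(),
                                  "periods": set(), "exceptions": []})
    for e in inventory:
        row = matrix[e.category]
        row["subjects"].add(e.data_subject)
        row["elements"].update(e.data_elements)
        if e.retention in SCHEDULE_PERIODS:
            row["periods"].add(f"{e.retention} for {e.data_subject}")
        else:
            # Unresolved answer: the schedule has not been operationalized for this item.
            row["exceptions"].append((e.item, e.retention))
    return dict(matrix)

def publishable_categories(matrix):
    """Categories whose retention column can go into the notice: no unresolved answers."""
    return sorted(c for c, row in matrix.items() if not row["exceptions"])
```

With the sample data, Personal Identifiers carries both schedule periods plus one unresolved Help desk answer, so only Internet Usage Information is ready to publish.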

If the CPRA requirements around reporting retention schedules don’t go into effect until January 1, 2023, why do I need to worry about this now?

While a year and a half may seem like enough time to prepare, companies should not underestimate the length of time it can take to create a comprehensive data inventory, develop a retention schedule, and operationalize it. In our experience, the timelines we have seen with our clients for each of these activities can vary significantly based on the size, structure, and data environment of the organization:

  • Data Inventory: 2 – 5 months
  • Records Retention Policy and Schedule: 2 – 4 months
  • Operationalizing a Records Retention Program: 6 months – 1 year

Even with a good set of data maps and a listing of assets to start with, capturing the required information for a data inventory takes time and will require participation from 40 to 100 different individuals within your company.  This effort requires significant business exploration and can be a very time-consuming step even with automation in place to assist.  Even if you already have a retention policy and schedule, in our experience most companies have not operationalized it.  The deletion mechanisms and processes will need to be agreed upon with the relevant stakeholders, and everyone will need to be educated on the plan and practice implementing it.

More stringent data retention requirements are coming, and organizations should take the time now to review their current data retention programs, update them as needed, and operationalize them so that they comply with current and emerging privacy regulations.

Given the complexity of the upcoming CPRA requirements, we are publishing a series of articles on this topic.  Our first article introduced and reviewed the unique data retention and notice requirements of the CPRA.  Our second article provided guidance on developing a functional records management program. Our third article reviewed the creation of a defensible disposition process. This last article provided guidance on how to use your data inventory to update your privacy notice with the required retention periods for each category of personal information.

© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. 
