How do you know when to throw stuff away?
That's what I thought...
If your first question when reading the headline is, "What's a data retention policy?", you really need to pay attention. No, really.
A data retention policy is an internal written policy that sets forth how long you keep each type of personally identifiable client information. How long you really want to keep the information is going to depend on your type of business.
Things you'll want to think about when crafting your policy are:
- The types of information you collect
- How long it is reasonable for you to need each type of information
- How often you're going to purge your records (monthly, quarterly, yearly)
- How you're planning to destroy the information so that it doesn't fall into other people's hands
(This is something you should also consider when you're getting rid of a computer or server that has contained customer information. Just deleting the information doesn’t actually erase it from the hard drive of your computer. If you want more information on how to properly destroy information, let me know...)
A simplified sample data retention policy would look something like this:
Effective February 2, 2012
Bob Inc. collects each client's name, address, email address and phone number. In order to protect its clients' personally identifiable information, it sets forth the following data retention policy.
Bob Inc. shall retain a client's information for three months after the date on which the relationship between Bob Inc. and that client ends. Two exceptions apply: the email addresses of clients who have opted in to receive emails from Bob Inc. on a continuing basis, and any information included in a contract between Bob Inc. and the client, which may be printed from the computer and kept in Bob Inc.'s corporate files.
Materials will be destroyed in a manner that prevents such data from being recovered by others (insofar as such destruction is currently technologically feasible).
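The sample policy above is concrete enough to be enforced by a scheduled purge job rather than by memory. The following is an added example written for this page, not code from the original post or from "Bob Inc."; it assumes a record layout with the four fields the policy names, treats "three months" as 90 days, and keeps a record untouched when its details are also in a contract on file (all of these are assumptions). An opted-in client keeps only their email address; everything else is cleared once the retention period has passed.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

# "Three months" in the sample policy, taken here as 90 days (assumption).
RETENTION_DAYS = 90


@dataclass
class ClientRecord:
    """One client's personally identifiable information (field names assumed)."""
    client_id: str
    name: Optional[str]
    address: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    relationship_ended: Optional[date]  # None while the client is still active
    email_opt_in: bool = False          # opted in to continuing mailings
    in_contract: bool = False           # details also live in a signed contract on file


def is_expired(rec: ClientRecord, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True once the retention period after the end of the relationship has passed."""
    if rec.relationship_ended is None:
        return False
    return today - rec.relationship_ended > timedelta(days=retention_days)


def apply_retention(rec: ClientRecord, today: date,
                    retention_days: int = RETENTION_DAYS) -> Optional[ClientRecord]:
    """Return what the record should look like after the purge, or None if nothing remains."""
    if not is_expired(rec, today, retention_days):
        return rec                      # still inside the retention window
    if rec.in_contract:
        return rec                      # policy exception: contract material stays on file
    if rec.email_opt_in and rec.email:
        # policy exception: keep only the email of an opted-in client
        return replace(rec, name=None, address=None, phone=None)
    return None                         # everything goes


def purge(records: List[ClientRecord], today: date,
          retention_days: int = RETENTION_DAYS) -> Tuple[List[ClientRecord], List[str]]:
    """Apply the policy to every record; return the surviving records and the purged ids."""
    kept, purged_ids = [], []
    for rec in records:
        out = apply_retention(rec, today, retention_days)
        if out is None:
            purged_ids.append(rec.client_id)
        else:
            kept.append(out)
    return kept, purged_ids


def sample_records() -> List[ClientRecord]:
    """Constructed sample data covering each branch of the policy (not real clients)."""
    return [
        ClientRecord("A", "Ann", "1 Main St", "ann@example.com", "555-0100", None),
        ClientRecord("B", "Bo", "2 Main St", "bo@example.com", "555-0101", date(2012, 1, 15)),
        ClientRecord("C", "Cy", "3 Main St", "cy@example.com", "555-0102", date(2012, 1, 15),
                     email_opt_in=True),
        ClientRecord("D", "Di", "4 Main St", "di@example.com", "555-0103", date(2012, 3, 1)),
        ClientRecord("E", "Ed", "5 Main St", "ed@example.com", "555-0104", date(2011, 12, 1),
                     in_contract=True),
    ]


if __name__ == "__main__":
    kept, purged = purge(sample_records(), today=date(2012, 5, 1))
    print("purged:", purged)
    for rec in kept:
        print("kept:", rec)
```

Run on a schedule matching the purge frequency you chose (monthly, quarterly, yearly), and log the purged ids rather than the purged contents so the log itself does not become a copy of the data you just destroyed.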
Please note that if you're collecting financial or credit card information, you need to comply with other standards set forth by state and/or federal law. When crafting a data retention policy, make sure you check the laws in your own state and in the states where you have customers.
Once you know all of these things, you need to make sure that you actually follow your policy. If you don't, it's not going to be worth the paper it's written on.
So, why do you want to do this? There are several reasons. First, you never know when you'll be subpoenaed or will be the subject of a lawsuit. If you have a data retention policy (and you follow it), it is assumed that you won't have information for them to discover beyond what the policy says you keep.
The other reason is more practical, and it is the subject of my legal blog post (which I hope to finish this afternoon) on what to do when someone hacks your system and steals your clients' information. The less inactive information you have in your system, the fewer people's information you have to worry about being stolen.
Just thought you'd want to know....
Please protect yourself.
Originally posted in my blog on Savor the Success on 2/3/09