Key takeaways:
-
Privacy regulations require organizations to delete data that is no longer needed, but there is often ambiguity around how long that data should be retained. Companies must determine appropriate timelines for keeping data and when it must remain identifiable.
-
Implementing a clear data retention strategy supports both compliance and efficiency. Retaining excessive data for extended periods increases costs and introduces unnecessary risk.
-
Panelists recommended taking a cautious approach, using data minimization practices or synthetic data whenever possible.
-
When building support for privacy initiatives, framing the issue in personal terms can be effective. Asking business partners whether they would feel comfortable if their own data were used in the same way can help shift perspectives.
During our recent leadership panel, Empowering Analytics Through a Privacy Lens, members from the Enterprise Data Strategy Board and Data Privacy Board discussed how organizations can balance the value of analytics with the privacy safeguards required to protect sensitive data.
Below, we explore several audience questions on data retention, data minimization, and building a compelling business case for privacy.
Q: What are the key considerations for designing data retention policies that align with privacy regulations and organizational needs?
New Balance Athletics Global Director of Data Privacy Sarah Stalnecker began by acknowledging that this question is complex. Privacy laws generally require companies to delete data once it is no longer needed for the purpose it was originally collected. However, these laws rarely define a specific timeframe for when deletion must occur.
According to Sarah, determining the right retention timeline can be challenging for many organizations.
As quickly as we can make that data not identifiable, the sooner we can get to a place where you can run models and not trigger privacy requirements.
Sarah Stalnecker, New Balance Athletics
“Particularly as you think about AI and the use of data,” Sarah said. “You need more data to power AI models, so you really need to have conversations around what are the true legal requirements outside of just privacy for holding on to data.”
Then, Sarah explained that once legal obligations are understood, organizations can work with business stakeholders to decide how long data must be retained and when it no longer needs to remain identifiable.
“As quickly as we can make that data not identifiable, the sooner we can get to a place where you can run models and not trigger privacy requirements,” Sarah said.
Q: How can automated data management tools and data governance frameworks help facilitate compliance and retention requirements?
From a governance perspective, UPS Director of Strategy Zeenat Syed noted that success begins with properly understanding and classifying your organization’s data.
“For everything that’s highly confidential, tell us what is the retention policy for that,” Zeenat said. “Let’s talk to legal and our retention manuals and make sure that we have that catalog so that when we have projects that are using that data, they know what retention to follow.”
Regarding the tools to facilitate this, John Tucker, Director of Enterprise Data Governance at McDonald’s, said they utilized BigID to scan across their structured and unstructured data sources.
“We’ve classified those assets, and now we’re starting to really home in on retention schedules and make sure that they make sense from a business perspective but also are compliant with any sort of regulation out there,” John said. “We’re making sure that we’re only keeping the data that we absolutely need to leverage to run the business.”
John also emphasized the return on investment that comes from operationalizing retention policies and avoiding the storage of unnecessary data.
We’re making sure that we’re only keeping the data that we absolutely need to leverage to run the business.
John Tucker, McDonald’s
Sarah reinforced this point, explaining that storing data indefinitely is neither cost-effective nor low risk.
“You have to store the data and keep the data accurate,” Sarah said. “Then, you start running models on that data, which costs money, and if you’re running models on either bad data or too much data, it doesn’t really make sense. You’ve just literally wasted money.”
Furthermore, demonstrating the cost benefits of data deletion and retention requirements is a great method for gaining buy-in from other business lines.
Q: What is your approach to balancing data minimization with the ability to drive effective analytics for your business?
Principal Financial Group’s Assistant Director of Privacy and Data Protection Officer, Rebecca Whitaker, explained that this challenge is often best addressed on a case-by-case basis.
Many analytics use cases can rely on anonymized or synthetic datasets instead of personal data. However, Rebecca noted that business stakeholders may not always be familiar with these alternatives.
“Instead of immediately giving them a slice of chocolate cake, which is all the personal data that they want to consume, try something different at first to see if maybe you can get the same results you want,” Rebecca said.
For organizations with more mature privacy programs and sufficient budgets, Privacy-Enhancing Technologies (PETs) can provide deeper insight into how data is used while supporting compliance requirements.
Q: What are some other strategies you’ve used to encourage others internally to prioritize privacy?
Panelists agreed that building a culture of privacy awareness requires education across the entire organization. Making the topic relatable on a personal level can help employees understand why privacy matters.
“We often think about our day jobs, but privacy also affects us outside of work,” John said. “I think making sure people understand that and if you can meet them where they are and give them a different way to think about it. That’s what lends itself better from a data literacy perspective.”
One practical approach is asking business partners whether they would feel comfortable if their own personal data, or the data of friends and family, were used in the same way a proposed project intends. This perspective often helps shift conversations toward more responsible data practices.
Gain More Insights from Privacy and Data Analytics Leaders
Panelists shared many additional insights about how privacy and analytics leaders can collaborate to support business objectives while protecting consumer data.
You can catch all the insights shared by watching the full panel recording here.
If you’re interested in learning more about leading enterprise privacy or data strategy initiatives, consider joining your peers in the Enterprise Data Strategy Board. Members meet weekly to benchmark their approaches to artificial intelligence, data governance, and other critical challenges facing today’s data leaders.
