Key takeaways:
- Privacy laws mandate companies delete data that’s no longer being used, but there is a gray area around the timeframe. Businesses need to determine the longevity of their data and how long it needs to be identifiable.
- Operationalizing a data retention strategy is beneficial from a compliance and ROI perspective. Holding onto too much data for too long is costly and risky.
- Panelists also suggested erring on the side of caution and leveraging data minimization or synthetic data whenever possible.
- When working to gain buy-in and promote privacy education, it’s useful to use personal positioning. Ask your business partners, “Would you feel comfortable if your data was being used?”
During our recent leadership panel, Empowering Analytics Through a Privacy Lens, Enterprise Data Strategy and Data Privacy Board members shared insights on how to balance analytics with the necessary privacy controls.
Let’s explore some of the audience’s questions about data retention, data minimization, and how to build a strong business case for privacy.
Q: What are the key considerations for designing data retention policies that align with privacy regulations and organizational needs?
Sarah Stalnecker, Global Director of Data Privacy at New Balance Athletics, kicked off the conversation by admitting this question is a bit tricky.
Privacy regulations mandate that companies delete data that is no longer being used for the intended purpose for which it was collected, but they don’t necessarily provide a specific timetable for doing so.
Sarah said it’s been challenging for businesses to determine what the timeframe will look like within their organization.
As quickly as we can make that data not identifiable, the sooner we can get to a place where you can run models and not trigger privacy requirements.
Sarah Stalnecker, New Balance Athletics
“Particularly as you think about AI and the use of data,” Sarah said. “You need more data to power AI models, so you really need to have conversations around what are the true legal requirements outside of just privacy for holding on to data.”
Then, Sarah said, you can begin to have conversations with the business to determine how long you need to hold onto data to fulfill its purpose and, more importantly, how long it needs to be in an identifiable format.
“As quickly as we can make that data not identifiable, the sooner we can get to a place where you can run models and not trigger privacy requirements,” Sarah said.
Q: How Can Data Governance Frameworks and Automated Data Management Tools Help Facilitate Compliance and Retention Requirements?
From a governance perspective, Zeenat Syed, Director of Strategy at UPS, said this question comes down to your ability to understand and properly classify your data.
“For everything that’s highly confidential, tell us what is the retention policy for that,” Zeenat said. “Let’s talk to legal and our retention manuals and make sure that we have that catalog so that when we have projects that are using that data, they know what retention to follow.”
We’re making sure that we’re only keeping the data that we absolutely need to leverage to run the business.
John Tucker, McDonald’s
Regarding the tools to facilitate this, John Tucker, Director of Enterprise Data Governance at McDonald’s, said they utilized BigID to scan across their structured and unstructured data sources.
“We’ve classified those assets, and now we’re starting to really home in on retention schedules and make sure that they make sense from a business perspective but also are compliant with any sort of regulation out there,” John said. “We’re making sure that we’re only keeping the data that we absolutely need to leverage to run the business.”
John further illustrated the return on investment of operationalizing a retention schedule and avoiding retaining data that is no longer useful to the business.
Sarah echoed this sentiment, saying that holding onto data in perpetuity is not a good practice from a cost or risk perspective.
“You have to store the data and keep the data accurate,” Sarah said. “Then, you start running models on that data, which costs money, and if you’re running models on either bad data or too much data, it doesn’t really make sense. You’ve just literally wasted money.”
Furthermore, demonstrating the cost benefits of data deletion and retention requirements is a great method for gaining buy-in from other business lines.
Q: What is your approach to balancing data minimization with the ability to drive effective analytics for your business, and are Privacy-Enhancing Technologies part of that?
Rebecca Whitaker, Assistant Director of Privacy and Data Protection Officer at Principal Financial Group, said this question is often best tackled on a case-by-case basis.
There are plenty of use cases that could utilize anonymized or synthetic data rather than personal data, and Rebecca noted that your business partners aren’t always as familiar with these options as those who work within the data community.
“Instead of immediately giving them a slice of chocolate cake, which is all the personal data that they want to consume, try something different at first to see if maybe you can get the same results you want,” Rebecca said.
If your program is mature enough and has the required budget, then Privacy-Enhancing Technology can provide you with those insights and a deep understanding of the business use of the data.
Q: Much privacy positioning focuses on fear and risks. What are some other strategies you’ve used to encourage others internally to prioritize privacy?
Panelists agreed that building a cultural awareness around privacy requires enterprise-wide education, which often resonates best when made personal.
“We often think about our day jobs, but privacy also affects us outside of work,” John said. “I think making sure people understand that and if you can meet them where they are and give them a different way to think about it. That’s what lends itself better from a data literacy perspective.”
Sometimes it’s a helpful tactic to ask business partners if they would feel comfortable if their data, or their friends and families’ data, was used in a particular way.
Gain More Insights from Privacy and Data Analytics Leaders
Panelists had a lot more to say about how privacy and analytics leaders can work in tandem to support business lines and protect consumers’ information.
You can catch all the insights shared by watching the full panel recording here.
To gain more insights on leading an enterprise (privacy or data strategy) program, learn how to join your peers in the Enterprise Data Strategy. Our members meet weekly to benchmark their strategies on artificial intelligence, data governance, and other key challenges.