How long should you retain your data?
Data Retention: Striking the ‘Goldilocks’ balance

Most financial institutions recognise that collecting, storing and using data are important activities that need due consideration, investment and governance. 

However, the critical question of data retention - a complex issue fraught with risk - often receives less attention. 

In this article Sophie Rothbarth from BeyondFS explains the challenges of data retention, and how to achieve the ‘Goldilocks’ middle ground of retaining data for just the right amount of time. Long enough, but not too long.

Regulatory fines
The perils of poor data retention practice

Data retention is a frequent reason for regulatory sanctions but is often overlooked by firms. These recent regulatory breaches, many accompanied by heavy fines, are cautionary examples:

  • June 2023 - French advertising platform Criteo was fined €40 million for improper conduct in handling users’ personal data, one of the largest fines of its kind. Multiple breaches included disproportionate and excessive data retention which did not meet standards required to protect individuals' privacy rights.
  • May 2023 - the Austrian DPA found facial recognition firm Clearview AI to be in breach of data retention rules by permanently storing data.
  • March 2023 - Latitude Financial, a financial services company in Australia and New Zealand, was hacked, exposing the personal information of 14 million customers, including driver licences and passport numbers. This raised concerns about data retention practices, as some of the information stolen was over 18 years old.
  • November 2020 - French retailer Carrefour was fined $3.23 million for multiple GDPR violations, including a breach of cookie consent and excessive data retention.
  • January 2020 - Italian telecoms provider TIM was fined €27.8 million for excessive data retention.

But what are the regulatory and operational issues to consider, and how should financial institutions build a robust data retention operating model?

Minimums, maximums, and finding the middle ground

Data retention is a regulatory obligation, and regulations often set a range for how long data must be kept. For instance, MiFID requires data retention for seven years, while anti-financial crime regulations impose several different minimum retention periods. On the other hand, GDPR emphasises keeping data for the shortest possible time.

This creates a challenge for organisations. A clear understanding is needed of the data held and the specific retention requirements for each data type. This will allow the development of a single source of truth for managing data retention obligations across the firm, eliminating the siloed approach often found between functions like Financial Crime and Data Protection.

The operational impact of data retention

While achieving regulatory compliance is crucial, strong data retention policies offer significant operational benefits.

Firstly, excessive data storage can be a major financial burden. The cost of data servers, backups, and maintenance can be substantial. BeyondFS’s experience has shown that projects focused on optimising data retention often pay for themselves through cost savings.

Secondly, retaining unnecessary data increases a firm's cybersecurity risk. In the event of a cyberattack, the more data held (especially personal and financial data), the greater the potential impact. By minimising data storage, a firm reduces the amount of data that can be compromised during an attack and limits the unnecessary fallout.

Solution
Building a robust data retention operating model

Simply having a data retention policy and schedule isn't enough. Effective operationalisation is key. This means developing clear processes so that the policy can actually be followed in day-to-day operations, and robust controls to confirm it is working as intended.

We recommend using a three-pronged approach when helping our clients:

  1. Review your data retention operating model to identify gaps in controls and opportunities to streamline processes.
  • Use data mapping to identify the data points your organisation collects, stores, and uses across all functions and services. This should include both outward customer facing services and internal functions such as Human Resources.
  • Cross-reference this against the data retention schedule to confirm it is comprehensive. This can then be reviewed to identify the minimum length of time data should be retained for across both business need and regulatory mandate (noting that regulatory mandate should take priority if there is a mismatch).
  • Assess the existing process for data retention across each function, line of business and data asset for inefficiencies, manual steps, or lack of proper authorisation controls for data deletion. Together with data backups, this is often where money can be saved, by ensuring processes genuinely work in practice.

  2. Reduce unnecessary data storage.
  • Consider the often overlooked process for managing data backups. Firms frequently have a strong process for data retention in live environments but retain data backups (at great expense) for significant periods of time.
  • Assess your data storage infrastructure. Consider archiving to lower-cost storage options, and data compression to optimise storage costs.
  • Consider how you could automate data retention processes, such as data classification, scheduled deletion tasks, and automated data retention reports.
  • Explore the option of using data loss prevention (DLP) software to prevent sensitive data from being removed accidentally or intentionally during its retention period.

  3. Foster good data governance.

    Data governance is a firm-wide responsibility, but risk and operational teams can play a vital role in championing clear policies and processes for data retention.

  • Evaluate the effectiveness of your data governance framework in ensuring adherence to data retention policies. Identify areas for improvement, such as clearer ownership of data retention processes or enhanced user training.
  • Develop a remediation plan to address identified control gaps. This may involve implementing new data security controls, comms planning around the importance of good data retention practices or automating data deletion processes.
  • Review the security controls in place to protect data, including access controls, encryption, audit logging, and vulnerability management.
  • Ensure your disaster recovery plan accounts for the recovery of retained data in case of a system outage or security incident.
  • Establish regular reviews for your data retention operating model, to stay aligned with evolving regulations, business needs, and technology advancements.
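The cross-referencing in step 1 and the scheduled deletion checks in step 2 can be expressed as a small retention engine. The example below is added here and is not code from the article or from BeyondFS; the schedule is constructed for illustration, with only the seven-year MiFID figure taken from the article and the remaining periods being placeholders rather than real regulatory values. It reports data types the schedule does not cover (a control gap), assets past their effective period (deletion candidates), and applies the same clock to backups as to live copies.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule: data type -> [(rule, minimum retention in days)].
# Only the MiFID seven-year period comes from the article; the other
# entries are illustrative placeholders, not real regulatory periods.
SCHEDULE = {
    "trade_record": [("MiFID minimum", 7 * 365)],
    "kyc_file": [("financial-crime placeholder", 5 * 365),
                 ("business need placeholder", 3 * 365)],
    "marketing_consent": [("data-minimisation placeholder", 2 * 365)],
}

@dataclass(frozen=True)
class Asset:
    name: str
    data_type: str
    created: date
    environment: str  # "live" or "backup"

def effective_retention_days(data_type):
    """A record must satisfy every applicable minimum, so the longest one
    governs. None signals a gap: a data type the schedule never covers."""
    rules = SCHEDULE.get(data_type)
    return max(days for _, days in rules) if rules else None

def classify(asset, today):
    """Return 'no_schedule', 'retain' or 'delete_candidate' for one asset."""
    days = effective_retention_days(asset.data_type)
    if days is None:
        return "no_schedule"
    due = asset.created + timedelta(days=days)
    return "delete_candidate" if today >= due else "retain"

def review(assets, today):
    """Cross-reference an inventory against the schedule. Backups run on the
    same clock as live copies, so a backup held past the period is reported
    instead of silently outliving the deleted live record."""
    report = {"no_schedule": [], "delete_candidate": [], "retain": []}
    for a in assets:
        report[classify(a, today)].append((a.name, a.environment))
    return report

# Constructed inventory, reviewed as of TODAY.
TODAY = date(2024, 1, 1)
INVENTORY = [
    Asset("trade-2015-0001", "trade_record", date(2015, 6, 1), "live"),
    Asset("trade-2015-0001", "trade_record", date(2015, 6, 1), "backup"),
    Asset("trade-2020-0042", "trade_record", date(2020, 3, 9), "live"),
    Asset("kyc-client-77", "kyc_file", date(2018, 1, 15), "backup"),
    Asset("hr-appraisal-12", "hr_file", date(2010, 5, 5), "live"),
]
```

Running `review(INVENTORY, TODAY)` flags the HR file as a schedule gap, the 2015 trade record (both live and backup copies) and the KYC backup as deletion candidates, and retains the 2020 trade record.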

A well-defined - and importantly, well implemented - data retention strategy is an essential tool which protects firms and their customers, mitigates regulatory risk and cyber security threats, and provides significant operational benefits. By taking steps like those outlined above, you can ensure your firm strikes the Goldilocks balance of data retention.

Reach out
How we can help

If you would like support in any or all of these areas, BeyondFS can help you identify and prioritise the gaps in your data retention framework and construct a plan to address them.
