Developing a Defensible Disposition Process
Starting in January of 2023, businesses subject to the California Privacy Rights Act (CPRA) may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell (CPRA Section 1798.100). Given the complexity of the upcoming CPRA requirements, we are publishing a series of articles on this topic. Our first article introduced and reviewed the unique data retention and notice requirements of the CPRA. Our second article provided guidance on developing a functional records management program. This third article reviews the creation of a defensible disposition process.
Section 1798.100 of the CPRA, “General Duties of Businesses that Collect Personal Information,” states that businesses subject to the CPRA need to disclose:
The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
In order to comply with the retention requirements of the CPRA, companies need to support records retention with an effective, actionable process for disposing of data that is past its retention period, and that process must be defensible in court and before regulators, auditors, and others. In this article, we’ll provide guidance on how to create a defensible disposition process.
Companies should consider adopting the following principles to guide their development of an effective defensible disposition process. Disposition should:
Be repeatable and predictable
Be a process in support of a policy
Rely on low/no human decision-making during execution
Be consistent, documented, and repeatable – perfection is not required
We’ll dig into each of these in the rest of the article to help guide you in better understanding and leveraging them in your own company to ground your disposition efforts.
First, defensible disposition needs to be repeatable and predictable so that courts, regulators, auditors, and others do not view your disposition process as “capricious”, i.e., subject to whim. It is generally not good for a court, regulator, or auditor to consider a compliance activity capricious, because capriciousness often leads to inconsistent or erratic execution—both of which undermine efforts to demonstrate defensibility. Rather, your goal should be that courts, regulators, and auditors view your disposition process as the result of a considered, reasonable effort to comply with laws and regulations.
In order to do this, defensible disposition should be developed as a process in support of a published policy that codifies the “what” of disposition, whereas the process will provide the “how”. In general, companies could address the “what” of disposition in several ways, from including it in adjacent policies (such as records management or information governance) to addressing it in a stand-alone policy (such as information lifecycle management or data clean up). But no matter how your company chooses to address the “what” of disposition, the “how” may not be defensible unless you take the time to develop and document the process.
Another important principle for defensible disposition is to design the process to require low (or no) human decision-making for successful execution. After all, if the disposition process requires end-users to decide whether each piece of data should be disposed of, it will be impossible to scale across even a single terabyte of data and the millions or tens of millions of documents or rows of data it contains. Furthermore, if end-users must decide what constitutes “stale”, “junk”, “redundant”, or “sensitive” data each time the process is executed, it introduces the likelihood that different end-users will make different decisions when faced with the same (or largely similar) data—which in the eyes of courts, regulators, and auditors will be deemed to be capricious, i.e., not defensible. For that reason, all meaningful decisions should be made when the process is being defined rather than deferring these hard decisions until run-time.
Finally, although defensible disposition is founded on a consistent, repeatable, documented process, it absolutely does not require perfection. Courts, regulators, and auditors generally look favorably on compliance activities that are based on policy, rely on documented processes, and minimize individual decision-making—even if the results of that process may have been sub-optimal in any given instance. They generally look unfavorably on compliance activities that are not based on policy, lack a documented process, or rely overly on human decision-making—even if the results of that process in any given case are optimal, because this will ultimately lead to inconsistent or erratic execution.
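The four principles above describe a process whose decisions are fixed when the policy is written, so that execution is mechanical and every run produces the same answer for the same data. The following Python sketch is an added illustration of that shape and is not part of the original article or the authors’ material. It assumes a retention schedule expressed as data (the “what”), a disposition job that applies it without human judgment (the “how”), and an audit record that ties each run to the exact policy version that drove it. The categories, retention periods, record layout, and the legal-hold override are constructed assumptions for the example, not values taken from the CPRA or from any records schedule.

```python
"""Policy-driven disposition job (added example, not the article's own code).

The retention schedule is the policy: it is decided once, at design time.
The job applies it deterministically and records a reason for every decision,
so a reviewer can reproduce the run and see which policy version produced it.
"""
from dataclasses import asdict, dataclass
from datetime import date, timedelta
import hashlib
import json

# Constructed retention schedule (hypothetical categories and periods, in days).
# In practice these come from the company's approved records schedule.
RETENTION_SCHEDULE = {
    "customer_contact": 365 * 3,
    "support_ticket": 365 * 2,
    "web_analytics": 400,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # assumption: holds are flagged upstream, not decided here


@dataclass
class Decision:
    record_id: str
    action: str  # one of "dispose", "retain", "hold"
    reason: str


def evaluate(record, as_of, schedule=RETENTION_SCHEDULE):
    """Apply the schedule to one record. No judgment call happens here."""
    if record.legal_hold:
        return Decision(record.record_id, "hold", "legal hold overrides the retention schedule")
    days = schedule.get(record.category)
    if days is None:
        # Fail safe: an unclassified category is a policy gap, not a run-time decision.
        return Decision(record.record_id, "retain",
                        f"no retention period defined for category {record.category!r}; escalate to policy owner")
    expires = record.created + timedelta(days=days)
    if as_of >= expires:
        return Decision(record.record_id, "dispose", f"retention of {days} days expired on {expires.isoformat()}")
    return Decision(record.record_id, "retain", f"retention expires on {expires.isoformat()}")


def run_disposition(records, as_of_iso, schedule=RETENTION_SCHEDULE):
    """Evaluate every record as of the given ISO date and build an audit record.

    Records are processed in a fixed order and the schedule is hashed, so two runs
    over the same inventory and policy yield identical output.
    """
    as_of = date.fromisoformat(as_of_iso)
    ordered = sorted(records, key=lambda r: r.record_id)
    decisions = [evaluate(r, as_of, schedule) for r in ordered]
    policy_hash = hashlib.sha256(json.dumps(schedule, sort_keys=True).encode()).hexdigest()
    audit = {
        "run_date": as_of.isoformat(),
        "policy_sha256": policy_hash,
        "decisions": [asdict(d) for d in decisions],
    }
    return decisions, audit


# Constructed sample inventory for a stand-alone run.
SAMPLE_RECORDS = [
    Record("r-003", "web_analytics", date(2022, 11, 1)),
    Record("r-001", "customer_contact", date(2020, 6, 30)),
    Record("r-002", "customer_contact", date(2023, 2, 1)),
    Record("r-004", "support_ticket", date(2021, 1, 10), legal_hold=True),
    Record("r-005", "marketing_lead", date(2019, 1, 1)),  # category absent from the schedule
]

if __name__ == "__main__":
    _, audit_record = run_disposition(SAMPLE_RECORDS, "2024-01-15")
    print(json.dumps(audit_record, indent=2))
```

Two design choices follow directly from the principles in the text. A record whose category has no retention period is retained and escalated rather than disposed of, because deciding its fate during the run would be exactly the kind of ad hoc judgment the process is meant to remove. And the audit record carries a hash of the schedule that was applied, so that when a result is later questioned, the company can show which version of the policy produced it and rerun the job to obtain the same outcome.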
Although you will still need to write and adopt a policy to support disposition and define a process to effectuate it, these core principles will help ensure that whatever you develop will be more defensible should you ever need to justify yourself to courts, regulators, or auditors. The last article in this series will provide guidance on how to use your data inventory to update your privacy notice with the required retention periods for each category of personal information.
This article is authored by Joe Shepley and Collen Yushchak from the Ankura Cybersecurity & Data Privacy Practice. We received permission to republish the article here for the ADCG Community. The original publication can be found here.