Walking the Line between Growing the Business and Data Retention Compliance
Growing the business: When you know your guests you can anticipate their needs and turn them into regulars. A winery can gather data about guests such as their wine and food preferences, visit history and more. The more you collect, the better, right?
As it turns out – not always.
Personal data is increasingly regulated at the state level, and privacy retention requirements dictate that data shall not be retained for longer than it is needed, as defined by your own policy. This is different from records retention, where the retention period is generally "no less than" the legal requirement, usually measured in years rather than days or months.
The legal and compliance risks of violating each kind of retention rule are very different as well. If a record is kept longer than the legal requirement, the biggest issue is generally the cost of storing it longer than needed, followed by the cost of searching those records for responsive material should there be a lawsuit.
With personal data retained longer than your policy allows, the risk is regulatory fines, and privacy fines can be very large, as Meta (the technology company based in California) found with its GDPR fine ($1.3 billion!) and Sephora (the French multinational cosmetics and beauty retailer) with its CCPA settlement ($1.2 million).
- How do you balance the need for customer data to make your winery profitable against the risk of keeping customer information too long and losing those profits to a fine?
- How do you identify and remove a customer's data when the client asks to be forgotten? Have you considered all the places where your client's information can reside?
  - Can you find their data across all your departments, such as marketing, wine club memberships, customer service, accounts receivable and event planning?
  - Have you defined who manages the data gathered in customer onboarding forms, and where that information is now?
  - If you offer personal wine service via QR codes at specific locations in your vineyard, who manages the data collected from those requests?
  - If you have boxes and boxes of paper forms in the warehouse, who is responsible for removing specific customer data from those paper documents so that you comply with data governance regulations?
The roles and responsibilities are defined in Policies and Procedures Manuals focused on data, information and records management. Your employees should then be trained in both the "how" and the "why" to improve understanding and compliance. A first step toward compliance is deploying a content management system for all departments built on "Least Privilege," so that only staff with rights to specific pieces of information can see them, let alone access them. When a request to be forgotten is received, you will have only one place to look (once the P&P and training are complete!). This ensures that your team has completed the tasks necessary to be compliant and gives you peace of mind.
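The two retention rules above pull in opposite directions when a customer asks to be forgotten: personal data must go, but a record inside its legal minimum (an invoice, for instance) must stay. The script below is an added example, not code from the page or from Western Integrated Systems, showing how a single cross-department registry can apply both rules. The categories, retention periods, department names and sample records are constructed assumptions for illustration, not figures from any statute.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample policy for this example. Categories, periods and department
# names are assumptions, not figures from the page or from any regulation.
PERSONAL_DATA_MAX_DAYS = {      # privacy rule: keep NO LONGER than this
    "wine_preferences": 365,
    "visit_history": 730,
    "onboarding_form": 180,
}
RECORD_MIN_DAYS = {             # records rule: keep NO LESS than this
    "invoice": 7 * 365,
    "age_verification": 3 * 365,
}


@dataclass
class Item:
    department: str
    customer_id: str
    category: str
    created: date
    status: str = "live"        # live | erased | anonymized


class RetentionStore:
    """One registry spanning every department, so an erasure request has one place to look."""

    def __init__(self, items):
        self.items = list(items)

    def live_items_for(self, customer_id):
        return [i for i in self.items if i.customer_id == customer_id and i.status == "live"]

    def apply_retention(self, today):
        """Privacy side: erase personal data held past its category maximum.
        Records categories are never touched here; their rule is a minimum, not a maximum."""
        erased = []
        for item in self.items:
            max_days = PERSONAL_DATA_MAX_DAYS.get(item.category)
            if max_days is None or item.status != "live":
                continue
            if today - item.created > timedelta(days=max_days):
                item.status = "erased"
                erased.append(item)
        return erased

    def erase_customer(self, customer_id, today):
        """Right-to-be-forgotten request: erase what can be erased; for records still
        inside their legal minimum, unlink the identifier but keep the record."""
        outcome = {"erased": [], "anonymized": [], "departments": set()}
        for item in self.live_items_for(customer_id):
            outcome["departments"].add(item.department)
            min_days = RECORD_MIN_DAYS.get(item.category)
            if min_days is not None and today - item.created < timedelta(days=min_days):
                item.status = "anonymized"
                item.customer_id = None     # no longer tied to a person, but the record survives
                outcome["anonymized"].append(item)
            else:
                item.status = "erased"
                outcome["erased"].append(item)
        return outcome


def build_sample_store():
    """Constructed sample records from several departments (not real customer data)."""
    return RetentionStore([
        Item("marketing", "C-100", "wine_preferences", date(2022, 1, 10)),
        Item("wine_club", "C-100", "visit_history", date(2023, 6, 1)),
        Item("accounts_receivable", "C-100", "invoice", date(2023, 3, 15)),
        Item("events", "C-100", "onboarding_form", date(2023, 11, 20)),
        Item("marketing", "C-200", "wine_preferences", date(2023, 9, 1)),
    ])


def run_demo(today=date(2024, 1, 15)):
    """Run the scheduled retention sweep, then an erasure request for customer C-100."""
    store = build_sample_store()
    expired = store.apply_retention(today)
    result = store.erase_customer("C-100", today)
    return {
        "expired_by_policy": [(i.department, i.category) for i in expired],
        "erased_on_request": [(i.department, i.category) for i in result["erased"]],
        "kept_anonymized": [(i.department, i.category) for i in result["anonymized"]],
        "departments_touched": sorted(result["departments"]),
        "remaining_live_for_customer": len(store.live_items_for("C-100")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the registry is that the erasure request reports which departments held the customer's data and what happened to each item, so the invoice that must be kept for its minimum period is unlinked rather than silently deleted or silently ignored. Paper forms in the warehouse still need a manual step; this only handles what has been inventoried.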
If your data, information and/or records Policies and Procedures have not been updated since January 2023 (or if you have not started the compliance process and your procedures do not even exist yet!), reach out to Western Integrated Systems for an informative assessment and a cost-effective roadmap to compliance. Our technology and information governance experts implement solutions in an efficient, easy-to-understand way, in a language everyone can understand. Waiting to see whether you incur fines is not the answer. Contact us today; Western Integrated Systems has the solution.