A company handbook and a data retention policy are two critical steps in protecting your business's data and limiting liability. Few things end a business faster than non-compliance with the laws that apply to it, and in the data-driven world of Web3, any company with a digital footprint should have comprehensive policies and plans to ensure it follows best practices, thereby protecting both its customers and itself.
What is a company/employee handbook?
A company/employee handbook provides employees with information about a business's mission, values, policies, procedures, and code of conduct. They may sound dry, and they often are, but the information in a company/employee handbook can provide significant value for employees and businesses alike. A detailed handbook ensures that every employee has advance notice of the business's policies, and it serves as an invaluable resource when basic questions about company policy and procedure inevitably arise.
Company/employee handbooks can and should outline expectations for current employees, but may also set forth policies and procedures that help operations run smoothly in the absence of instant oversight from higher-ups. Handbooks can ensure that policies and procedures are enforced and followed consistently as a business grows.
Given the data-driven nature of Web3 and digital assets, and particularly in light of its ever-changing regulatory landscape, one of the central policies covered by such a handbook should be a data retention policy.
What is a data retention policy?
A data retention policy is a policy or plan that details how and for how long a company stores each category of data, and how it disposes of that data when the retention period ends. The rules may vary depending on the type of data and how that data is used. Implementing such a policy helps companies track, manage, and, if necessary, recover data in the event of a breach or other situation that leads to data loss.
While such policies are not always required by law (that depends on where an organization is headquartered and/or doing business), a data retention policy helps protect data and avoid the financial, civil, and criminal penalties that can follow from non-compliance or lax data management.
Such policies cover a wide range of information and records including but not limited to:
- Electronic communications and business correspondence
- Digital documents
- Accounting and tax data
- Invoices, sales, and billing information
- Personal information
With a data retention policy in place, companies can more easily follow the requirements of laws such as the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Willful or negligent violation of such laws can result in fines totaling thousands, and in some extreme cases, millions of dollars. Companies with data retention policies have a clearer idea of what data they have, how they can store it, and how they can use it, and that knowledge makes compliance with regulatory requirements around the world significantly easier. A data retention policy does not just save companies money and time by limiting liability; it can also significantly lower data storage costs, because data that is disposed of on schedule no longer has to be stored, secured, or accounted for in the event of a breach.
Questions to ask and what to include when creating a data retention policy
A comprehensive data retention policy will start by defining its purpose, potential concerns, and scope. It will also discuss any and all laws that apply to the data covered by the policy. Next, the policy will detail retention requirements: a retention schedule (how long each category of data is kept and what triggers its disposal), rules for safeguarding and disposing of data, and rules and procedures concerning breaches and compliance.
Businesses should also audit all data they have collected to ensure the policy covers each type of data they store. Such an audit can reveal crucial distinctions, such as the location of your data and of your data subjects, which in turn may affect which laws and regulations apply.
To start, ask:
- What kinds of data do we collect?
- How do we collect our data?
- Where do we collect our data?
- How do we store our data?
- Where do we store our data?
- How long do we need to keep each kind of data, and how do we dispose of it afterward?
- What laws and regulations apply to our business and the kinds of data we collect?
Answering the above questions is a strong start to the process of creating a data retention policy. However, given the dangers of non-compliance and the sometimes litigious nature of regulatory agencies around the world, especially within the United States, businesses should exercise caution and consult both their own internal compliance teams and digital asset law experts such as the lawyers here at Kelman PLLC.
Fill out our contact form here to set up a free 30-minute consultation.
Written By: Wyatt Noble and Michael Handelsman