A decade ago, companies devoted significant resources to creating and maintaining robust databases of customers and potential customers. Salespeople were taught to record not just names, addresses and phone numbers, but also little details such the names of the customers’ children, their favorite sports teams, their wedding anniversaries, and other pieces of personal information handy to reinforce personal relationships and generate goodwill. The goal was to develop closer relationships with customers so they would be more inclined to buy goods or services for you as opposed to your competitors. Having devoted time and money to capturing all of this information, companies justifiably wanted to maintain the information for long periods of time. Indeed, many kept information in the sales database forever – never purging information in the off chance that a lead would emerge years later.
As more states consider and pass sweeping privacy laws, however, companies are required to justify why they keep information, what they use it for, who they share it with, and how long they keep it. Gone are the days of storing lots of personal information forever with no reasonable chance of actually landing a deal. The emerging privacy laws require companies to limit the data they keep to only that which is directly tied to a legitimate business purpose. Companies are also required to disclose publicly the types of information they keep, the reasons why they keep it, and how long it is kept. The more data a company retains without any real chance of benefitting from it, the more complicated the required disclosures become.
Plus, companies need to secure and safeguard from hackers all of this data. Doing so increases operational costs spent on the technological protections required, the premium for cyber insurance to cover the risk, and the amount of training required for staff to prevent their inadvertently releasing or exposing the data. Keeping data that has no actual business value only increases the costs of responding to a (somewhat inevitable) data security incident.
There are lots of reasons why companies should examine the data they keep, where it is kept, why they keep it, and when it should be purged. States’ privacy laws compel this kind of examination, but it also makes good business sense.