
Keep Less, Risk Less. A Data Retention Schedule Isn’t Just a Legal Obligation: It’s a Strategic Tool

By Nathalie Lamontagne, Élyse Rioux and Dany Guimond-Valcourt

In Quebec, the Act respecting the protection of personal information in the private sector (“Law 25”) requires every organization to establish a framework for the retention, destruction or anonymization of personal information.

Beyond mere regulatory compliance, this requirement is a risk-reduction strategy: the less personal information you hold, the smaller your attack surface, the lower your storage and litigation costs, and the easier it is to keep control of what remains.

The more data you retain, the more you expose yourself to:

- High litigation and e-discovery costs, driven by the volume of records that must be collected, reviewed and produced

- A larger blast radius when a security incident does occur: more records compromised, and potentially more individuals to notify

- Regulatory sanctions: the absence of a retention and destruction framework is a violation in itself, independent of any breach


Real Cases: Breaches, Fines and Damaged Reputation

  • Desjardins retained nearly 3.9 million inactive files, some dating back decades, without a clear destruction process. The Office of the Privacy Commissioner of Canada found that this prolonged retention violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and significantly increased the risk of personal data breaches, as demonstrated by the massive leak that occurred between 2016 and 2018.[1]
  • TJX (parent company of Winners and HomeSense) offers another cautionary tale: driver’s licence numbers were kept indefinitely and were compromised during a major breach, resulting in millions of dollars in costs.[2]
  • Ashley Madison had promised to delete user data. However, the post-incident investigation revealed that the deleted profiles were still being stored. The outcome: a US$11.2 million settlement and long-lasting reputational damage.[3]

These examples show that excessive or poorly managed retention of personal data can lead to serious and costly consequences: security breaches, regulatory investigations, class-action lawsuits and reputational harm. To mitigate these risks, having a retention policy on paper is not enough: you need a clear, operational and well-documented retention schedule that is actually enforced.

What makes a retention schedule effective?

  • Clear timelines, specific triggers, and documented proof of destruction
  • Tailored processes and tools, with clearly defined roles
  • Logs and reports that demonstrate actions taken

In the event of an audit or legal dispute, a well-executed retention schedule becomes a strong defence.

Regulatory Requirements

Quebec—Law 25

- Section 3.2: Organizations must adopt a governance policy that outlines how personal information is retained and destroyed.

- Section 23: Personal information must be destroyed or anonymized once the intended purposes have been fulfilled.

- Section 91: Penalties may be imposed for improper retention or destruction of personal information in violation of Law 25.

Quebec—Regulation respecting the anonymization of personal information

- Anonymization must be carried out under the supervision of a person qualified in the field, using techniques consistent with generally accepted best practices.

- Organizations must conduct an analysis of the re-identification risks, maintain a detailed register of the anonymization process and periodically reassess the information they have anonymized.

Canada—PIPEDA

- Principle 5: Organizations must retain personal data only for as long as required to serve the identified purposes, then securely destroy it.

- According to the Privacy Commissioner of Canada's guidelines, organizations must implement clear policies and procedures for the secure destruction of personal information.[4]

Here are the essential steps to establish and implement a compliant, robust and legally defensible data retention schedule:

  1. Map the Data
    Identify the categories of personal information you hold, the purposes for which each is used, the legal requirements that apply to it, and every system and location where it is stored, including backups, exports and shared drives.
  2. Set Precise Retention Periods
    Determine how long each category should be retained, based on legal requirements (mandatory minimums) and operational needs (justifiable maximums).
  3. Establish Clear Triggers
    A retention period must count from a defined event. Examples include the end of a contractual relationship, the expiry of a legal limitation period, file closure or the completion of a project.
  4. Automate and Log Destruction
    Implement technical and organizational mechanisms that purge data once the period has elapsed, and keep activity logs of every purge.
  5. Document Proof of Actions
    Keep records, reports, screenshots or certificates showing that data was destroyed or anonymized in compliance with regulations.

Six Common Mistakes to Avoid

  1. Keeping everything "just in case": this increases risk without adding value.
  2. No clear triggers: retention periods exist on paper but nothing starts the clock, so they are never enforced.
  3. Forgetting backups: data deleted from production systems lives on in backups and archives.
  4. No proof of destruction: without logs or certificates, compliance is hard to establish after the fact.
  5. Promising deletion but failing to follow through, as seen in the Ashley Madison case.
  6. Uncontrolled duplication of records: multiple untracked copies make it impossible to ensure complete deletion when the primary document is destroyed.
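The five steps above and the mistakes just listed translate directly into a small enforcement routine, shown here as an added example that is not part of the original article or any product the authors describe. It assumes a hypothetical retention schedule (category, trigger event, days to keep after the trigger; the periods are illustrative, not statutory), an inventory that maps each record to every location holding a copy, and a hash-chained destruction log that an auditor can verify. A record with no trigger date is never purged (mistake 2), a copy in a location the routine cannot reach is reported as an incomplete destruction rather than silently skipped (mistakes 3 and 6), and every purge leaves a tamper-evident log entry (mistake 4). All data is constructed.

```python
"""Retention-schedule enforcement with a verifiable destruction log.

Added example (constructed data, hypothetical schedule); not the article's own code.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical schedule: category -> (trigger event, days to retain after the trigger).
# The periods are illustrative assumptions, not legal advice or statutory minimums.
SCHEDULE = {
    "customer_file": ("contract_end", 365 * 3),
    "job_application": ("decision", 180),
    "support_ticket": ("ticket_closed", 365),
}


@dataclass
class Record:
    record_id: str
    category: str
    triggers: dict[str, date]   # trigger name -> date it fired (absent if not yet fired)
    copies: set[str]            # every storage location known to hold a copy (step 1: map the data)


def destroy_by(record: Record) -> date | None:
    """Date from which the record may be destroyed, or None while the trigger has not fired.

    No trigger means indefinite retention, which is exactly the "no clear triggers" mistake:
    the caller should surface such records, not assume they are fine.
    """
    trigger, days = SCHEDULE[record.category]
    fired = record.triggers.get(trigger)
    return fired + timedelta(days=days) if fired else None


def due_for_destruction(inventory: list[Record], today: date) -> list[Record]:
    return [r for r in inventory if (d := destroy_by(r)) is not None and d <= today]


def purge(record: Record, stores: dict[str, set[str]]) -> set[str]:
    """Delete the record from every reachable store; return the locations actually purged.

    A location listed in record.copies but missing from `stores` (e.g. an offline backup
    set) is left out of the result, so the log entry will show the destruction as incomplete.
    """
    purged = set()
    for loc in record.copies:
        if record.record_id in stores.get(loc, set()):
            stores[loc].discard(record.record_id)
            purged.add(loc)
    return purged


@dataclass
class DestructionLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash."""
    entries: list[dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record: Record, today: date, purged: set[str]) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "record_id": record.record_id,
            "category": record.category,
            "destroyed_on": today.isoformat(),
            "locations_purged": sorted(purged),
            "locations_remaining": sorted(record.copies - purged),
            "complete": purged == record.copies,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry was altered, removed or reordered since it was written."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_schedule(inventory, stores, today, log: DestructionLog) -> DestructionLog:
    for r in due_for_destruction(inventory, today):
        log.append(r, today, purge(r, stores))
    return log


def run_sample(today: date = date(2025, 6, 30)):
    """Constructed inventory and stores; the 'backup' location is deliberately unreachable."""
    inventory = [
        Record("C-1001", "customer_file", {"contract_end": date(2021, 3, 31)}, {"crm", "backup"}),
        Record("C-1002", "customer_file", {}, {"crm"}),  # contract still active: no trigger
        Record("A-2001", "job_application", {"decision": date(2024, 11, 1)}, {"hr", "shared_drive"}),
        Record("T-3001", "support_ticket", {"ticket_closed": date(2025, 1, 15)}, {"helpdesk"}),
    ]
    stores = {
        "crm": {"C-1001", "C-1002"},
        "hr": {"A-2001"},
        "shared_drive": {"A-2001"},
        "helpdesk": {"T-3001"},
        # "backup" is intentionally absent: the routine cannot reach it.
    }
    log = run_schedule(inventory, stores, today, DestructionLog())
    return log, stores, inventory


if __name__ == "__main__":
    log, _, _ = run_sample()
    for e in log.entries:
        print(e["record_id"], "complete" if e["complete"] else "INCOMPLETE", e["locations_remaining"])
    print("log verifies:", log.verify())
```

Two design points matter in practice. First, the routine only knows about the copies the inventory lists, so the quality of the data map (step 1) bounds what "complete deletion" can mean; an untracked export is invisible to it, which is why the duplication mistake has to be addressed upstream. Second, the log records what was not purged as loudly as what was, so an unreachable backup produces an incomplete entry that someone must follow up on instead of a false claim of deletion.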

In summary, a well-designed retention schedule is a living tool. It must be updated, rigorously applied and thoroughly documented. It helps reduce costs, limit legal and operational risks, and protect your organization’s reputation. You can’t be exposed to a privacy breach for personal data you no longer hold!

Need support to ensure compliance, operationalize your policy or implement robust processes? Our team is here to help.
