Retention Discussion with John Montana

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

3 hours 39 minutes
Video Transcription
Hello. Welcome everyone pleased to bring you. Mr john montagna. He is a
expert in records management and attorney in the field
and I'm honored to have him join us today to help us understand better how
privacy has impacted him as a professional. And
john you've been a record retention expert, author and attorney
and the space for a long time. How has privacy impacted what you do
for your client? It's impacted in a great many ways uh, both in terms of, of, of, of the work product that you produce and and how you think about producing network product. So if you look at the work product first, you know, one of the, one of the primary things you produce in my businesses, things like records retention schedules for folks.
And with that, he will typically produce policies and procedures and other
associated artifacts. Um, the philosophy that necessarily you approach it with has changed dramatically with the increasing advent of privacy laws because you can no longer be conservative. You know, it used to be very much the case that when you are developing retention schedule,
a retention period that was
conservative in the sense of being quite long, was perfectly acceptable to many people. And in many instances because absent some compelling legal downside, like expensive discovery, which which was a concern, uh basically it was a no harm, no foul kind of situation. As long as you are prepared to absorb the administrative burden of keeping the records for for some additional period of time
uh that you cannot do that any longer, right? Uh These days one you often have a an explicit legal requirement that says you can't keep a record longer than X years, whatever that might be, that's increasingly the case in europe and and much of the rest of the world. Uh and and even when there is no such explicit requirement,
you have an obligation to do an analysis and reduce the retention period to the retention period.
It's as short as is compatible with reasonable business need in any of the legal requirements, which means you have to think those things through uh much more carefully. You have to really do an analysis of what legal requirements really truly do apply to a
to a to a record or a record series. Uh And and then you have to do the homework to consider. You know, what is a real period of business utility that isn't just a C. Y. A
kind of period, What's a real period of business utility. And that inevitably means that you have to one, you have to think this is a very carefully, which typically means producing retention periods. And number two, you have to document that and number three,
uh you have to be satisfied that that's gonna work for everybody. You know, there's a certain amount of reading the tea leaves
and deciding whether regulators are going to be satisfied with with the end result of your analysis. Right. And so that creates a situation where you can't, you can't um,
you can't shortcut the analysis on, on on what you're doing. You're obligated to think hard about it and not just pick a nice long number because, you know, that's at least as long as as necessary. Right? That won't work anymore. In many cases, you have to look at it very rigorously. And particularly when you're dealing with a european client,
you have to deal with it very rigorously to make sure that you're satisfied
that your reasoning is sound, that you've taken all the appropriate factors into account when you've done that. So that's what the work product looks like. Uh and and and that flows directly back to to to the the the
Thinking that goes into that work product, right? Because you really have to take a different approach and and with your client and with your own analysis and look very, very hard at the reasons that you're assigning for doing things. Again, you know, there's a tendency to default to
an easy, cheap analysis because people don't like to do the kind of hard thinking you need,
but but you have to you just really have to, because at the end of the day, you're gonna have to justify this to a regulator in a potentially adversarial situation. And not only that, but you have to balance this because in many cases, most cases, in the case of my client base,
you're having to do this sort of thing in a multi jurisdictional environment, typically a multinational environment, but increasingly within the United States, what with the CCP A and some of these other privacy laws that are coming out on the state level, the United States, you having to balance requirements across multiple states. And, you know, if you're a big american company doing business in all 50 states and, and europe and the Far East, where there's a lot of privacy was,
this becomes a very uh finally, balance balancing act, because you have to really make sure that you want to understand what the requirements in these places are. And number two, you have to come up with a strategic outcome that will, that will adequately address each of them.
And then of course, there's kind of a second generation of that, because once, you know, you can't just build a retention schedule and be done with it these days, and this is a really important part of it. The fact that matter is these privacy authorities take these laws very seriously
and and it can be very expensive if you are found to be in violation of them.
So there's a whole second generation set of questions which did not use to exist
which is how do we actually go do this in a real world environment
And in the last few years I would say that that's been the biggest change in my in my work because uh it's easy enough once you get the hang of it to make the appropriate analytical adjustments in the retention schedule.
But then when you ask yourself the question, well how do I take this retention schedule with all of these
fairly granular little requirements that our privacy based. How do I apply that in a big I. T. System? You know ASAP when it's got 70 countries with the records and how do I apply it in a big environment that has uh 500 or 1000 or 5000 different systems in it. Uh there you get into some real challenges particularly with legacy systems because these legacy systems are not built to accommodate these things and and the data is typically not structured in a way that that could accommodate it even if they were. So you started getting too real
um complex technical challenges and complex negotiations with the owners of those systems. That's the biggest change and that's the one that will will continue for the foreseeable future. You know ultimately uh devising appropriate retention schedule solutions
is a relatively straightforward thing. I think a lot of people get
sometimes you get used to it. But the question of how you apply this in a big complex I. T. System that's where the ongoing challenge is going to be and that's where I see it right now.
Yeah no I totally agree with you.
Um So the course you know being running a privacy program uh and managing that program
um involves working with council like yourself to make sure that the appropriate regulations are considered. What advice can you give to help privacy managers on what to ask the council to help them keep up with changing privacy regulatory landscape?
No that's a that's a that's a that's an enormous question and an enormous challenge because it is a very fluid landscape. So if you look at the United States right now uh and and and and again it's it's a it's an ill defined landscape as well because you have you have things that call themselves privacy laws,
you have things that call themselves data security laws, uh and and you have things which call themselves other kinds of laws,
uh and they all impact privacy in one way or another. So, so just defining the landscape that Iran is an enormous challenge and we struggle to do that constantly. Uh Second of all, once you've defined the landscape, and it ends up being a pretty broad landscape, because if you think about it, uh you know, privacy is impacted by regulatory requirements as well, because if there's a, for example,
a requirement that you keep your payroll records five years uh that automatically impacts any privacy related rule, you might apply to the same payroll records, right? Because you have to keep at least five years. And so, so there's a lot of interaction with other laws and uh in order to keep up with it, you know, you really do need some specialists, whether it's a specialist such as myself, that sort of has made a business out of
of of tracking these kinds of laws, or whether you have internal specialists, or maybe privacy specialists, uh, or other kinds of specialists. You need those kinds of specialists on your team in some form or another external internal,
but you also need a broad diversity of viewpoints when you're trying to achieve some of these things. Because at the end of the day,
it's not just a legal matter, it's not just a matter of legal compliance.
It's a matter of balancing those legal requirements against actual business need. It's a matter of balancing those against technological feasibility and technological cost. Uh, it's a matter of political negotiations between you and the many stakeholders who see themselves as having a large stake in this
and you need all of those people at the table in order to achieve a consensus, because at the end of the day, I think you do need to achieve a consensus while at the same time, uh not talking the problem to death, which is a problem you commonly see right. It's pretty easy. You can convene convene a large,
unwieldy lee committee that gets nothing done, but it makes a lot of power point presentations, right? And you see that a lot of business and particularly complicated areas like this where uh people mistake having lots of meetings are actually having progress. So, so you need those experts and you need to buy in from all of the various stakeholders at the end of the day, you have to have an efficient enough process to make sure that all of your stakeholders don't get in the way of actually achieving something
because the regulators mean it. And then the one thing we've learned in the past couple of years with the G. D. P. R. Is that the regulators are very serious about enforcing compliance and they're willing to enforce it with very, very expensive and painful penalties and other kinds of sanctions. So
so you have to figure out a way to keep the process moving. That's that's that's what I would say. You have to figure out a way to to ensure that the process continues to move forward and you do make progress
Well, to wrap up, I want to have you just plug your your book one that I've read several years back now, but about how to create a retention schedule.
Oh yeah. You know, uh one of the things about a book like that
is a lot of considerations have changed because that was that was written a few years ago and privacy was not quite the hot button issue it is today, uh but you still need a retention schedule. A matter of fact, you need a retention schedule now, more than you ever needed one in your life because retention schedule is going to be one of your key compliance tools if you comply with it, right, And,
and european privacy authorities will ask to see it. Uh and so the retention schedule itself will have changed,
but the method for constructing it will have not. So that book is still actually pretty valuable because it's a recipe for building a retention schedule and if you're in the privacy business, you will need a retention schedule for sure.
For sure. Yeah,
well john, thank you very much for your time today. I appreciate your insight. I'm sure the audience does as well and look forward to seeing you uh in the near future.
It's my pleasure. Thanks for having me. Thank you.
Up Next