Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1530716
Peer to Peer: ILTA's Quarterly Magazine | Winter 2024 | p. 60

LEGAL REQUIREMENTS FOR DATA DISPOSITION

As alluded to above, data disposition is not merely a best practice but a legal obligation enshrined in many regulations. The following are some of the privacy and cybersecurity regulations requiring data disposition.

The EU's GDPR

The General Data Protection Regulation (GDPR) in the European Union requires companies to periodically dispose of data that they have no legal or business reason to retain:

• Data Minimization Principle (Article 5(1)(c)): Organizations must limit the collection and retention of personal data to what is strictly necessary for the purpose for which it was processed. Once the data is no longer needed for the purpose for which it was collected, organizations must dispose of it. Failure to dispose of unnecessary data constitutes a violation of this principle.

• Right to Erasure (Article 17): Often referred to as the "Right to Be Forgotten," this provision gives individuals the right to request the disposition of their personal data. Organizations are obligated to erase such data unless legal or operational needs justify retention.

The GDPR has strict penalties for non-compliance. Fines can reach up to €20 million or 4% of annual global turnover.

California's CCPA

The California Consumer Privacy Act (CCPA) similarly emphasizes the importance of data disposal:

• Data Minimization Principle (Section 1798.100(c)): While not explicitly termed as such, the CCPA requires businesses to collect, use, and retain personal information only as reasonably necessary and proportionate to achieve the disclosed purposes. Businesses must dispose of data once its purpose has been fulfilled.

• Right to Deletion (Section 1798.105): Consumers can request the deletion of their personal information. Businesses must comply unless specific exemptions apply, such as for legal obligations or ongoing business needs.

Organizations risk fines of up to $2,500 for each unintentional violation and $7,500 for each intentional violation under the CCPA. Notably, these fines are calculated per violation, which means they can quickly escalate to substantial amounts. For instance, if an organization fails to dispose of 100,000 records properly, the fine would be the applicable dollar amount multiplied by the number of records.

The USA's HIPAA

In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) establishes precise requirements for the disposal of protected health information (PHI):