Doing The Most (Strategically): Getting Privacy Readiness Right

Samantha R. Poindexter, ESQ, Counsel at Access

We admire an overachiever. Really, we do. But here’s the catch: overachieving isn’t about reacting on instinct just to be first or loudly innovative. Real overachievers know that informed action beats quick reaction every time. This distinction matters, especially when you’re navigating the ever-evolving world of legislation and the record-keeping effects it has on your organization’s retention schedule.

This tension becomes even more pronounced when you consider how quickly expectations shift compared to how slowly rules are written. Culture moves at the speed of light; law crawls through molasses, catching up only after the fact. That gap is exactly what fuels today’s urgency around privacy and retention decisions.

With the steady drumbeat of commentary around privacy concerns and the promise of forthcoming privacy legislation, it’s tempting to make sweeping, preemptive changes. One strategy we hear frequently from clients is the desire to impose both minimum and maximum retention periods across all record series.

It’s a thoughtful impulse. Privacy regulations will likely include maximum retention requirements for certain records, and a handful of such requirements already exist today. But they’re far from universal. Most privacy laws rely on a familiar (and admittedly vague) standard: records should be kept “no longer than necessary.”

So how do you overachieve without overcorrecting?

Start with Data Minimization

Audit your current retention schedule. Are records being kept longer than regulations require? If so, is there a clear and defensible business reason? Where possible, align closely with existing requirements and move away from over-retention that lacks justification.

Over-retention quietly increases risk. Records kept beyond their required life expand the scope of litigation, regulatory inquiries, and breach response, especially when there is no legal, contractual, or operational need to justify their existence. If the only justification is “just in case,” that’s not defensible. Thoughtful minimization is less like demolition and more like pruning. You remove what no longer serves the organization so the program remains healthy and supportable.

Next, Tighten up Disposition Procedures

Do they exist? Are they practical for how your organization operates? And perhaps most importantly: are they enforced?

Many retention schedules lack the workflows, ownership, or system triggers needed for organizations to properly act when a record has met its retention requirements. When disposition depends on manual effort or unclear accountability, execution becomes uneven. A retention schedule without execution is just well-intentioned documentation.

Finally, Plan for Change

Regulations will evolve. The question is whether your program can evolve with them.

Make sure you have a clear, repeatable process for monitoring legal updates and incorporating changes as they arise. That process should not rely on reactive overhauls every time a new regulation is proposed or passed. Instead, adaptability should be built into the program itself. You may not know exactly what the next privacy law will require, but you can ensure your retention framework is flexible enough to absorb change without causing chaos.

Overachieving Without Overcorrecting

We really do admire overachievers… as long as they’re strategic. In records and information management, overachievement is not about racing ahead of the law or locking in rules that do not yet exist. It is about building programs grounded in what is known, defensible, and executable today.

The most resilient retention programs are not the most aggressive. They are the most intentional. They minimize data with purpose. They enforce disposition with discipline, and they’re designed to adapt as regulations evolve.

Action for the sake of action does not make you an overachiever; it makes you an agent of chaos. The extra moment spent gathering the right information and designing for flexibility is what keeps your program adaptable, defensible, and future-ready, instead of balanced precariously on the cutting edge of promised rules written in Jell-O.


To dive deeper into data minimization and disposition strategies, watch the webinar recording of “School’s in Session: Lessons in Data Minimization and Risk Reduction.” In just 40 minutes, you’ll learn about:

  1. Collaboration for Information Governance: Engaging stakeholders and meeting them where they are is vital in information governance initiatives. Establishing shared terminology with stakeholders fosters clarity and alignment across teams.
  2. Overcoming Resistance to Data Destruction: Shifting organizational culture from a “keep everything” mentality to strategic data minimization requires careful socialization with leadership and clear policies, like retention schedules, to address fears of deletion.
  3. The Power of Language in Securing Buy-In: Reframing traditional terms like “records retention” and “destruction” as “data minimization” resonates better with teams and helps gain organizational support for cleanup initiatives.
  4. ROT Cleanup Is a Continuous Process: Addressing redundant, obsolete, and trivial (ROT) data isn’t a one-time task—it requires ongoing effort, much like organizing personal spaces. Success lies in aligning cleanup efforts with broader goals like information security and governance.

Watch the webinar recording with RJ Mauro of Valero and Steve Colombus of USAA today!