Reducing Privacy Fine Exposure on the Cheap
(With the Help of ChatGPT)
In this article, the author provides three versions of a data retention policy that appears compliant with GDPR or NIST.
After taking NACVA’s cybersecurity course, a student reached out to me asking for a Data Retention Policy template that would be compliant with the statutes and frameworks discussed in the course, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the EU’s General Data Protection Regulation (GDPR). I thought this might be a good question for large language models because the subject matter is old enough that a sufficiently large amount of material is available for an AI model’s training.[1]
I did not train a model on either GDPR or NIST (although I have now tasked a colleague with doing just that); I relied only on the publicly available information that may already have been ingested by the free version of ChatGPT. Part of this was a test to see what ChatGPT could answer about specific regulations. Many other models exist: open source, free, paid, or proprietary in-house (depending on your firm). The results are arguably superior to some work products I have seen in the past, and they include placeholders for the user to complete that address requirements beyond the inclusion of specific language, such as the requirement to identify a legal compliance officer.
In this article, I provide three versions of a data retention policy that appears compliant with GDPR or NIST.[2] Appendix 1 is the output for the prompt, “Write a data retention policy compliant with GDPR for a legal services firm.”
I have found that ChatGPT adjusts the tone of output well with few additional instructions, so Appendix 2 is the initial output for the writing prompt, “Write a data retention policy compliant with NIST for a legal services firm.” I then responded to that output with, “Make this more friendly,” but I found the output too friendly and responded to it with, “Include very firm language addressing failures.” Appendix 3 contains the result: friendly language but firm failure content. Note that the specific retention periods in all three outputs (six and seven years, and the reference to IRS requirements) are assumptions the model made about jurisdiction and applicable law, and they should be verified against the firm’s own statutory and professional obligations before the policy is adopted.
Appendix 1: GDPR Output
Data Retention Policy for [Legal Services Firm]
- Purpose
This Data Retention Policy outlines the practices and procedures for retaining and securely disposing of personal data collected, processed, and stored by [Legal Services Firm] in compliance with the GDPR. The policy aims to ensure that personal data is retained only for as long as necessary to fulfill its purpose, and that it is securely disposed of when no longer required.
- Scope
This policy applies to all personal data processed by [Legal Services Firm] during its legal services operations, including but not limited to data of clients, employees, contractors, and other third parties.
- Legal Basis for Retention
In compliance with GDPR, personal data will be retained based on the following principles:
- Lawful basis for processing [Article 6 GDPR].
- Purpose Limitation: Data will only be retained for as long as necessary to fulfill the specific purposes for which it was collected [Article 5(1)(b) GDPR].
- Data Minimization: Only the data necessary to fulfill those purposes will be retained [Article 5(1)(c) GDPR].
- Retention Periods
The retention period for personal data will vary depending on the type of data and the nature of the legal service. The following guidelines apply:
- Client Files: Personal data contained within client files (including documents, communications, and other legal records) will be retained for a minimum of six years after the closure of the case, in line with statutory requirements for legal documents and the limitation period for claims.
- Employee Data: Personal data of employees (including payroll, contract details, performance records, and other employment-related data) will be retained for seven years after the termination of employment, to comply with tax and labor law obligations.
- Contractor and Third-Party Data: Personal data of contractors and third parties will be retained for a period of six years from the conclusion of the contract or the last interaction, in line with applicable contract law and the statute of limitations.
- Marketing Data: Data collected for marketing purposes will be retained for no longer than three years after the last communication, unless the individual has opted into further communications.
- Financial Records: Financial data such as invoices, payments, and accounting records will be retained for seven years in compliance with tax and financial reporting regulations.
- Secure Disposal of Data
Once the retention period for personal data has expired, the data will be securely disposed of in a manner that prevents unauthorized access, use, or destruction. The following methods will be used:
- Physical Documents: Shredding or other secure destruction methods.
- Electronic Data: Deletion using methods that ensure the data cannot be reconstructed or retrieved, such as degaussing or securely wiping storage devices.
- Review of Data Retention
Data retention schedules will be reviewed periodically to ensure compliance with legal requirements and to ensure that data is not retained longer than necessary. Retention periods will be updated in accordance with changes in legislation or operational requirements.
- Data Subject Rights
In compliance with GDPR, data subjects have the right to:
- Request access to their personal data
- Request the correction or erasure of their personal data (subject to the applicable retention periods)
- Request the restriction of processing or object to the processing of their personal data
Requests for data access, rectification, or erasure can be made to [Contact Information for Data Protection Officer].
- Responsibility for Implementation
The [Data Protection Officer/Legal Compliance Officer] is responsible for ensuring that this Data Retention Policy is adhered to and for overseeing the secure disposal of data. All staff members are required to comply with the retention and disposal procedures outlined in this policy.
- Policy Review and Updates
This policy will be reviewed annually and updated as necessary to reflect changes in data protection law or the firm’s operational needs.
- Contact Information
For any questions or concerns regarding the data retention policy or to make a data subject request, please contact [Data Protection Officer or relevant contact person] at [Contact Details].
This policy provides a framework to ensure compliance with the GDPR’s data retention requirements while supporting the operational needs of the legal services firm.
Appendix 2: NIST Output
Data Retention Policy for [Firm Name]
Effective Date: [Date]
- Purpose
This Data Retention Policy outlines the procedures for retaining, managing, and disposing of data to ensure compliance with the NIST Cybersecurity Framework, applicable legal requirements, and best practices for safeguarding sensitive and personal information.
- Scope
This policy applies to all employees, contractors, and third parties handling any form of data within [Firm Name]. It governs all data storage, retention, and deletion practices related to firm operations, including but not limited to client records, communications, case files, financial records, and administrative data.
- Data Classification
Data handled by [Firm Name] shall be classified into the following categories based on its sensitivity and legal requirements for retention:
- Confidential/Legal Records: Includes client case files, communications, contracts, and other materials that are subject to attorney-client privilege or other legal protections.
- Financial Records: Includes billing, invoices, tax records, and payment data.
- Operational Data: Includes e-mails, internal communications, documents related to firm operations, HR records, and other administrative records.
- Publicly Accessible Data: Includes information intended for public distribution, such as marketing materials, press releases, and publicly accessible case information.
- Retention Periods
The following retention periods are established based on legal, regulatory, and best practice guidelines:
- Confidential/Legal Records: Retain for a minimum of seven years after the conclusion of a case or business relationship, unless otherwise required by specific regulations or legal mandates. In some cases, retention may extend indefinitely if the records are subject to ongoing legal obligations.
- Financial Records: Retain for seven years to comply with IRS regulations and other financial reporting requirements.
- Operational Data: Retain for three years after the termination of employment, contract, or project, unless a longer retention period is legally required.
- Publicly Accessible Data: Retain for a maximum of three years unless an ongoing marketing or business strategy necessitates continued availability.
- Data Storage and Security
All retained data must be securely stored according to the firm’s cybersecurity protocols, following NIST standards for data protection. Data should be encrypted both at rest and in transit, with access limited to authorized personnel only. Data backups must be encrypted and stored in a secure off-site location, and backup retention periods should align with the retention schedules outlined above.
- Data Disposal
Once data reaches its designated retention period, it should be securely destroyed or anonymized to prevent unauthorized access or recovery. The following disposal methods will be used depending on the format of the data:
- Physical Records: Shredding or incineration of paper records.
- Electronic Records: Secure deletion or overwriting of digital files to ensure they cannot be recovered.
- Cloud and Third-Party Services: Request that service providers securely delete data in accordance with NIST guidelines and any applicable service agreements.
- Roles and Responsibilities
- Data Steward: The Data Steward is responsible for ensuring compliance with this policy, monitoring retention schedules, and ensuring proper disposal of data.
- IT Department: The IT Department is responsible for implementing technical controls, including encryption, secure access, and regular audits of data retention practices.
- Legal Department: The Legal Department must review and update retention schedules as needed to ensure compliance with legal requirements and industry best practices.
- Employees: All employees must adhere to this policy and ensure that data they create, access, or manage is retained and disposed of in accordance with its classification and retention period.
- Data Retention and Access Audits
[Firm Name] will conduct annual audits of data retention practices, including reviewing compliance with retention schedules and data security measures. Any non-compliance will be addressed through corrective actions, and ongoing training will be provided to staff to reinforce the importance of adhering to data retention guidelines.
- Exceptions
In certain cases, retention periods may be extended or shortened due to specific legal, contractual, or operational requirements. Exceptions must be documented and approved by the Data Steward in collaboration with the Legal Department.
- Policy Review and Updates
This policy will be reviewed annually or as needed to ensure it remains compliant with the latest regulations, security standards, and NIST Cybersecurity Framework updates. The Legal Department will ensure that all changes are communicated to relevant staff and that any necessary training is provided.
- Compliance
Failure to comply with this policy may result in disciplinary action, including termination of employment, as outlined in the firm’s Code of Conduct.
This policy aligns with the NIST Cybersecurity Framework’s core functions: identify, protect, detect, respond, and recover. By adhering to clear data retention schedules and security practices, [Firm Name] minimizes risks associated with data breaches, legal non-compliance, and loss of critical information.
Appendix 3: NIST Output, Friendly but Firm
Certainly! Here is a revised version of the policy with more firm language around addressing failures to comply with the data retention guidelines.
[Firm Name] Data Retention Policy
Effective Date: [Date]
- Purpose
This Data Retention Policy is designed to ensure that we properly manage and protect data, in accordance with legal requirements, cybersecurity best practices, and the NIST Cybersecurity Framework. The policy outlines how we retain and securely dispose of data, and the consequences of failing to follow these guidelines.
- Who This Applies To
This policy applies to all employees, contractors, and third-party vendors who handle any data within [Firm Name]. It covers all data types, including client case files, internal communications, financial records, and other operational information.
- What Kind of Data Do We Handle?
Data is categorized according to its sensitivity and legal retention requirements:
- Confidential/Legal Records: Client case files, attorney-client privileged materials, contracts, and other sensitive legal documents.
- Financial Records: Billing information, invoices, tax records, and payment-related documents.
- Operational Data: Internal communications, HR files, and records related to firm operations.
- Publicly Accessible Data: Marketing materials, press releases, and case details that are publicly shared.
- How Long Do We Keep Data?
Data will only be retained for the duration required by law, regulation, or business need. Here is the retention schedule:
- Confidential/Legal Records: At least seven years following the conclusion of a case or business relationship, or longer if required by law.
- Financial Records: Seven years, in compliance with IRS and financial reporting regulations.
- Operational Data: Generally retained for three years after a project or employment ends, unless legal or business needs dictate otherwise.
- Publicly Accessible Data: Up to three years unless it is still useful for business or marketing purposes.
- How Do We Store and Protect Data?
Data must be stored securely, following best practices for encryption and access control. Only authorized personnel will have access to sensitive data, and all backups will be encrypted and securely stored off-site.
- How Do We Dispose of Data?
Once data reaches the end of its retention period, it must be securely destroyed to prevent unauthorized access. The disposal methods are as follows:
- Physical Records: Shredding or incineration of paper files.
- Electronic Records: Secure deletion or overwriting of digital data to ensure it cannot be recovered.
- Cloud/Third-Party Providers: We will require that third-party services delete data according to this policy and our contractual obligations.
- Roles and Responsibilities
- Data Steward: Responsible for ensuring compliance with this policy, including monitoring data retention and disposal activities.
- IT Department: Ensures that all data is stored securely and that appropriate cybersecurity measures are in place.
- Legal Department: Responsible for reviewing legal retention requirements and ensuring we are compliant with regulations.
- All Employees: Each employee is responsible for understanding and following this policy. Ignorance of the policy will not be an acceptable defense in the event of a violation.
- Audits and Monitoring
[Firm Name] will conduct regular audits of our data retention practices. These audits will review the retention schedules, security measures, and data disposal practices to ensure compliance with this policy and legal requirements. Non-compliance will be addressed immediately and may result in disciplinary action.
- Addressing Failures to Comply
Failure to comply with this policy, whether intentional or due to negligence, will not be tolerated. The firm takes any deviation from these standards seriously. Consequences of non-compliance may include:
- Immediate corrective action, including additional training or process changes.
- Disciplinary action, up to and including termination of employment or contract.
- Legal or financial repercussions if the failure to comply results in a data breach, legal liability, or damage to the firm’s reputation.
All violations will be investigated thoroughly. If a failure to follow this policy is identified, the person responsible will be held accountable and corrective actions will be taken.
- Exceptions
Any exception to this policy must be explicitly documented and approved by both the Data Steward and the Legal Department. Exceptions will only be granted for valid business, legal, or regulatory reasons, and all approvals will be documented for future reference.
- Review and Updates
This policy will be reviewed annually, or sooner if needed, to ensure it remains up-to-date with changes in regulations, business needs, or best practices. Any changes will be communicated to all staff, and appropriate training will be provided to ensure compliance.
- Compliance
Failure to comply with this policy will result in consequences, as outlined in our Code of Conduct. This includes potential legal action or financial penalties if the failure leads to breaches of confidentiality, loss of data, or regulatory violations.
By adhering to this policy, [Firm Name] aims to protect sensitive data, reduce legal risks, and maintain the highest standards of data governance. Any failure to follow this policy will be taken seriously and addressed promptly, to ensure the firm’s data practices remain secure and compliant.
[1] Each model can be trained on a wide variety of information, but the free and/or open versions are generally trained on information that is several years old; for anything newer than that, the model struggles to produce relevant output.
[2] In accordance with NACVA’s Advisory Brief on AI, outputs of any model should be reviewed by the specific user for accuracy and relevance prior to use and should be used to augment, not replace, professional expertise. See https://www.nacva.com/advisorybrief.
Dorothy Haraminac, MBA, MAFF, CFE, PI, provides financial forensics, digital forensics, and blockchain forensics under YBR Consulting Services, LLC, and teaches software engineering and digital forensics at Houston Christian University. Ms. Haraminac is one of the first court-qualified testifying experts on cryptocurrency tracing in the United States and provides pro bono assistance to victims of cryptocurrency investment scams to gather and summarize evidence needed to report to law enforcement, regulators, and other parties. If you or someone you know has been victimized in an investment scam, report it to local, state, and federal law enforcement as well as federal agencies such as the FTC, the FCC, and the IRS.
Ms. Haraminac can be contacted at (346) 400-6554 or by e-mail to admin@ybr.solutions.