Constantine Karbaliotis, Christi Perri

It’s trite to say that one of the best de-risking exercises in privacy is to get rid of data. Yet it is also trite to say that retention is one of the areas in which most companies set themselves up for failure – first by adopting a retention schedule and policy that they then do not comply with.

Historically, the over-retention of data has compounded data breaches by exposing far more information than should have been retained. DSARs, both from consumers and now, in California, from employees (given that the employee exemption from CCPA is set to expire at the end of 2022), will likely expose organizational over-retention even further, with complaints and litigation increasingly likely. Just as importantly, it is essential to be able to articulate that the retention of data is being done pursuant to legal and business requirements, so as to avoid unneeded challenges and complaints. Experience under GDPR has shown that failure to abide by retention schedules, even in the absence of a breach, has resulted in significant fines, as retention needs to be linked to valid legal and business purposes.

This session will focus on the relationship between privacy and data retention requirements and programs, and how this relates to responding to DSARs efficiently and defensibly.


Constantine Karbaliotis, Senior Privacy Advisor, Exterro
Christi Perri, Senior Manager, Office of Privacy, Toyota Motor North America

