by Robert Johnson, Engagement Manager – Info Governance
It was not that long ago that the Global Positioning System, or GPS, was a novelty. The system was adopted as a means to prevent getting lost on a long drive. Today, it’s everywhere. Trucks carrying inventory to stores across the country, nurses finding critical equipment inside hospitals, customers withdrawing cash from ATMs, or shoppers paying with their phones—all of these everyday actions rely on the invisible web of GPS data.
Beyond convenience, however, is a more complex story: every time a GPS-enabled system logs a location, it creates a record. These records don’t just vanish; they become part of an organization’s broader Records and Information Management (RIM) strategy. And like any other record, GPS data must be handled with care. Data must be stored, protected, and eventually disposed of in accordance with clear rules.
Privacy Rules the Road
That’s where retention schedules come in. A strong schedule doesn’t just say how long to keep a file; it identifies exactly what kind of GPS data is being collected, whether it’s raw logs, geospatial files, structured databases, or transaction records, and sets retention periods based on business needs, legal requirements, and audit obligations. Importantly, it also defines the end of the story: when and how that data will be securely deleted or anonymized so it can no longer be traced back to individuals.
Privacy sits at the heart of this process. Regulations like the GDPR in Europe and the CCPA in California make it clear that GPS data linked to an individual is private information, subject to strict rules regarding consent and use. A hospital may need to track the location of its staff during an emergency, but that doesn’t override its duty to protect personal information. A bank may monitor ATM transactions, but it must also comply with industry-specific regulations to ensure that data is secure.
The “Why” Behind Location Tracking
Organizations must also be transparent about why they are collecting GPS data. Is it for route optimization, for keeping employees safe in hazardous environments, or for something else entirely? Whatever the reason, documenting that purpose is a vital part of a sound record management policy.
Of course, simply knowing why the data is being collected isn’t enough. Strong security is essential. Regulations often dictate who can access GPS information, and organizations must support this with access logs, monitoring, and encryption to prevent unauthorized use. In fact, the logs and encryption record themselves often need to be retained for compliance reporting.
Finally, every piece of GPS data has a destination. When it reaches the end of its retention period, organizations face a choice: securely delete it to prevent reconstruction, or, if there is ongoing business value, anonymize and aggregate it so the insights remain but the identities do not.
Steering You Toward Smart Policies
The story of GPS in business isn’t just to keep us from getting lost; it’s about responsibility. As organizations continue to lean on GPS to power their operations, they must also navigate the regulatory and ethical landscape of data management. A clear, well-structured GPS data policy, backed by a strong retention schedule, ensures that convenience never comes at the cost of privacy, security, or compliance.
For additional insights on prioritizing data privacy and moving away from reactive compliance, read our whitepaper, Data Privacy for the Information Professional. The concepts it covers, such as Privacy by Design, are extremely valuable when managing and securing GPS data.