how-to-develop-an-effective-data-retention-policy
Blog Post

How to Develop An Effective Data Retention Policy

Every organization needs to develop an effective data retention policy to gain visibility and control over its information. But given the increasing complexity of today’s data systems and the constantly evolving regulatory landscape, creating a data retention policy is easier said than done. Add in the fact that data is typically scattered across multiple applications and multiple different departments, and the ability to keep tabs on an organization’s most critical information becomes even more complicated. An effective data retention policy can be the solution to this problem, and if maintained on an ongoing basis, can sustain an organization for years to come.

What does data retention mean?

Before we get into how to develop an effective data retention policy, let’s first define what data retention means. In simple terms, data retention is the continued storage and management of an organization’s data. From its initial inception, all the way to its eventual archival or deletion, the lifecycle of data can look different at every organization. From regulatory compliance to operational needs, there are tons of reasons why an organization may retain or delete data, but one thing’s for sure — we’re long past the era of solely maintaining digital and hard copy documents. Which makes a good data retention policy even more of a necessity.

Today’s reality is far more complex, especially in large enterprises that routinely deal with data sets spanning hundreds of terabytes across multiple systems and apps. Not to mention, a lot of data falls outside the jurisdiction of traditional data retention programs which previously only belonged to legal and compliance teams. Thus, developing an effective data retention policy is about more than just storing data for a specific amount of time to stay out of trouble. Now, data retention policies are about creating guidelines the entire organization can follow. Since every employee is a creator of data to some capacity, they too are responsible for the handling of their data.

Why do you need a data retention policy?

A data retention policy, also known as a records retention policy, is formal documentation of the rules and processes an organization follows to:

definition-of-data-retention-policy_data-retention-policy

Data retention is often viewed as a legal and compliance challenge, but as we’ve discussed, it’s much more than that. A robust data retention policy can add value to the entire business. Enterprise data is, after all, the fuel that drives most of today’s business decisions, and it’s often the most valuable asset an organization has.

An effective data retention policy can also help organizations overcome inefficiencies and reduce high costs. It can also reduce the productivity cost of having to navigate vast data sets spanning a multitude of cloud-hosted apps. In other words, purging unnecessary data is crucial to becoming a lean, agile organization, and a smart data retention policy can help ensure that.

How are data retention standards changing?

The rule of thumb in most data retention policies is to not retain data for longer than necessary. But putting this into practice can be extremely challenging. There is no universal rule stating how long you should retain data for, instead, it depends on a multitude of internal business motives and legal obligations. In addition to these, there are many external factors making modern data retention more complex. Here are few of them:

1. Increasingly complex IT environments

The advancement and diversification of enterprise technology has been so rapid that a lot of organizations have struggled to keep pace. Most organizations now use hundreds of apps spanning a blend of cloud-hosted and on-premise systems and numerous mobile devices that make up an increasingly complex Bring Your Own Device (BYOD) climate. Add the rising prevalence of IoT devices, some of which collect and store regulated data, and you’re faced with an environment that becomes wholly ungovernable through manual means alone. 

Maintaining visibility into such disparate infrastructures is perhaps the biggest challenge that comes with creating an effective data retention policy. As larger companies inch closer to the petabyte-scale of data storage, organizations that don’t consider this challenge acquire greater risk.

enterprise-data-explosion_data-retention-policy

2. Rapidly evolving regulatory landscapes

Another aspect of developing an effective data retention policy is accounting for changes in the regulatory landscape, and these days it’s constantly evolving. A long-standing principle in data privacy laws is that organizations shouldn’t hold on to personal data or PII any longer than they need to. However, laws vary greatly by country, sector, and data type. For example, organizations that comply with HIPAA are required to retain certain records for at least six years, whereas newer regulations, such as GDPR and CCPA, don’t specify precise data retention periods. 

There are also variances in laws regarding storage localization, breach notification/incident management, data subject rights, and more. Organizations doing business across state or even global lines have to keep this in mind when creating a data retention policy, and adjust it to fit ongoing updates. Below is a glimpse of complexities to consider on a global privacy scale:

global-privacy-landscape_data-retention-policy

3. Rising risk of cyberthreats and data loss

Regardless of the type of regulation, they all feed into one overarching theme – the protection of valuable information. Given the constant threat of cyberattacks we face today such as ransomware, sophisticated phishing, and internal or third-party data breaches, being able to classify, protect, and control sensitive information is paramount. A good data retention policy ensures that no stone is left unturned in this arena. It isn’t possible to protect data you don’t even know you have, so creating a robust data retention policy forces you to take a hard look at where your data lives from all angles. Aligning your policy with your wider information governance and security frameworks can reduce these risks even further.

Three simple steps to start creating your data retention policy

Developing an effective data retention policy requires a thorough understanding of the data you have, what it’s used for, and what each stage of its life cycle should look like. By following these simple steps, you’ll be well on your way to creating a data retention policy that’s smart, compliant, and useful.

1. Locate and classify your data

The first step in developing a data retention policy is determining where your data assets live. Like we said earlier, what you don’t know can hurt you, so identifying data in every corner of your organization is key. Data mapping is a great method to kick off this phase. Even still, you’ll need to bring together multiple key stakeholders and outside experts to figure out where data is stored, why you need it, and the level of risk it poses to your organization. Although this step in the process is time-consuming, it will serve as the foundation for a cohesive, centrally managed data environment that’s much easier to govern long-term.

2. Know which regulatory requirements apply

How you classify, protect, and retain data, is largely dependent on the regulatory requirements that apply to your organization. When outlining your data retention policy, this is where you should start. Make an exhaustive list of the regulations that apply to your organization, bearing in mind retention nuances on federal and state levels for US regulations, and regional levels for global regulations. Once you have your list, you’ll be able to parse out the data that is subject to regulation, and therefore the most urgent to tend to. Not only will this help you prioritize which data governance processes you need to work on first, but it can also be the impetus you need to gather key stakeholders together to form a strong data retention policy.

3. Consider the full data life-cycle

Once you know what you’re required by law to delete or retain, it’s much easier to work through the rest. Some data might be retained for years, while other data is only useful for a matter of days or weeks, but there’s rarely any reason to keep data indefinitely. And when the time does come for data to be deleted, it needs to be done securely. For these reasons, it’s important to consider the full data lifecycle. Here’s a look at each stage and what to consider in your data retention policy. Bear in mind these stages may look slightly different at every organization depending on your data governance policies.

data-life-cycle_data-retention-policy

Creation: Data is typically created in three ways: acquisition, or acquiring existing data that was produced outside the organization, entry, or manual entry of new data by an internal employee, and capture, or capturing data that is generated by devices in the organization. Once data is created or captured, it can come in many formats and types. It’s important to classify those types to assess what laws they may fall under which in turn, informs your data retention policy.

Storage: Once data is created or captured, it needs to be properly stored and protected. Beyond making sure the systems you use have robust security certifications, it’s a good idea to implement a backup and recovery process. This will ensure your data can be preserved in light of any misuse or deletion.

Usage: Once data is stored, it can be used to fuel the organization’s activities. Whether data is viewed, modified, saved, or shared with others, it’s a good idea to maintain an audit trail of changes that are made to your most critical information. Identifying the types of data and systems that require audit trails is another area you’ll want to include in your data retention policy.

Archival: When data is archived, it’s stored in a safe place where no usage occurs. Organizations typically archive data  when they don’t foresee any current use, but know it can be restored if it’s needed  for legal or compliance reasons later on. It’s helpful to have an archiving playbook that outlines what types of data should be archived and your process for doing so.

Disposal/Deletion: Your data retention policy should include erasure procedures that ensure the data can never be recovered by an unauthorized person or third party down the line. Doing so will preserve the integrity of the data even after its life cycle has ended.

We hope these guidelines help lay the foundation for an effective data retention policy of your own. As systems get more complex and your dataset grows, these policies will need to be adjusted to fit each organization’s evolving needs. Although no organization works the same, when retention policies are done thoughtfully, they can help drive successful people and procedures.

Curious how Onna can give you more visibility and control over your most critical information? Learn more about Onna Compliance or reach out to us here.