In this blog, you’ll get an understanding of data retention, data protection, and the policies and strategies that can help your organization navigate these difficult questions both now and in the future. So let’s start by answering the question: “What is data retention?”
What is Data Retention?
Data retention is the practice of storing and using data for a certain period. Data retention requirements and periods will differ for every organization based on:
- what data is being stored,
- the applicable legislation, and
- the business’s wants, needs, and requirements.
The data retention period will be long enough for the company to get as much value as possible from the data whilst adhering to all the relevant rules.
Why Is Data Retention Important?
Data retention is critical as it is the process of keeping all your business data safe, accessible, and compliant – a must nowadays.
Large companies should have a data retention policy that includes:
- what data you are storing,
- why you need to keep it,
- how long you will be keeping it for,
- and, when the time comes, how you compliantly delete the data.
Having this policy in place will benefit large parts of the business. For example, the operations teams will have accurate, clean data, which helps with data analysis and means their systems only contain required and relevant data.
The policy will also include backup and retention elements, which are reassuring to various teams given the ever-increasing number of cyber-attacks and threats that occur on a daily basis. The organization can be assured that if anything did happen, its data would be protected.
The legal team will ensure this policy is in place for the company so they can be sure they comply with the relevant regulations and retention laws. Data retention is an integral part of the eDiscovery process. It means you have the necessary business data stored in case it is needed as part of a legal case.
What Are ‘Applicable’ Laws?
There are two notable laws that govern customer and employee data. In the United States, there is the California Consumer Privacy Act (CCPA) that regulates any company that conducts business in California, regardless of where the company is based.
California residents can ask businesses to disclose the personal information they hold and what they do with the information. If you collect information on anyone in California, you must notify them before or at the point of collection that you will be storing their data and what you intend to do with it.
In Europe, the General Data Protection Regulation (GDPR) protects people in the European Union (EU) regardless of where the company is located. GDPR rules say that organizations must be able to demonstrate their compliance. This includes appointing someone within the company to ensure the regulations are adhered to. Under GDPR, you must ensure you have documentation that states what data you collect, how it is used, and how it is stored.
How Can a Data Retention Policy Help to Reduce Liabilities?
By having an appropriate data retention policy in place, an organization is protected, to some extent, in relation to these types of liabilities:
- Ease of producing relevant data to support legal proceedings
- Safety in the knowledge that data that is past the required (legal) expiry period has been appropriately deleted (and therefore can’t be used in legal proceedings against the business/organization)
- Classification and identification of data storage silos make it easier to find important date-time-based information
- Elimination of storage formats like PST files limits the risk and liability of critical business information leaking to external parties
There are other ways that a well-formed data retention policy can help your organization. In creating the policy, thought should be given to past legal events that the company has been involved in, along with ideas about future events that might affect the company. The policy can then be adapted to help with the foreseen situations to reduce the impact and liability to the business.
What Is the Difference Between Data Protection and Data Retention?
We’ve already summarized what data retention is, so how does that differ from data protection?
The ICO defines data protection as “the fair and proper use of information about people.” Essentially, it covers how companies use the information they have stored.
So, while data retention is typically about storing the data and ensuring that it is done lawfully, data protection goes into more detail about how the data that is stored is being used by companies.
In the UK, the data that companies have is governed by the Data Protection Act (DPA). This states that companies must use the data they have in a lawful way, use it for a specified purpose and only when necessary, ensure they have accurate up-to-date data, and don’t keep the data for longer than is necessary.
This is where data retention comes into play, as your data retention policy will cover aspects from above, such as why you need to keep the data and how long you will keep it.
What Data is Considered Sensitive?
Not all data stored by a company will be of equal value. Race, ethnicity, religion, payment details, and healthcare records are all classed as sensitive data. The DPA specifies that sensitive data should be handled differently as there is more legal protection for this data.
Even between these types of sensitive data, there would be different consequences should a breach occur. For example, unauthorized access to employment contracts would be a breach, as they contain sensitive information about employees. Still, the implications wouldn’t be the same as if someone had unauthorized access to employee bank details. Both contain sensitive data, but having access to bank details is much worse and has bigger implications for employees.
Sometimes personal data and sensitive data are thought to be the same, but this is not the case. Personal data includes name, email, date of birth, etc., and while you may not want everyone having access to this data, it is not classed as sensitive data.
When you are putting a data retention policy in place, you need to consider which of the data that you store is sensitive. How are you protecting this data? How will you ensure that no unauthorized people have access to this data? Once you no longer need to retain the sensitive data, you need to have steps in place to ensure that the data is fully deleted from all systems and that this is done in compliance with laws such as GDPR.
What Should Be in a Data Retention Policy?
There are several things to consider when creating a data retention management policy:
You should begin by thinking of all the departments that will be affected by the policy. You will need to build a team combining at least one person from all these departments so you can collaboratively create the policy, ensuring each department has its input and understands the policy.
You will then need to think of all the data you have in your organization and order it by importance. For example, all your email data might be the most important if that is the main way of communicating internally and externally.
Depending on where your business operates, you will also need to consider the regulations that need to be adhered to and how that affects the data you can store, as this may differ based on location.
The policy must clearly state the different types of data being stored, how long each type will be stored and what will happen to the data at the end of the retention policy. Will the data be permanently deleted, or will it be archived?
The policy will also need to state who oversees the policy and who will ensure that any data deletion is done in a way that adheres to the policy and that data is handled correctly at all times.
An important thing to note is that the policy will need to be updated as regulations and laws change. Maybe some key people who oversee the policy leave the company or change jobs, which will also mean that the policy should be updated. Once the policy is written and finalized (for the time being), it will need to be communicated and shared with the company to ensure everyone understands it and complies.
9 Data Retention Strategies to Protect Sensitive Data
Here are 9 data retention strategies to protect sensitive data:
- Understand regulations and policies. Ensure that you fully understand all the laws you must comply with. There will be different laws and regulations that apply to different countries, often based on where the customer is and not the company. There are also different levels for the different data types you hold, such as personal versus sensitive.
- Company-wide input. When writing the policy, it is vital that all departments are involved so that the policy is comprehensive and all data is accounted for.
- Business requirements. While it is important to comply with the various regulations regarding data, it is just as important to take into account how you will actually implement the data retention policy once it is written. You may need to update systems or maybe even implement new systems, and you may need to train staff. It isn’t enough just to have the policy written; you then need to follow it.
- Keep it simple. The policy shouldn’t be complicated. It needs to be straightforward, easy to understand, and use simple language. It needs to be understood by everyone within the company so they can follow and adhere to the policy.
- Different data types may need different policies. Data management can be complex. The policy isn’t a one-size-fits-all as different data types require different care and attention when handling. Some data may need to be kept for longer than others. Some data will need authorized access to it, and some data will be sensitive and need to be protected more than others. If the data/customer is located in different countries, they may need to be handled differently.
- Be open and honest. Tell people what information you will store about them and why. Give them options to unsubscribe or to have their data deleted.
- Consider investing in an archiving platform. Some archiving platforms allow you to create custom data retention policies and then automate the data retention process. This will likely make things easier, as it saves the time and effort of doing it all yourself. Some solutions can be customized to allow you to organize data according to legal requirements, may have robust search functionality, and even have built-in security features.
- Back up your data. This will protect you from a regulatory compliance perspective and minimize or eliminate the risk of data loss.
- Don’t keep data longer than needed. The best practice isn’t to be overly cautious and retain data indefinitely. By doing this, you are leaving your business open to more risk and likely implications down the line. By having excess data, you will not only be using up a lot of storage, which could become expensive and slow down systems, but it would also make you more vulnerable in the event of a data breach or security incident. But obviously deleting data is permanent, so you do need to carefully consider which data you want to archive and which can be deleted.
In this article, we’ve seen that data retention and data protection, while related, are different things that a large organization must carefully navigate. Protecting data is crucial to help prevent legal issues. Not all data can be treated equally. Strategies and plans have to be developed by your organization to handle each type of data appropriately.
At Cloudficient, we treat data security, protection, and records retention very seriously, and your organization should too.