Data retention is complex, nuanced, and requires a modern approach in order to handle the growing volume, type, and sensitivity of enterprise data.
Many companies systematically over-retain data, opening them up to enormous risk. Around a third of data stores have not been touched for three years — and 75% of over-retained records include personal or sensitive data.
What is data retention?
Data retention refers to the practice of storing data for a specific period of time. This can be done for a variety of reasons, including legal compliance, business continuity, and data analytics. Proper data retention is important for organizations to ensure that they have access to the data they need to operate effectively, while also complying with any legal or regulatory requirements.
Depending on the industry and country, data retention looks very different in practice. In United States healthcare, for example, retention is governed by a variety of laws and regulations, most notably the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires covered entities to keep the documentation its rules call for (policies, procedures, authorizations, accountings of disclosures and similar records) for at least six years; how long the patient medical records themselves must be kept is set by state law, which is often longer.
What is a data retention policy and what should it include?
A data retention policy is a set of guidelines that an organization follows for retaining and disposing of data, based on regulatory requirements and internal needs. A data retention policy should include the following to meet compliance requirements:
- Types of data to be retained: The policy should specify what types of data are to be retained, such as financial, legal, health, or personal data.
- Retention periods: The policy should outline the retention period for each type of data, based on regulatory requirements and business needs. The period should be long enough to meet those obligations but no longer, since every record kept past its purpose is exposure without benefit.
- Storage location: The policy should specify where the data should be stored, whether on-premises, in the cloud, or in a hybrid storage environment.
- Access controls: The policy should specify who may access retained data, how access is requested, granted and logged, and how those grants are reviewed. Archived data that nobody needs day to day warrants tighter controls than live data, not looser ones.
- Data destruction: The policy should specify how data is destroyed at the end of its retention period. This should include guidelines for securely deleting the data or disposing of physical media.
- Record-keeping: The policy should outline procedures for keeping records of retention and destruction. This includes who is responsible for the data, when it was created, and when, how and on whose authority it was destroyed, so that compliance can be demonstrated after the data itself is gone.
What are the benefits?
Companies can avoid violations and strengthen customer trust by defining, managing, and remediating data retention policies across the business.
Organizations that implement a strong data retention program can:
- classify data according to how long it must be kept
- distinguish critical information from redundant, obsolete, and trivial (ROT) data
- account for legally allowable exceptions to data retention requirements (such as pending lawsuits or audits)
- determine whether records should be archived or deleted
- bridge legal and IT teams so they can create and operationalize retention policies together, stay in constant communication, achieve compliance, and keep up with regulatory changes
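As an added worked example (not from the article and not BigID's code), here is a small Python retention-schedule evaluator that ties the policy elements and program benefits above together: it classifies records by category, starts the retention clock at the date of creation or the date the record was last in effect, whichever is later (the convention the article quotes from HIPAA further down), suspends destruction for records under legal hold, decides between archiving and deleting at end of life, and writes a hash-chained destruction record to satisfy the record-keeping requirement. The policy table, categories, periods, actor name and sample records are constructed placeholders, not legal advice.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import hashlib
import json

# Hypothetical retention schedule. Periods are placeholders for illustration,
# not legal advice: take the real numbers from counsel and the regulations
# that apply to you.
POLICY = {
    "health":    {"years": 6, "end_action": "delete"},
    "financial": {"years": 7, "end_action": "archive"},
    "marketing": {"years": 2, "end_action": "delete"},
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_in_effect: Optional[date] = None  # date the record was superseded, if any
    legal_hold: bool = False               # pending lawsuit or audit: suspends destruction


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 start clamps to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_clock_start(rec: Record) -> date:
    """Creation date or date last in effect, whichever is later."""
    return max(d for d in (rec.created, rec.last_in_effect) if d is not None)


def expiry_date(rec: Record) -> date:
    return add_years(retention_clock_start(rec), POLICY[rec.category]["years"])


def disposition(rec: Record, today: date) -> str:
    """One of: review, retain, hold, archive, delete."""
    if rec.category not in POLICY:
        return "review"            # unclassified: ROT candidate, needs a human decision
    if today < expiry_date(rec):
        return "retain"            # still inside its retention period
    if rec.legal_hold:
        return "hold"              # expired, but a hold overrides the schedule
    return POLICY[rec.category]["end_action"]


def evaluate(records, today: date) -> dict:
    return {r.record_id: disposition(r, today) for r in records}


def append_disposal_entry(log: list, rec: Record, today: date, actor: str, action: str) -> dict:
    """Append a hash-chained entry so the destruction record is tamper-evident."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {
        "record_id": rec.record_id, "category": rec.category,
        "created": rec.created.isoformat(), "action": action,
        "performed": today.isoformat(), "actor": actor, "prev": prev,
    }
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Recompute the chain; any edited or removed entry breaks it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or e["hash"] != expected:
            return False
        prev = e["hash"]
    return True


def run_disposal(records, today: date, actor: str):
    """Apply end-of-life actions and return (dispositions, tamper-evident log)."""
    log = []
    results = evaluate(records, today)
    for r in records:
        if results[r.record_id] in ("archive", "delete"):
            append_disposal_entry(log, r, today, actor, results[r.record_id])
    return results, log


# Constructed sample inventory (not real data).
TODAY = date(2025, 9, 1)
SAMPLE = [
    Record("pol-001", "health", date(2017, 3, 1), last_in_effect=date(2019, 6, 15)),
    Record("pol-002", "health", date(2017, 3, 1), legal_hold=True),
    Record("gl-2016", "financial", date(2016, 2, 29)),
    Record("mkt-77", "marketing", date(2024, 5, 10)),
    Record("tmp-9", "unknown", date(2012, 1, 1)),
]

if __name__ == "__main__":
    dispositions, log = run_disposal(SAMPLE, TODAY, actor="retention-bot")
    for rid, action in dispositions.items():
        print(f"{rid:9} -> {action}")
    print("log intact:", verify_log(log))
```

Run it as a script to print each record's disposition and confirm the log verifies. Two design points matter in practice: unclassified records come back as "review" rather than being silently kept forever, which is how ROT data surfaces, and a legal hold is checked after expiry rather than before, so a held record is reported as "hold" (destruction deferred) instead of looking like it is simply within its period. The hash-chained log is the artifact an auditor reruns `verify_log` against after the underlying data is gone.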
Best practices for modifying a data retention policy
- Review the existing policy: Review the existing policy to identify areas that need to be updated, such as changes in regulatory requirements, new types of data, or changes in business processes.
- Conduct a risk assessment: Conduct a risk assessment to identify the potential risks associated with the retention of data and the impact of changes to the policy.
- Determine the appropriate retention periods: Determine the appropriate retention periods for each type of data based on regulatory requirements and business needs.
- Identify the appropriate storage location: Identify the appropriate storage location for each type of data, such as on-premises or in the cloud.
- Develop data destruction procedures: Develop procedures for securely destroying data at the end of its retention period.
- Update employee training and awareness: Update employee training and awareness programs to ensure that employees are aware of the updated policy and understand their responsibilities for data retention and destruction.
- Obtain approval: Obtain approval from senior management or the board of directors to ensure that the updated policy aligns with the organization’s overall risk management and compliance strategies.
The frequency of modifying a data retention policy will depend on several factors, including changes in regulatory requirements, changes in business processes, and the level of risk associated with the data. As a general guideline, organizations should review their data retention policy at least annually to ensure that it remains up to date and effective. Additionally, organizations should conduct regular risk assessments to identify any changes in risks associated with data retention and take appropriate action as needed.
Why you need a strong data retention program
A data retention policy is a cornerstone of any data management effort. Both internal and external policies dictate rules and regulations, and it’s critical for organizations to be able to manage a comprehensive data retention program that caters to both.
Data privacy and protection regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), for example, establish specific requirements for the information organizations can retain — and what they need to delete — to protect sensitive consumer information, minimize individual privacy risk, fulfill data subject access requests, and more.
How long is a data retention period?
A “data retention period”, also referred to as a “record retention period”, is the amount of time an organization holds onto data. There is no single answer to the question of how long this should be. Ultimately, it depends.
It depends on the type of data, the purpose for which that data was collected or created, whether the data is still considered useful, and more considerations — depending on the regulation.
Some regulations set a floor: HIPAA, for instance, requires the documentation its rules mandate to be kept for at least six years “from the date of its creation or the date when it last was in effect, whichever is later.” Others, like GDPR, specify no time frame at all and instead require you to justify whatever period you choose.
Maintaining regulatory compliance
The specific data retention policy requirements for each regulation will vary, but here are some general guidelines:
- General Data Protection Regulation (GDPR): Under the storage limitation principle (Article 5(1)(e)), personal data may be kept in identifiable form for no longer than necessary for the purposes for which it was collected, and under the accountability principle (Article 5(2)) the organization must be able to demonstrate this. In practice that means a documented retention policy, retention periods or criteria stated in privacy notices, and secure erasure when data is no longer needed, including on a valid erasure request (Article 17).
- California Consumer Privacy Act (CCPA): As amended by the CPRA, the CCPA requires organizations to disclose, for each category of personal information collected, how long it will be retained or the criteria used to decide that period, and forbids keeping it longer than reasonably necessary for the disclosed purpose. Consumers have a right to request deletion, and organizations must respond within 45 days (extendable once by a further 45 days).
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA requires covered entities and business associates to retain the documentation its Privacy and Security Rules call for (policies, procedures, risk analyses, authorizations, accountings of disclosures and similar records) for six years from the date of creation or the date it was last in effect, whichever is later. Retention periods for the medical records themselves come from state law. HIPAA also requires that protected health information (PHI) be disposed of securely so that it cannot be reconstructed.
- Sarbanes-Oxley Act (SOX): Section 802 requires auditors of public companies to retain audit and review workpapers (the SEC's implementing rule sets this at seven years) and makes it a crime to alter or destroy records with intent to obstruct a federal investigation. Its practical effect on retention programs is that financial records and the supporting documents behind filings must be kept for the full period and that any destruction must be on a documented schedule, never in reaction to an inquiry.
- Federal Trade Commission (FTC) Act: The FTC Act sets no fixed retention period. Under Section 5 the FTC treats holding consumer data indefinitely after it is no longer needed as an unreasonable practice, and its consent orders commonly require a written retention schedule that states a purpose and a time frame for each category of data, plus secure disposal at the end of it.
- Gramm-Leach-Bliley Act (GLBA): The Safeguards Rule (as amended in 2021) requires financial institutions to maintain a written information security program that includes procedures for the secure disposal of customer information no later than two years after it was last used for a customer relationship, unless retention is necessary for business operations or other legitimate purposes, or is required by law. The program must also periodically review the institution's retention policy to minimize unnecessary retention.
- Occupational Safety and Health Administration (OSHA): Under OSHA's recordkeeping rules, employers must keep injury and illness records (the OSHA 300 log, the annual summary and incident reports) for five years following the end of the calendar year they cover. Employee exposure records for hazardous substances such as lead and asbestos must be kept for at least 30 years, and employee medical records for the duration of employment plus 30 years. Injury records include the date of the injury or illness, the employee's name and job title, a description of the case, and the medical treatment received.
Accelerate your data retention program with BigID
BigID is a data intelligence platform for privacy, security, and governance that helps organizations manage their data end to end. Using BigID, organizations can improve their data retention program in several ways:
- Identify sensitive data: BigID uses machine learning to automatically scan and classify data by sensitivity, context, and type, so organizations can handle each record according to its retention requirements.
- Define data retention policies: BigID’s Data Retention App allows organizations to define data retention policies based on the sensitivity of the data, the applicable regulatory requirements, and the organization’s business needs. The platform automates the enforcement of these policies and alerts organizations when data has reached the end of its retention period.
- Monitor data retention compliance: BigID’s Data Retention App also provides real-time visibility into an organization’s data retention compliance status, enabling companies to quickly identify and remediate any compliance gaps.
- Automate data deletion: BigID’s Data Deletion App automates the secure destruction of data at the end of its retention period, reducing the risk of unauthorized access or data breaches.
- Conduct risk assessments: BigID’s Risk Scoring App provides a risk assessment framework that enables organizations to identify and evaluate the risks associated with data retention, helping them to develop and implement effective retention policies.
- Integrate with other tools: BigID integrates with other tools, such as data governance, data loss prevention, and e-discovery tools, to provide a comprehensive data management solution.
To automate and bolster your organization’s data retention program— schedule a 1:1 demo with BigID today.