Which factors should retention policies consider?

Today’s organizations rely on data to fuel their business processes. Whether it’s the healthcare, financial services, hospitality, federal government, retail, telecommunications, or education industries, there are sensitive assets that malicious hackers can – and will – steal.

With the growing amount of data collected by various organizations and industries, it’s no wonder why creating and enforcing a robust data retention policy is necessary. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what data they need to retain and for how long.

Let’s take a look at some data retention best practices and how following them can help your organization establish and enforce a more compliant and useful data retention policy suitable for your organization’s needs.

What is a Data Retention Policy?

A data retention policy is documentation that your organization has created to stipulate when data no longer serves its purpose and should be deleted, or when its retention period has been met. Implementing a data retention policy begins by knowing what kinds of data your organization holds and then classifying that data.

Data retention policies are critical to ensuring all local and federal regulations and retention schedules are being met. This includes retaining data and records for the specified period of time, and also promptly deleting or destroying records once the retention period is up.

What are Best Practices for a Data Retention and Purging Policy?

1: Identify and classify the data your organization holds

Implementing a robust data retention policy begins by knowing what kinds of data your organization holds and then classifying that data. For healthcare companies, this could be PHI such as patient names, dates of birth, Social Security numbers, medical data, and histories, or prescription information. For financial services organizations, this could be CHD, PINs, credit scores, payment history or loan information.

Classifying data is a best practice for data retention because not all data requires the same retention. Recognizing this, many frameworks and legal regulations have specific requirements that encourage organizations to classify data. For example, the 2017 SOC 2 Trust Services Criteria requires that service organizations that include the confidentiality category in their audit demonstrate that they identify and maintain confidential information to meet the entity’s objectives related to confidentiality.

For GDPR compliance, organizations that handle the personal data of EU data subjects must classify the types of data they collect in order to comply with the law. Additionally, GDPR categorizes certain data – race, ethnic origin, political opinions, biometric data, and health data – as “special” and therefore subject to additional protection. This not only means that organizations need to know what types of data they hold, but also that they need to be able to label that data, for example as public, proprietary, or confidential.

Within the last few years, there’s been a renewed focus placed on data privacy, leading to an increase in new, complex data privacy laws and regulations across the globe that generally include data retention standards. In addition to the mix of regulatory frameworks organizations are already tasked with complying with, organizations may also have contractual and business needs that dictate data retention schedules.

For instance, if an organization has to comply with the data retention standards for GDPR and the PCI DSS, how do they know which data retention requirement to follow if there is a conflict or difference between the two requirements?

This is why, when following best practices for data retention, organizations should consult with either internal or external regulatory compliance specialists to determine which legal requirements for data retention apply to their organization.


What factors should be considered for retention period?

Retention periods vary with different types of information, based on content and a variety of other factors, including internal organizational need, regulatory requirements for inspection or audit, legal statutes of limitation, involvement in litigation, and taxation and financial reporting needs, as well as other ...

What is the retention policy?

A retention policy (also called a 'schedule') is a key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (record), where it's stored, and how to dispose of the record when its time is up.

What is the purpose of a retention policy?

A data retention policy defines why and how you store data, for how long, and then how you dispose of it. Data retention policies play a pivotal role in data management, enabling regulatory compliance, legal defenses, and disaster recovery. They can also help keep mission-critical data at employees' fingertips.

What is the most common backup retention policy?

A solid backup retention policy may use the reliable 3-2-1 backup method. This commonly used rule states that organizations should create three copies of the data, store the copies on two different types of storage media, and send one copy of the data off-site.