In this blog, you’ll get an understanding of data retention, data protection, and the policies and strategies that can help your organization navigate these difficult questions both now and in the future. So let’s start by answering the question: “What is data retention?”
Data retention is the practice of keeping data stored, and available for use, for a defined period. Data retention requirements and periods will differ for every organization based on
The retention period should be long enough for the company to get the value it needs from the data, but no longer than the relevant rules allow: holding data past its purpose is itself a compliance problem under laws such as GDPR, whose storage limitation principle requires that data is not kept longer than necessary.
Data retention matters because it is the process that keeps your business data safe, accessible and compliant for exactly as long as it needs to be kept.
Large companies should have a data retention policy that includes:
Having this policy in place benefits large parts of the business. For example, operations teams get accurate, clean data, which helps with analysis and means their systems hold only the data that is required and relevant.
The policy also covers backup and the retention of copies, which is reassuring to many teams given the daily stream of cyber-attacks and other threats: if data were lost or corrupted in an attack, the organization knows which copies exist and can restore from them.
The legal team will want this policy in place so the company can show that it complies with the relevant regulations and retention laws. Data retention is also an integral part of the eDiscovery process: it means the business data that might be needed in a legal case is actually still there, and that records placed under a legal hold are not deleted by the normal schedule.
Two notable examples of laws that govern customer and employee data are the CCPA and GDPR. In the United States, the California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and meet its size thresholds, regardless of where the business is based.
California residents can ask a business to disclose what personal information it holds about them and what it does with that information. If you collect information about anyone in California, you must tell them, at or before the point of collection, what categories of data you are collecting and what you intend to do with it.
In Europe, the General Data Protection Regulation (GDPR) protects people in the European Union (EU) regardless of where the company processing their data is located. GDPR requires organizations to be able to demonstrate their compliance. In some cases (for example, large-scale processing of special category data) this includes appointing a Data Protection Officer to oversee adherence. Under GDPR you must keep documentation, such as a record of processing activities, stating what data you collect, why, how it is used, how long it is kept, and how it is stored.
By having an appropriate data retention policy in place, an organization is protected, to some extent, in relation to these types of liabilities:
A well-formed data retention policy can help your organization in other ways too. When creating the policy, give thought to past legal events the company has been involved in, as well as to future events that might affect it. The policy can then be adapted to those foreseeable situations to reduce their impact on, and liability for, the business.
We’ve already summarized what data retention is, so how does that differ from data protection?
The ICO (the UK’s Information Commissioner’s Office) defines data protection as “the fair and proper use of information about people”. Essentially, it covers how companies use the information they hold.
So, while data retention is typically about storing the data and ensuring that it is done lawfully, data protection goes into more detail about how the data that is stored is being used by companies.
In the UK, the data that companies hold is governed by the Data Protection Act 2018 (DPA), which sits alongside the UK GDPR. It requires that companies use the data they hold lawfully and for a specified purpose, collect only what is necessary for that purpose, keep it accurate and up to date, and do not keep it for longer than is necessary.
This is where data retention comes into play, as your data retention policy will cover the points above, such as why you need to keep the data and how long you will keep it.
Not all data stored by a company is of equal value. Racial or ethnic origin, religious beliefs and health records are among the categories the DPA and GDPR class as special category (sensitive) data, which gets extra legal protection and must be handled differently. Payment card details are not special category data under the DPA, but they are governed by PCI DSS and are treated as sensitive in almost every internal classification scheme, so the policy should handle them the same way.
Even between these types of sensitive data, the consequences of a breach differ. For example, unauthorized access to employment contracts would be a breach, as they contain sensitive information about employees. However, the implications would not be the same as if someone gained unauthorized access to employee bank details. Both contain sensitive data, but exposure of bank details is much worse and has far bigger implications for the employees concerned.
Personal data and sensitive data are sometimes treated as the same thing, but they are not. Personal data includes name, email address, date of birth and so on; you may not want everyone to have access to it, and a breach of it is still a breach, but it is not classed as sensitive (special category) data.
When you put a data retention policy in place, you need to work out which of the data you store is sensitive. How are you protecting it? How do you ensure that no unauthorized person can access it? And once you no longer need to retain it, you need steps in place to ensure it is fully deleted from all systems, including backups, replicas and search indexes, in a way that complies with laws such as GDPR.
There are several things to consider when creating a data retention management policy:
Begin by identifying all the departments the policy will affect. Build a team with at least one person from each of them, so that the policy is created collaboratively, each department has its input, and everyone understands it.
Then catalogue all the data your organization holds and rank it by importance. For example, email may be the most important if it is your main channel for internal and external communication.
Depending on where your business operates, you will also need to consider which regulations apply and how they affect the data you may store, as this can differ by location.
The policy must clearly state the types of data being stored, how long each type will be kept, what event starts the clock (for example the creation date, or the end of a contract), and what happens to the data at the end of the retention period. Will it be permanently deleted, or archived?
The policy also needs to name who owns it and who ensures that deletion is carried out in the way the policy specifies, and that data is handled correctly at all times.
Note that the policy will need updating as regulations and laws change, and when key people who oversee it leave the company or change roles. Once the policy is written and finalized (for the time being), communicate it across the company so that everyone understands it and complies.
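As an added example, and not Cloudficient’s code or a legal retention schedule, here is the kind of policy-as-code the steps above produce, covering both the deletion requirement for sensitive data discussed earlier and the schedule contents just listed: each data class has a retention period, a trigger event, an archive-or-delete disposition and a sensitivity flag; a legal hold overrides the schedule; and the deletion step checks every copy (primary, backups, search index) and fails loudly if sensitive data survives anywhere. The class names, retention periods, store names and sample records are assumptions made for illustration.

```python
"""Retention schedule as code: a constructed example, not Cloudficient's software.

Class names, periods, store names and records below are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Disposition(Enum):
    RETAIN = "retain"    # still inside the live retention period
    ARCHIVE = "archive"  # live period over, but the rule keeps an archive copy for a while
    DELETE = "delete"    # live and archive periods over: remove from every store
    HOLD = "hold"        # legal hold for eDiscovery: no disposition until the hold is lifted


@dataclass(frozen=True)
class RetentionRule:
    retain_days: int          # live retention, counted from the record's trigger date
    archive_days: int = 0     # 0 = delete at end of retention; >0 = archive for this long first
    sensitive: bool = False   # special-category or payment data: deletion must be verified


# Illustrative schedule (assumed classes and periods; the real one comes from legal).
SCHEDULE = {
    "email": RetentionRule(retain_days=3 * 365, archive_days=4 * 365),
    "employment_contract": RetentionRule(retain_days=6 * 365, sensitive=True),
    "payment_card": RetentionRule(retain_days=90, sensitive=True),
    "marketing_list": RetentionRule(retain_days=365),
}


@dataclass
class Record:
    record_id: str
    data_class: str
    trigger: date             # event that starts the clock: creation date, contract end, etc.
    legal_hold: bool = False


def evaluate(record, today, schedule=SCHEDULE):
    """Decide what the schedule requires for one record on a given day."""
    rule = schedule.get(record.data_class)
    if rule is None:
        # Unclassified data has no lawful retention period: refuse rather than guess.
        raise KeyError(f"no retention rule for data class {record.data_class!r}")
    if record.legal_hold:
        return Disposition.HOLD
    live_until = record.trigger + timedelta(days=rule.retain_days)
    if today < live_until:
        return Disposition.RETAIN
    if today < live_until + timedelta(days=rule.archive_days):
        return Disposition.ARCHIVE
    return Disposition.DELETE


def dispose(record, stores, today, schedule=SCHEDULE):
    """Apply the disposition across every store (primary, backups, search index, ...).

    `stores` maps a store name to a dict of record_id -> payload.  Returns the
    disposition and the names of the stores that still hold the record afterwards.
    For sensitive data, a DELETE that leaves any copy behind raises, so a backup
    that silently ignores deletes cannot pass as compliant.
    """
    decision = evaluate(record, today, schedule)
    if decision is Disposition.DELETE:
        for copies in stores.values():
            copies.pop(record.record_id, None)
    elif decision is Disposition.ARCHIVE:
        payload = stores["primary"].pop(record.record_id, None)
        if payload is not None:
            stores.setdefault("archive", {})[record.record_id] = payload
    remaining = [name for name, copies in stores.items() if record.record_id in copies]
    if decision is Disposition.DELETE and schedule[record.data_class].sensitive and remaining:
        raise RuntimeError(f"{record.record_id}: sensitive data still present in {remaining}")
    return decision, remaining


if __name__ == "__main__":
    today = date(2024, 6, 1)
    records = [  # constructed sample inventory
        Record("card-1", "payment_card", date(2024, 1, 1)),                        # 90 days passed: delete
        Record("card-2", "payment_card", date(2024, 5, 15)),                       # still live: retain
        Record("mail-1", "email", date(2020, 1, 1)),                               # 3 years passed: archive
        Record("hr-1", "employment_contract", date(2015, 1, 1), legal_hold=True),  # overdue, but on hold
    ]
    stores = {
        "primary": {r.record_id: "payload" for r in records},
        "backup": {r.record_id: "payload" for r in records},
        "search_index": {"card-1": "payload", "mail-1": "payload"},
    }
    for record in records:
        decision, still_in = dispose(record, stores, today)
        print(f"{record.record_id:8} {decision.value:8} still in: {still_in}")
```

The two design points worth copying are the refusal to act on unclassified data (an unknown class has no lawful retention period, so the safe failure is to stop, not to guess) and the post-deletion sweep over every store, which is what turns “we deleted it” into something the policy owner can evidence.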
Here are 9 data retention strategies to protect sensitive data:
In this article, we’ve seen that data retention and data protection, while related, are different things that a large organization must carefully navigate. Protecting data is crucial to help prevent legal issues. Not all data can be treated equally. Strategies and plans have to be developed by your organization to handle each type of data appropriately.
At Cloudficient, we treat data security, protection, and records retention very seriously, and your organization should too.
With unmatched next generation migration technology, Cloudficient is revolutionizing the way businesses retire legacy systems and transform their organization into the cloud. Our business constantly remains focused on client needs and creating product offerings that match them. We provide affordable services that are scalable, fast, and seamless.
If you would like to learn more about how to bring Cloudficiency to your migration project, visit our website, or contact us.