How to Build a Strong and Effective Data Retention Policy


An enterprise data management strategy isn't complete unless it includes an effective data retention policy.

A data retention policy (DRP) is simple, yet often disarmingly so. In essence, a DRP is a system of rules for holding, storing, and deleting the information an organization generates and handles. What is far from simple is building a data retention policy that's comprehensive, manageable, and compatible with current and evolving legal, industry, and government demands.

DRPs not only reduce an organization's risk of running afoul of mandated requirements, but they can also add enormous value. Data governance reduces the costs associated with compliance and investigation, as well as potential downstream litigation, explains Andy Gandhi, a managing director at corporate investigation and risk consulting firm Kroll. “It also reduces internal costs associated with hardware for storing unnecessary data on servers … as well as staff to manage the data and servers,” adds Gandhi, who's also the global leader of Kroll’s data insights and forensics practice.

A DRP is also fundamental for knowledge development, says Pedro Ferreira, an associate professor of information systems at Carnegie Mellon University's Heinz College of Information Systems and Public Policy. “A good DRP will store all data collected in ways that can be used in the future,” he notes.

When legal, regulatory, or security issues arise, it's too late to begin thinking about getting the organization’s data in order, warns Scott Read, risk and financial advisory information governance leader at IT and business consulting firm Deloitte. “The digital landfill that most organizations are sitting on, be it in on-prem data centers or scattered across the cloud, is a ticking time bomb of cost and risk.”

[Photo: Andy Gandhi, Kroll]

Read recommends that, to limit an enterprise's exposure to adverse events, data should be actively managed and remediated through a defensible, business-as-usual process that's driven by a data retention policy. Additionally, to operate smoothly and in an orderly way, organizations need to learn how to efficiently create, use, and dispose of obsolete records. “A data retention policy and retention schedule are key tools to establish efficient business-as-usual processes,” he says.

The first step toward creating a comprehensive DRP strategy is to identify the specific business needs the retention policy must address. The next step should be reviewing the compliance regulations that are applicable to the entire organization. “Designate a team of individuals across various business practices to begin data inventorying and devising a plan to implement and maintain a data retention policy that meets your business requirements while adhering to compliance regulations,” Gandhi advises.

The enterprise's chief data officer (CDO) should oversee the DRP's design and implementation, Ferreira recommends. “However, everyone who deals with the data must be aware of the mechanisms implemented … so that they can behave in ways that facilitate the implementation of the DRP,” he adds. “Implementing a robust DRP may be a top-down decision, but it requires buy-in from all levels of the organization.”

Stakeholders from records, legal, IT, security, privacy, and other relevant posts and departments all need a chance to weigh in on an enterprise's data retention policy, Read says. “Additionally, external legal counsel may also be involved in reviewing recommendations on suggested time periods.”

[Photo: Scott Read, Deloitte]

When developing or updating a data retention policy, keep in mind that regulatory requirements have changed dramatically over the past few years, and will likely continue to do so for the foreseeable future. Technology advancements also create fresh challenges. “New systems have emerged, and others are being decommissioned, changing the data landscape dramatically,” Read says. Policies and procedures need to include provisions for regular updates in order to remain relevant.

The types of data to be included in the policy depend on the specific areas a corporation needs to comply with. “For example, a global company may need to adhere to GDPR, so there’s a geographic dimension to privacy compliance,” says Goutham Belliappa, vice president of data and AI engineering at business and technology advisory firm Capgemini Americas. “The type of industry that the organization is involved in may also determine certain retention and compliance requirements, such as HIPAA or PCI.”

The biggest mistake organizations make when building a data retention policy is to look at the project from an inside-out perspective, or with just a gut feeling, Belliappa observes. “Look at the laws, rules, and regulations that must be complied with,” he says. “Create a policy that balances all … objectives across all of those sometimes-contradictory requirements.”

There's no one-size-fits-all way to build a data retention policy. “The key to effective compliance is to establish, implement, and maintain a program with clear protocols,” Gandhi states. The approach, whatever form it takes, must be flexible enough to meet business requirements and strategies while also protecting data.

To prevent a data policy from being swamped with superfluous information, pinpoint the most critical data sets and wrap the policy around them, recommends Mitch Kavalsky, senior director of security governance, risk, and compliance at data recovery services provider Sungard Availability Services. “Confidential data, including HR records and financial records, should take priority,” he advises. “If the data is important to your business, it's most likely important to regulators, and the policy should ensure that those data sets are addressed.”