Data Retention Policy

Definition

An organization’s data retention policy is a set of rules that describe the types of data that will be retained by the entity and for how long. Retention policies also address how the data is handled at the end of the retention period when companies explore options ranging from doing nothing to destroying the data or archiving it. 

Data retention policies are adopted to achieve and maintain compliance with relevant regulatory requirements. For example, if an organization takes part in a regulated industry where data must be preserved for seven years, the company retention policy must specify and enforce the specified seven-year retention period. 

An example of a retention policy article would be “retain daily backup for seven calendar days.”

What is a data retention policy?

In addition to the above description, organizations must adhere to the international, regional and industry standards that govern areas where an enterprise has customers or does business. Besides the imperative to retain data for a specified length of time, data location has become extremely important and is now a permanent fixture in data retention policies. For example, the European Union’s General Data Protection Regulation (GDPR) rules require that EU citizens’ data be stored within the EU borders.

In addition, some industries also come with retention requirements. Companies tend to adopt data retention policies that exceed prevailing regulatory requirements. That is especially true in regulated industries such as healthcare and financial services. For example, companies that do business in the healthcare sector, one of the unique regulatory requirements is the Health Insurance Portability and Accountability Act (HIPAA), which governs healthcare data, and there are requirements around how long HIPAA documentation must be retained, while states govern medical record retention requirements.(1) Also, companies that operate in the United States must adopt Sarbanes-Oxley Act (SOX) compliant data retention policies.

An essential aspect of data retention policies is to keep the more expensive primary storage free for frequently accessed data. To that end, enterprises set and enforce policies that move data at the end of their retention period to cheaper secondary or tertiary storage. These storage tiers could be less expensive on-premises disk storage, tape or even cloud storage. The most common storage tiers for secondary and tertiary copies are cloud storage. Cloud storage also offers customers different tiers or levels of storage depending on the data retention requirements. Cloud storage could be considered hot, cold or archive to offer customers different cost structures for their data retention policies.

What should be included in a data retention policy?

As noted earlier, a retention policy helps companies manage important data per rules and regulations that govern their business and the locale where they operate.

A robust data retention policy would include:

• Purpose. A retention policy starts by identifying the purpose of adopting it. Examples may include meeting regulatory requirements or data storage management guidelines for the organization as part of their recovery point objectives.
  
  
• Users and locations. A good practice is to identify the users and the geographic regions that will be covered by the retention policy. Keeping the data close to source like in the cloud for cloud workloads, or on-premises for local workloads can speed up the recovery when the time comes.
  
  
• Scope. Next, define the scope of the retention policy and determine the laws, regulations and reference standards or documents that need to be respected.
  
  
• Requirements. Identifying requirements is the heart of any retention policy. The requirements define the duration of retaining data, safeguarding and then how to handle it at the end of the retention timeline. Rules for data destruction, handling data breaches, and regulatory requirements are also part of an acceptable retention policy.
  
  
• Audits. Companies should adopt routine audits of their data retention policies to ensure that they still are current and within the boundaries of prevailing rules and regulations, and the business recovery point objectives.

Why is a retention policy important?

Data is the core of any business, whether that is paper invoices, or today’s more common digital information, it all fuels the work of an organization, from inventory to customer records. Companies should identify and capture this critical data to keep the day-to-day business operational and, in the case of regulations, to stay compliant.

A robust retention policy protects enterprises from financial losses, civil and criminal penalties that follow customers’ data loss, and failure to follow prevailing regulations. Examples of heavy financial penalties are a common occurrence on the business news.

Gaining and keeping customers’ confidence is vital for business growth. Customers have come to expect that their data, especially personally identifiable information (PII) is protected and remains private. There is little to no tolerance left for negligence when it comes to customers’ data.

Business growth requires predictability and confidence that comes from robust data retention policies and regulatory compliance. Businesses can expand into new regions knowing that they will not be surprised by obscure or unknows regulations.

Ransomware or cyber-attacks are increasingly more common and protecting the business data from attack is critical. With a policy in place to keep data for a predefined period, it can help prevent ransomware from crippling a business. As these attacks become more advanced and remain dormant from extended periods of time, it is important to include retention guidelines for ransomware in the retention policy.

Benefits of a retention policy

Digital data and applications are the drivers of business growth. Adopting a retention policy is vital for businesses and protects against the potentially harmful impact of sloppy handling of sensitive information.

Adopting and enforcing a data protection policy helps enterprises in many ways:

• Regulatory compliance. Data retention policies look to satisfy regulatory requirements for business operations, avoid potential penalties and use data to support audits, or defend legal claims. Meeting compliance standards can also ensure customer compliance with their personal data as it provides them with reasonable assurance their information is safe and will not be kept beyond what is necessary.
  
  
• Operational efficiency. Without data retention policies, companies will find themselves wasting valuable time with data retention-related matters. Having a robust policy and document management process removes uncertainty from the process and gives everyone clear guidance about how to handle sensitive information.
  
  
• Cost savings. The policy saves companies valuable employees times by eliminating long searches for documents buried in piles of old and rarely accessed information. Retention policies also reduce the storage capacity an organization needs, thus lowering IT costs.
  
  
• Security culture. The first line of defense against data loss or theft is the company employees. Data protection policies raise employees’ security awareness and respect for data privacy. Both contribute to a more secure work environment and better-protected data.

Common use cases for retention policy

Organizations of all sizes need protection against ransomware threats. Proper data protection allows customers to deploy solutions in everyday use cases:

• Improve decision making. Data retention policies enable organizations to have a single version of data truth, making it easy to quickly to analyze information and make decisions about arising issues.
  
  
• Regulatory compliance. Companies can use data retention policies to respond to audits and show compliance with data regulations through proper documentation and reporting.
  
  
• Revenue growth. Data retention policies give businesses better visibility into ways to reduce expenses, create new revenue streams and monetize data where appropriate.

Does Commvault support your retention policy?

Yes! Commvault supports data retention policies. The portfolio of solutions includes: VM & Kubernetes Backup, Database Backup, File & Object Backup, Microsoft 365 Backup, Salesforce Backup, and Endpoint Backup allow users to retain their data and set retention policies according to their requirements. Simple configuration wizards will help you set your retention policy while keeping your data safe and recoverable.