In every aspect of business, data generation is growing at a staggering pace. But what to do with all the information once it’s in your systems? Managing your company’s data retention policy from the parallel perspectives of business value and data storage is never easy.
So, what are some solid principles when approaching your data retention policy? How can you differentiate between what is important and what is not? What about the information you must retain for regulatory compliance? And how diligently should you dispose of data once legally free to do so?
We spoke with attorney Peter Sloan of Information Governance Group for his insights.
Setting Your Data Retention Policy
Let’s begin by defining the concept. A data retention policy is an organization’s system of rules for holding, storing, and deleting the information it generates and otherwise handles.
Your organization’s data retention policy is generally designed in response to a combination of operational needs and regulatory requirements. It should be clearly documented and centrally owned.
Core components of a well-designed data retention policy include:
- An overview of the different types of information the business handles. Examples include customer data, financial reports, legal agreements, billing information, email, strategy documents, meeting notes, marketing collateral, and so on.
- Rules for how long different types of data should be retained. Also consider guidance on how the information should be stored. What’s your policy on encryption, not only for data in flight and data at rest, but data in use?
- A permissions-based framework specifying authorizations to access retained data. What is your protocol for setting access privileges, and how are you enforcing that? What about managing vendor and contractor access to data?
- An accurate and accessible description of the regulatory landscape. This may include an explanation of how your data retention policy ensures compliance.
- Clear protocol for the standards around the digital sanitization of the data. These should address the physical destruction of paper and (where necessary) electronic equipment. How do you ensure your media are being effectively wiped as per protocol? Have you performed due diligence on your ITAD provider?
Always seek professional advice on how to produce the most appropriate data retention policy for your organization. Pay close attention to how you handle customer data and personally identifiable information. Ensure you are not only fully complying with regulation in this area, but with appropriate methods for disposal when it is time to delete the data.
Understanding Defensible Disposition
Keep in mind that over-retention of information drives risk. Having a data retention policy in place is not carte blanche for keeping everything that technically falls within its limits.
“I can’t tell you how many times I’ve worked with organizations that have been the victims of a critical security incident or a data breach where the compromised system contained two or three times the data, sometimes even more, than for which there was any legal retention requirement or practical business need.”
Peter Sloan of Information Governance Group
Instead, Sloan advises business to practice the principle of defensible disposition, which dictates that data
a) that is not legally required to be retained due to an ordinary course of business retention requirement
b) that serves no meaningful or practicable business purpose, and
c) that is not subject to a pending preservation duty due to litigation
can and should be disposed of.
“Unnecessarily retained data, particularly unstructured data, multiplies data security exposures. Remember that once data has been compliantly disposed of, it cannot be compromised.” Defensible disposition is central to good information governance and healthy for the business, he says.
Compliance Connections: Security and Privacy
When it comes to customer information, maintaining data security and data privacy is essential. It’s more than just good practice: its the law.
Specific regulations will depend on your industry. Common regulations that apply to a range of sectors include HIPAA for healthcare data, and the Gramm-Leach-Bliley Act, which requires financial service providers to explain to their customers how their information is shared.
Despite industry variation, there’s a common thread. With much in our lives thoroughly digitized, cutting down on unnecessary data retention is an increasingly common condition for security and privacy compliance.
“Think of a data security law as having a toolbox of security controls in it” explains Sloan. “There’s another toolbox for data privacy laws. Requiring the disposal of unnecessary protected information can be a tool in either toolbox.”
The European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, mandates tight standards for any organization holding the data of individuals in the EU, wherever that company operates in the world. GDPR’s principle of data minimization states that companies should hold no more personal data than is necessary or relevant to their business purpose.
The compliance landscape is complex and you should seek legal advice on your organization’s exact obligations. Even where your responsibilities are clear, adhering to them can be tough. According to a 2021 report by Integron, 31% of companies were not in compliance with GDPR, despite having had three years to do so. It appears that companies are struggling to find ways to integrate compliance measures into their operational protocols.
This challenge is faced by organizations across all sectors. Among IT asset disposition companies, requirements as apparently simple as having signed contracts in place to govern chain of custody when handling data-bearing IT equipment are proving hard to enact, according to insiders.
Evolution Of Data Governance In The United States
For many, it’s clear the United States is moving steadily in the direction of GDPR-style privacy protections.
Sloan agrees. If the conversation around information governance in the first decade of the new century focused on managing the costs of e-discovery and the past ten years have been increasingly centered around enterprise data security, the current decade will be the era of data privacy in the United States, he says. “It’s going to be a fundamentally different legal environment around what companies can do with protected information.”
The California Consumer Privacy Act was widely seen as the first step toward a more comprehensive approach to data privacy in the United States. Sure enough, Colorado, Connecticut, Utah, and Virginia have all passed comprehensive data privacy laws of their own. Iowa joined these states earlier this year, and an Illinois court has ruled that lack of a data retention schedule violates the state’s Biometric Information Privacy Act (BIPA).
“I am not predicting that United States law will perfectly mirror GDPR, but [by the end of this decade] United States law, particularly at the state level, will be a lot closer to a GDPR-type sensibility than it is now.”
Peter Sloan
He likens the process to how breach notification laws achieved steady adoption across the country after California enacted the first such state-level law.
“There have always been privacy frameworks in particular sectors, such as HIPAA for healthcare, Gramm-Leach-Bliley for financial institutions, and FERPA for education, but with the legislation now effective in California, and similar legislation which will move across the country over the next decade, it seems inevitable that the United States will move, to some degree, toward an EU-type sensibility to privacy.”
The Advent Of Unlimited Storage
For certain categories of data, you must retain the information for as long as stipulated by law. For other types of personal data, you should hold on to it no longer than is necessary.
But for much of the information your organization generates, it will be a matter of discretion under what conditions (and for how long) you retain it.
This throws open a Pandora’s box of approaches. Some industry players make the case for endless storage. Hold on to everything because at some point in the future it might yield commercial benefit, they say. Pointing to a future where the costs of storage are radically less expensive than today, David Friend, CEO of cloud storage firm Wasabi, predicts the emergence of a “bottomless cloud where the value of data is “amplified in countless ways” since the economic benefit of data always exceeds its cost.
“First generation providers of cloud storage were, and in many cases, still are, stuck in an industrial era mindset of scarcity,” Friend and co-author Tom Koulopoulos state. As storage technologies advance and costs fall, they predict a shift to an abundance mindset. Eventually, nobody will think twice about whether or not to keep data. Storage will be a commodity in the way that most telecommunications are today in the developed world.
Sometimes Less is More
For Sloan, by contrast, endless repositories of data are accidents waiting to happen. He points out that the more data you have, the more costly it will likely prove if it becomes subject to a legal process.
“Unstructured data can be extremely expensive in litigation. The cost of processing data subject to a litigation preservation duty is immense: identifying it, locating it, preserving it, collecting it, and processing it with automated tools, maybe some analytics, until it’s ready for human eyes to look at.”
What are the consequences of a sloppy or nonexistent data retention policy? Look no further than SkyMed, a company which sells membership plans to cover emergency travel and medical evacuation.
Back in 2019, a security researcher discovered that SkyMed had 130,000 membership records in an unsecured cloud database. It didn’t take long for the FTC to come knocking: it alleged SkyMed had “failed to have a policy, procedure, or practice” for deleting unnecessary personal information. In a 2021 settlement and consent agreement with SkyMed, they were required to implement, maintain, and document security safeguards.
Legal considerations aside, there’s certainly money to be made in the analysis of endlessly streaming data. However, when it comes to deep learning algorithms, there’s reason to believe that quality of data, as opposed to mere quantity, makes a big difference in results. The better curated and better tended the target repository, the better the results will be.
Assessing Data Storage Considerations
The value of data changes over time. A file or an email that contains the seeds of your company’s future success may itself hold little intrinsic value, other than archival curiosity, five years from now. Many images and videos have high immediate value for sharing but quickly cool, sometimes within minutes. And it’s not just what to store, but where to store the data and how rapidly (and inexpensively) it can be accessed.
According to the IDC, approximately 60% of corporate data is ‘cold,’ about 30% ‘warm’ and 10% ‘hot’. “Organizations have typically faced a tradeoff between the cost of storing ever increasing amounts of data and the speed at which they can access the data,” stated Phil Goodwin, director of research at IDC in a press release. In any event, it’s important to have a clear handle on where your most important data lives at any given time, and how rapidly (and at what cost) it can be queried or retrieved.
And, while it may not be wise, sensible, or necessary to retain everything, having a sense of what categories of data to keep for the longer term may prove your competitive differentiator a decade out.
Chisels Not Chainsaws
This raises important questions of how to ensure that the right data is being deleted under the terms of your data retention policy.
Much of the difficulty involves the sheer quantity of files in question. Sorting through them all requires software tools which can classify files. These tools should identify which ones contain personal information which could lead to liability. However, the responsibility for developing a Data Retention Policy and using tools in harmony with it ultimately rests on human beings.
“Often when an IT team is asked to deal with too many unstructured files or too much email, it doesn’t have the vantage point to properly understand the content—so the team defaults to a proxy rule, such as ‘last accessed’ or ‘age of file’,” Sloan says. “But that’s taking a chainsaw, not a chisel, to the problem.”
“Data retention should turn upon the content and context of the information,” he continues. “For example, the two least accessed and perhaps oldest documents in your home might be your will and your life insurance policy. In this instance, it’s probably not a good idea to be disposing of your household paperwork based on the age of documents and when they were last accessed.”
Instead, when it comes to software which classifies and sorts files, there should be rules for tools and oversight of how the tools are used.
Ensuring Compliance Through A Data Governance Framework
The ongoing enforcement and refinement of your data retention policy requires hard work and leadership. Organizations should apply dedicated focus to their information governance.
Most valuable of all is building a culture that values data security. Make sure you energetically and enthusiastically communicate your company’s approach to data management to all stakeholders. Your people are not programmable computers, and are making thousands of independent decisions every day—good decisions and not such good ones. Through regular training and communication, invest in them as fervently as you do your technology.
“Just as data security largely turns upon human vulnerabilities, determining whether an organization has effective control over its data retention turns upon human behavior,” remarks Sloan. “IT tools are invaluable, but they didn’t cause the problem on their own and they don’t solve the problem on their own. There needs to be a governance strategy.”
“Think about the time, attention, focus, and process wrapped around how most organizations manage their key business assets,” he says. “Think about how they manage their capital, their people, and their equipment. Why not devote that same focus, attention, and level of prioritization to managing your information?”
From every angle, businesses need to take a proactive and managed approach to data management. Then they can extract maximum advantage while remaining compliant with the regulatory environment. Just remember, the longer you keep the data, the greater the potential exposure in the event of a breach. At a fundamental level, data storage management is a delicate balancing act.
The management of your data retention policy is a critical driver of your company’s fortunes, now and into the future.
RELATED READING
To reduce the risk of potential data exposure, it’s also essential to follow best practices when handling old drives. This should be a golden rule, from individual drives to whole data centers. Our eBooks and checklists can help you develop an airtight data sanitization process that works for you.
