How to Stay Ahead of Data Retention Requirements – Part 1

Record keeping tasks such as data retention and disposal are an essential part of business management and regulatory compliance. 

At its core, data retention is about data control—meaning that an organization has taken steps to identify data throughout its organization, and then assess its importance, determine how long it will keep it, and then dispose of it. This topic also forces a discussion about how to access data, and how to protect data, but it is important to clarify that “data retention” from a compliance or regulatory perspective, is mostly about data governance and does not necessarily specify tools or data management tools.

Why retain data?

In today’s world of highly sensitive data categories (e.g. privacy, health, cardholder, financial, tax, etc.) and increasing regulations, organizations are being forced to clarify data management practices and make certain they take retention rules into consideration.

Regardless of whether a business is required to have extensive retention rules, they may find that their customers, vendors, or partners have requirements and include downflow requirements in contracts and agreements that affect your business practices.

Before an audit or an external assessment occurs, it would be prudent to consider best practices and strategies that are most likely to impact your business.

In this series, we will review data retention requirements and challenges as well as some best practices to overcome them.    

Regulatory requirements

Regulations and compliance programs across the business spectrum address data management and data retention. If you are not already facing specific regulatory requirements, then you should consider those regulations that impact your clients and partners.

You won’t have to look far.

For example, in the United States, securities broker-dealers must retain customer account records for at least six years after the account is closed. Financial institutions, casinos and other businesses must retain records required by the Bank Secrecy Act for a period of five years. Additionally, bank records that are not authorized for destruction after a specific period of time must be retained permanently.

Companies outside the financial services industry have similar obligations. Employers subject to the Fair Labor Standards Act must retain payroll records for at least three years, and the Equal Employment Opportunity Commission requires private employers to retain personnel records for one year after the employment ends.

The following table outlines some common regulatory / compliance sources by business category and includes a snippet of retention language from rules or standards.

Regulation-Compliance program
Retention language samples
Impacts any business that works with credit cards, or credit card processing, to protect cardholder data.
Banks, retail, anyone accepting payment via credit cards, financial transaction processors.
PCI DSS 3.1 – limit protected cardholder data storage to limits specified in company policy, and in alignment with legal or regulatory constraint.
Banks and financial institutions must meet minimum standards for data processing security to protect privacy, confidentiality, and availability of information.
Banks, financial institutions, insurance, lenders.
FFIEC – II.C.22 – Policies should define retention periods for security and operational logs. Institutions maintain event logs to understand an incident or cyber event after it occurs.
Impacts any business in the healthcare industry to protect the confidentiality of healthcare data.
Hospitals, doctor’s offices, medical services, healthcare billing, health research, Insurance.
§ 164.105 A covered entity must retain the documentation as required for 6 years from the date of its creation or the date when it last was in effect, whichever is later. § 164.512 An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
FISMA[IV]/NIST 800-171
Addresses security of all IT systems storing or processing government data.
Federal agencies, state organizations, any contractors to federal government organizations that process / store government data.
NIST 800-53, SI-11 – the organization handles information within the information system; handles output from the information system, retains information within the information system; and retains output from the information system.
State/Government laws on Privacy
Impacts any business that has information that includes personally identifying information.
Any business with data related to the jurisdiction.
Rhode Island – IDENTITY THEFT PROTECTION law (2015)[V]
11-49.3-2. A municipal agency, state agency, or person shall not retain personal information for a period longer than is reasonably required to provide the services requested, to meet the purpose for which it was collected, or in accordance with a written retention policy or as may be required by law. A municipal agency, state agency, or person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.

There is some commonality to all the programs listed above.

First, all these regulations presume that data management is performed as a core function of the organization. Second, compliance with these rules address IT governance and controls towards protecting and maintaining data and processing systems.

A compliance approach for data retention

Applying security controls prescribed by regulations and compliance programs can be challenging.

For instance, failure to retain sensitive data or recall subject data on demand can result in significant fines [vi] and certainly harsh assessment actions. As such, it is important for organizations to create a comprehensive data retention plan.

Identify your data

Data must be identified within systems. For instance: regulated privacy information, or cardholder data, is associated with systems and networks. Assessment of data should be specific enough to determine when/where the data enters the systems, if it is transformed and possibly captured in logs and databases, and where it is physically and logically located.

The assessment process might generate artifacts such as a Privacy Impact Assessment (PIA) or data flow diagrams that illustrate where/when data is moved or stored. Assessment should include addressing any specific requirements from regulation or contracts for retention periods.

Secure your data

Those systems with identified data should have strong security (addressing Confidentiality, Availability, and Integrity) to provide assurance that data is protected and accessible to appropriate parties.

For sensitive data, such as privacy information or customer data, this might imply strong access controls, logging of access and important transactions, and —very typically—the use of encryption for data in transit or at rest.

Typically, strong security is evidenced with access control procedures, capacity assessment for data retention, encryption processes, and backup and restore procedures.

Deploy security systems

Security management/governance of the systems must be applied and verified. This means the organization setup policies, procedures, and retention schedules to address security and oversight of the sensitive data it possesses. These controls typically include the company-specific methods of managing security, and often relate to service level agreements (SLA) or other imposed quality controls.

For instance, addressing business continuity and disaster recovery typically requires backups of important data. Policy and procedures dictate the retention period of data stored in backups or in log files. Standards specify the type of encryption used by the company in data storage and transit.

Delete retained data

Permanent deletion of the retained data must also be part of any retention policy. This is particularly challenging if data is determined to exist in transaction logs or backed up in multiple systems. One common method to address secure deletion of data is done by encrypting the data when stored, and then deleting the encryption key after a specified retention period. Otherwise, it will be important to prepare for how backups of combined records might be stored and disposed of.  

To verify how these policies or procedures are implemented, the company should document standards, train staff, and test controls, (e.g. backup and restore capabilities) to verify they work as planned.

Summing it up

It is clear that data retention policies are a challenge for organizations. Taking a compliance approach for data retention is becoming increasingly important for businesses but it involves organizational changes.

The next part in this series will specify some of the common challenges with data retention that organizations will have to address as well as some best practices and strategies to tackle them.

[i] PCI Standards Council is a coalition of major brands of credit cards. The Data Security Standard (DSS) provides the exact language of the controls expected.[ii] Federal Financial Institutions Examination Council (FFIEC) a formal interagency body empowered to prescribe uniform principles, standards, and report forms for banks and credit unions. See


Gramm-Leach-Bliley Act (GLBA) – The act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.


National Credit Union Administration 12 CFR Part 749: Record Preservation Program and Record Retention, Appendix A and B (N/A)

[iii]  Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

[iv] Federal Information Security Management Act (FISMA) points to NIST 800-53 which provides details on security requirements. NIST 800-171 is a subset of 800-53 for the scope of businesses doing business with federal clients and maintaining federal information.

[v] Rhode Island Senate Bill 134 (2015)

[vi] Particularly for regulations such as HIPAA and programs like PCI. PCI fines range from $5,000 to $100,000 a month.

ViolationAmount per violationViolations of an identical provision in a calendar year
Did Not Know$100 – $50,000$1,500,000
Reasonable Cause$1,000 – $50,000$1,500,000
Willful Neglect — Corrected$10,000 – $50,000$1,500,000
Willful Neglect — Not Corrected$50,000$1,500,000

Source: HHS, Federal

Get started for free

Completely free for 14 days, no strings attached.