In part 1 of this series, we tried to outline what data retention is and why it is needed to overcome increasing requirements for various regulatory standards. As detailed, there are some clear guidelines for organizations to take what we called a “data retention approach for compliance”.
In this follow up post, outline some specific technological and procedural challenges you might face as well as some practical guidelines and strategies to overcome them.
Data Retention Challenges
There are a number of important challenges with data retention that many organizations will have to address. Some of the common ones are listed here:
- Requirements for different data classifications from various sources can proliferate. Be cautious about accepting categorization from different customers, regulations, and other security programs for alignment with their data classifications (for instance: PII, PHI, and PD are all categories of privacy data from different regulations).
- Requirements for retention and disposal should be balanced by your organization’s needs and requirements. You may find requirements from customers are in conflict (e.g. retain nothing longer than 90 days vs. retention should be at least 180 days). An ability to address these different requirements is a resource and management issue.
- Identifying sensitive data can be hard. It may feel easier to just protect all your data at a common/higher than required security classification. This may backfire if the costs for encryption, or retention, are difficult to scale.
- Your retention schedule says you keep data for a specific period, but you’ve never deleted anything. Remember that audits, regulatory orders, and assessments often review any data you have retained, regardless of retention schedule. This may not concern you, but your customers may have strong feelings otherwise.
Data Retention Strategies
Organizations that operate with minimal personnel and resources might not see much immediate value in data management activities such as data retention.
They may associate “saving” (or not disposing of) data with being sufficient. However, if security, compliance, or legal requirements arise, saving all data may not be sufficient since data governance activities imply the organization tracks its data, protects data based on importance, and has disposed of information that is no longer needed.
Some strategies that can help are:
- Assess company data for customer/regulatory categories to find a balanced approach to data classification within your organization. If a data set maintained by your organization is critical for your and your clients’ business, then it may suffice to be classified with a single category. Having fewer categories may be more useful to staff who are expected to take actions based on the classification. If you do classify different data sets as one, provide guidance for staff and assessors on how the approach is consistent.
- Businesses that process multiple clients’ data and offer service level agreement (SLA) should consider a single retention schedule for customer data/backups/logs instead of negotiating different schedules for each client.
- Carefully identify proprietary or intellectual property. That information may require special protections regardless of retention archive/disposal schedule.
- Double check federal and state regulation and industry trade groups for changes to compliance requirements for your/your customer industries. This should be done at least annually to pick up on important changes to retention requirements on topics like privacy data.
- Identify data that must be kept for legal compliance (e.g. discovery) requirements to ensure the data is retained appropriately (i.e. you may need to archive rather than dispose of data after a certain retention time).
- Examine all data sets in the company to examine possible value and risk to the company. When you find data that has no particular value or risk, you may be able to dispose of it immediately—and that could save your organization requirements for data storage and maintenance.
A few technical pointers
One common data retention best practice is to automate specific actions which help ensure the retention policy. To do that, however, often requires that you electronically classify or segregate data to ensure that the auto-retention processes (autodelete for example) are performing on the correct data set. Therefore, you must work with your data and network staff to implement tactics for improving segregation of sensitive data as well as improving integration with technologies that can help identify sensitive data in your environment.
Rather than trying to implement an enterprise-wide data retention program, it may be advantageous to automate retention for a specific data category or type.
Ensure that any data retained (such as for contractual purposes) is maintained in a searchable/usable fashion. This may result in needing tools to help index or encrypt data on the fly.
The cost of retention of large data sets is not insignificant, and many IT organizations find the costs become a limitation of the retention program. The solution to this is to find and use tools that improve the ability to compress and de-duplicate data wherever possible.
Retention requirements for your business may have direct requirements dictated by your industry or may be inherited through customers or other legal relationships. The goal of your business is to address retention as part of data management by identifying what, where, and how data is stored, classified, and deleted. A major artifact of data management is creating policies and procedures to help guide your staff and help you to select automation that can facilitate data management.