A data retention policy is a set of guidelines that outline which types of data should be kept and how long they should be retained to meet legal and compliance regulations. It is important to apply and enforce the data retention policy in a clear and uniform manner to reduce the risk of spoliation and non-compliance. While data retention is mandated by some authorities, it can also benefit organizations by supporting the defensible deletion of data, which ultimately reduces the costs and risks associated with storing unnecessary data. If you have a firm data retention policy in place and can prove that you actually follow and enforce it, your organization will be in a better position in the event of litigation.
Reasons to Implement & Enforce a Data Retention Policy
- Comply with industry and government retention requirements
- Reduce storage costs
- Support defensible deletion
- Enable better search
- Increase productivity
- Reduce risk associated with keeping everything forever
When data is retained, it is usually moved to an archive for the most economical storage and easier access. Although the archive is the main location for this data, data retention policies should also take backup copies into account. Data backups should never be retained for longer than you would reasonably use them for recovery, because doing so essentially extends the retention timeline of the items contained in the backup, which can open your organization to legal and compliance risks.
While some companies maintain that keeping everything forever is the best retention policy, there are many reasons to avoid this. First, it is very expensive to store this data, and there are also time and cost associated with managing the data, backing it up repeatedly, and finding what you actually need. Second, old data can be a headache in the event of litigation. Old data (that could have been defensibly deleted) can now be held against you and result in an unfavorable judgement, fines, and damaged reputation. It is therefore best practice to dispose of data once it has been retained for the mandated retention period outlined in your data retention policy.
Considerations for building an electronic data retention policy:
- Data Type (Email, Files, Folders, IMs, etc.)
- Varying Retention Periods (Federal, State, Industry)
- Industry regulations (SOX, HIPAA, FINRA, PCI DSS, etc.)
- Automatic deletion upon retention expiration
- Data Access
- Location of stored data
While a data retention policy should be established with input from your legal team and management, Bishop helps organizations ensure that the technology and information management policies support the retention goals of the company and are working properly for compliance. Bishop offers several solutions that can help you manage your data from creation to defensible disposal, and we provide support for retention management in Office 365 and Azure. To learn more about ensuring a sound retention policy for your organization, please contact Bishop!