Any discussion about data retention invariably includes a legal factor, which makes it a topic IT professionals tend to avoid or shy away from. Frankly, no one can blame them, as decisions regarding what data can be deleted carry serious legal implications. On the other hand, failing to make data retention decisions increases storage costs and can also lead to legal ramifications. With this context in mind, this article will outline considerations for developing a data retention policy.
For the purposes of discussion, the term "record" in this article refers to computer system data with business significance, not all data. Although paper records share similar characteristics, this discussion focuses on computer system data.
The Significance of a Data Retention Policy
There are three main goals of an electronic data retention strategy, summarized as follows:
To preserve important records and documents for future use and searchability
To dispose of records and documents that are no longer needed
To organize records for future access
When we analyze the above list further, we quickly realize that the first point is the primary reason for data retention. We retain data because we believe it may be needed later (as it represents a wealth of knowledge and resources) or for legal reasons. The second point highlights why we need a strategy — we do not want to retain all data indefinitely unless absolutely necessary. The third point emphasizes that if we cannot locate and access records when needed, simply retaining them is meaningless.
Motivation for Data Retention Policies
The purpose of a data retention policy has already been clearly stated. However, there are still business factors that influence it:
Reducing the amount of data to save costs
Simplifying data management at a lower cost
Compliance with regulations (legal regulations, privacy protection)
Reducing data storage costs may drive many data retention policy initiatives. In addition to simple storage costs, there are costs associated with managing complex storage and backup environments, as well as impacts on data center growth. While data deduplication technologies help to some extent, they mainly reduce impact rather than address the root cause. In other words, compressing data is important, but reducing the volume of data that needs compression is better.
Which Data Should Be Retained and Which Should Be Deleted?
The first consideration for data retention is regulatory compliance: what data your company is legally required to retain and for how long. When developing a data retention strategy, an initial data classification is needed. Some key points for classification include:
Is the data a temporary record?Log files, drafts, and copies of working documents may be classified as temporary records and are unlikely to be long-term storage candidates.
Is the data primarily composed of knowledge attributes? Such data should be retained as long as it remains useful, until it becomes obsolete.
Is the data a long-term record? Documents such as contracts, tax returns, patient information, or trade secrets must be retained for specified periods, sometimes indefinitely.
Is the data subject to information freedom and privacy protection laws? In such cases, documents must be retained for specific periods before mandatory destruction.
Is it legitimate business data? Employees often store personal, non-business data, such as audio or video files, on company storage devices.
Is the data subject to legal discovery in legal activities? In some cases, the absence of a clear data retention policy can be challenging for defendants and increase the cost of document discovery, as locating litigation-relevant documents requires finding all related documents.
The last point mentioned should be the strongest motivation for developing a comprehensive and enforceable data retention policy. Some data, like tax records, must legally be retained for specific periods, while other data must be deleted. For example, in April 2006, new rules on key evidence and electronic discovery issued by the U.S. Supreme Court stated that companies are not required to retain all data indefinitely. The rule specifies that if a company can demonstrate that its data deletion was a predictable, repeatable business process, it can be exempt. Standardized, routine, automated, and verifiable email deletion may be the best example of such behavior. It is worth emphasizing that while data retention policies must be comprehensible, they should also be manageable and enforceable. To achieve this, data classification should be limited to a small range.
Managing Data Retention Policies
We have discussed the goals, motivations, and key points for selecting data for a retention policy, but there remains a question: who is responsible for creating and managing this policy? Returning to the era of paper document management, this responsibility fell to records managers, a role that has disappeared in many companies along with paper records. Developing a policy requires collaboration among storage administrators, application leaders, and executive staff. In practice, the IT department may need to lead efforts to promote and manage data retention as a means of controlling storage growth.
The policy itself should not be complex, but rather summarized in a document outlining compliance with the policy and details on data retention. As mentioned earlier, the policy must be manageable and enforceable. Initially, it should focus on data that can or must be deleted, and then expand as needed. Policy documentation must be reviewed by the company's legal counsel and supported by all management departments. It should be treated as a company-wide policy, not an IT best practice document. Revisions are necessary, so the policy should be reviewed annually to ensure its continued relevance. Data discovery and archiving software can play a role here, as no one wants to manually search and delete data. Automation software ensures compliance by identifying, migrating, and eventually deleting data (e.g., archiving storage).
Data retention, and more importantly, data deletion, is a complex task that should not be taken lightly. Data that does not need to be retained should be deleted once it is confirmed not to be legally required. It must be emphasized once again that seeking legal advice is necessary. Organizations should not avoid this important yet simple task just because they are unfamiliar with laws and regulations. The benefits of a comprehensible data retention policy far outweigh the efforts involved in its creation and implementation.
Always Back Up Critical Data
When developing and enforcing data retention policies, using the right tools can significantly simplify the management process and improve compliance. Vinchin Backup & Recovery is a comprehensive data protection solution designed to safeguard virtualized, cloud, and physical environments. It supports a wide range of platforms, including VMware, Hyper-V, Proxmox, XenServer, oVirt, and more. The software offers features such as data deduplication, compression, and flexible backup and recovery options to ensure optimized storage utilization and rapid recovery.
It also provides flexible data retention methods, supporting the retention of backup data by day, by number of backup points, or by backup chain. This mechanism can be adapted to various application scenarios and different RTO/RPO policies, which greatly enhances the flexibility and convenience of data management.
It's quite easy to backup VMs with Vinchin Backup & Recovery:
1. Select the backup object.
2. Select backup destination.
3. Configure backup strategies.
4. Review and submit the job.
Here is a full-featured 60-day trial below! Or, contact us with your requirements, and you will receive a tailored solution for your IT landscape.
Data Retention Policy FAQs
1. Q: How long should data be retained?
The retention period varies depending on the type of data, industry regulations, and organizational needs. Policies are typically guided by laws, industry standards, and internal requirements such as GDPR, CCPA, and other regulations.
2. Q: How is data retention different from data archiving?
Data retention defines how long data is kept, while data archiving refers to moving data that is no longer actively used to a storage system for long-term retention.
Conclusion
A data retention policy is more than just a compliance tool; it is a strategic asset that protects data, mitigates risks, and optimizes costs. By establishing clear retention guidelines, you can navigate complex regulatory landscapes, secure sensitive data, and maintain operational efficiency. Proactive and strategic implementation of data retention policies not only minimizes risks but also lays the foundation for a more efficient and resilient data management approach.
