An enterprise data management strategy isn’t complete unless it includes an effective data retention policy.
A data retention policy (DRP) is simple, yet often disarmingly so. In essence, a DRP is a system of rules for holding, storing, and deleting the information an organization generates and handles. What is far from simple is building a data retention policy that’s comprehensive, manageable, and compatible with current and evolving legal, industry, and government demands.
DRP policies not only reduce an organization’s risk of running afoul of mandated requirements, but they can also add enormous value. Data governance reduces the costs associated with compliance and investigation, as well as potential downstream litigation, explains Andy Gandhi, a managing director at corporate investigation and risk consulting firm Kroll. “It also reduces internal costs associated with hardware for storing unnecessary data on servers … as well as staff to manage the data and servers,” added Gandhi, who’s also the global leader of Kroll’s data insights and forensics practice.
A DRP is also fundamental for knowledge development, says Pedro Ferreira, an associate professor of information systems at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy. “A good DRP will store all data collected in ways that can be used in the future,” he notes.
When legal, regulatory, or security issues arise, it’s too late to begin thinking about getting the organization’s data in order, warns Scott Read, risk and financial advisory information governance leader at IT and business consulting firm Deloitte. “The digital landfill that most organizations are sitting on, be it in on-prem data centers or scattered across the cloud, is a ticking time bomb of cost and risk.”
Read recommends proactively managing and modifying data in combination with normal, defensive business processes driven by data retention policies to limit the company’s exposure to adverse events. In addition, organizations need to learn how to efficiently create, use, and dispose of obsolete records in order to operate smoothly and in an orderly manner. “Data retention policies and retention schedules are important tools for establishing efficient, normal business processes,” he says.
The first step in creating a comprehensive DRP strategy is to identify the specific business needs that your retention policy needs to address. The next step is to review the compliance regulations that apply to your entire organization. “We will nominate a team of individuals across different business practices to initiate a data inventory and devise a plan to implement and maintain a data retention policy that meets business requirements while complying with compliance regulations,” Gandhi said. I will advise you.
There is no one-size-fits-all way to build a data retention policy. “The key to effective compliance is to establish, implement, and maintain programs using well-defined protocols,” Gandhi said. This approach, in any form, should be flexible enough to meet your business requirements and strategies while protecting your data.
Identify and wrap the most important datasets to prevent the data policy from being overwhelmed with extra information. Recommended by Mitch Kavalsky, Senior Director of Security Governance, Risk and Compliance at Sungard Availability Services, a data recovery service provider. “We need to prioritize sensitive data such as personnel and financial records,” he advises. “If data is important to your business, it’s likely to be most important to your regulator, and your policy must ensure that these datasets are addressed.”