17 DECEMBER 2020
Does any business today think they do not need a data retention strategy? It’s not likely. The regulatory requirements around data retention and privacy are in the news almost daily. And the risks of not having a data retention strategy are well known.
Keep information too long, and you could be in violation of the law and subject to huge fines. Delete something you should have kept, and you could jeopardize an audit or legal investigation, and even damage your good name.
Why, then, do so many organizations still struggle with implementing a data retention strategy that works for their business? And most importantly, what can they do to solve the problem for the long term?
A data retention strategy is an important driver of a company’s ability to respond to regulatory, litigation, and consumer requirements. But there are barriers to creating and maintaining an effective strategy.
The regulatory landscape is constantly shifting, especially as the influence of laws such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) grows. That makes ongoing compliance a moving target.
At the same time, the amount of business data is growing exponentially, across an expanding range of technologies used for creating, sharing, and storing information. These include emerging platforms such as cloud-based computing, social media, and AI, as well as shared drives, groupware, email systems, file servers, and other common business tools.
In short, your organization’s data includes everything your employees create and every platform they use.
Because the sheer volume of data is overwhelming, organizations that don’t have good data policies in place tend to over-retain information — and that puts them at risk of:
Even when companies have a data retention strategy, it’s easy to lose sight of the need to keep it refreshed and maintained for the long term. As organizations change and responsibilities shift, the retention program often falls by the wayside — until the next time a data retrieval or deletion issue costs time and money, or creates some other problem for the business.
These days, most businesses do have some type of data retention strategy. Generally, it consists of a retention schedule and policies associated with records that must be kept or deleted according to laws and regulations.
But where many organizations still fall short is in making their data retention strategy an integral part of the business mindset and its processes.
It is not enough to understand what information you need to keep and for how long. The challenge lies in knowing how to apply regulations and laws — and the related data retention obligations — across the organization.
In other words, you need a data retention strategy that is operationalized across the business to:
Data retention strategy is a vital component of information lifecycle management, or the governing of data from the time it is created or collected through the end of its life (deletion/disposal). It requires having the right retention policies in place, with the right governance on top of them.
Therefore, the process of building a strategy begins with specifying which information governance (IG) requirements apply to your data — including your retention and privacy obligations — and identifying the information that is subject to those requirements.
These five steps will aid in this process and help you operationalize a data retention strategy across your organization.
Gather regulatory intelligence to create a reliable source of retention and data privacy requirements, covering all the locations and businesses in which your organization operates. This step includes:
Map the organization’s data retention and privacy requirements to the different business or geographic locations where you operate, to:
Next, decide where data retention obligations will be housed and implement one or more systems for capturing and maintaining regulatory intelligence and the organizational locations (businesses and sources) of records, personal data, and other relevant information. In effect, this creates a data source catalog.
This step is crucial to maintaining and sustaining the strategy over time as data retention regulations and obligations change.
Create an operating model for the ongoing identification and maintenance of the proper population of “regulated persons” — employees, users, consumers, clients, or anyone else whose communications are subject to retention and surveillance.
The only way to sustain a data retention strategy is by communicating it to employees so they know what their retention obligations are, including the right nomenclature (record classes) to use and how long to keep information.
This vital step is where you educate employees on the strategy-based processes and accompanying technology that will be used to identify records and personal data in existing data stores, applications, and business tools.
An effective data retention strategy requires an operating model in which people, processes, technology, and governance are all aligned on requirements, roles, and responsibilities. That’s precisely why it can be so difficult to create a strategy that works for the business.
But done right, a data retention strategy that is operationalized across the organization not only addresses its record retention and disposal needs, but also an array of IG challenges — delivering benefits including: