Data Backups Could be Your Company's Most Important Decision

Establishing a Data Retention Policy

Dear Data-Diligent Reader,

Establishing a policy on how long data must be retained sounds easy enough. It isn't. For starters, not all data is the same. If you are protecting everything, or are uncertain whether data is being protected properly, then it is time to build and implement a data retention policy.

Some companies realize they need a proper data retention policy when they examine their storage costs. Others realize gaps when they go through a litigation hold.

What happens if your company requires you to retain certain data forever? One company’s IT director related how for several years they had been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. Being barred from overwriting backup tapes comes at a cost – they were spending about US$40,000 a month just for new tapes. More costs arose because they were prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees. It wasn’t until the IT director spoke to the company’s inside counsel that they created an appropriate retention policy that allowed them to move away from their “protect everything” policy.

Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.

A comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, you need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data — e-mail, chat logs, UNIX system logs, and firewall and VPN logs, for example — and inactive data such as documentation related to sales, service, legal and finance.

Another complication arises from being a global organization. You need to look across the various markets that you serve and understand relevant data retention and privacy requirements. Some regulations extend to e-mail messages containing price negotiations. The key is to develop a policy to keep employees from deleting data that they think would hurt the company if discovered.

Creating a data retention policy is not easy. Just identifying the various data custodians can be a challenge. But this shouldn’t be a task that you ignore. Just like having a good disaster recovery plan, having a data retention policy will pay dividends, both when it comes to finding and presenting the data that you need in a hurry, and through storage cost reductions. Here is a link to a good article that can help you get started.
