An Introduction to Data Retention
"Data Retention" is a term that's used in many different industries and settings, but it essentially boils down to this: how long do you keep your files? Which is an important question! It's an important question because it affects the efficiency of your business and compliance with industry regulations. If you don't know how long to keep your files, you're also likely not tracking them properly.
That means lost opportunities for growth. As well as potential fines for non-compliance with regulations like HIPAA, GLBA, or Sarbanes-Oxley (SOX).
In this post, we'll cover some basic questions about data retention policies including why they're important, best practices for data how to determine the length of time required for your company's file retention policy, and best practices for implementing one successfully. After reading this guide you'll never have trouble answering again "how long should I keep my data?"
FAQs About Data Retention
What is Data Retention?
Data retention is the act of storing data for a period of time.
What is a Data Retention Period?
The data retention period refers to the length of time that an organization retains its customers’ personal information (such as names, addresses and phone numbers).
Is Data Retention Required?
Data retention is a legal requirement in many jurisdictions including Europe, Australia and North America. The length of time you must retain data is dependent on the compliance and regulations you are trying to meet and your location (state/country) requires.
How are Data Retention Laws created?
Data Retention Laws are based on one or more of three pillars: Data Protection Laws; Privacy Laws; Consumer Protection Laws.
Why do you need a Data Retention Policy?
The reason to develop a file retention policy is simple: to comply with government regulations and industry standards, protect your company from litigation and security breaches, and preserve corporate data.
Data Retention Policy Best Practices
- First and foremost, do your research. Your requirements could cover different types of data which require different data retention policies depending on the regulation.
- Invest in an archiving solution for backups that can automate data retention policies for and take load off your team. If configured appropriately, you should have 2 locations for archival data in case one archive is compromised or fails.
- Consistently backup your data to keep your data retention location updated.
- Don’t hold data longer than is required. Doing so leaves your business open to additional risk because more data = more risk.
- Your policy should be part of the overall information security policy and should be maintained by a combination of IT and legal
- Data retention policies should be reviewed regularly to track changing requirements. Remaining in compliance is your responsibility and informing an auditor “we didn’t know the requirement changed,” is not an acceptable answer.
- Data retention policy should be updated as necessary, and as quickly as possible when changes occur.
A data retention policy should be communicated to all employees and customers whose data will be affected. This includes amendments and changes to the policy.
How to Determine your Data Retention Policy
The first step in creating a data retention policy is to determine your overall data retention period. This can be done by determining the type of data you have, and what level of risk is associated with that type of data. For example, if the information is considered sensitive (such as credit card numbers or social security numbers), then it’s likely that you will need to keep this information for a longer period than other types of information.
Risk-based approaches are becoming increasingly common, especially in industries where there are extensive regulatory requirements such as healthcare, Aerospace & Defense (A&D), and financial services. These industries must adhere to strict regulations regarding how long they should retain customer records before destroying them according to specific standards set forth by regulators like HIPAA or SOX (Sarbanes Oxley).
Once you know what kind of business operation you run and who your customers are–it becomes easier to determine how long certain types of data need to be kept around for both legal reasons and business reasons.
How Long Should You Keep Your Data?
Data retention policies should be compliant with industry regulations, but the length of time your business keeps data depends on your needs.
Keep in mind that keeping your data for too long can be harmful to your business. The longer you keep it, the more likely it is to contain sensitive information about individuals or groups—who may then choose not to do business with you.
Additionally, storing large amounts of data also takes up storage space and requires more time and money spent managing the information when needed.
Some Industry File Retention Requirements
Many industries have their own data retention requirements, ranging from the healthcare industry's HIPAA to the financial services industry's GLBA, FISMA, and more. One of the most important things to remember is that there are many different regulations governing how long you need to keep your records, so it's crucial that you consult with your lawyer or compliance officer before discarding any documents or files that may be required by law.
The best way to ensure compliance with these regulations is to implement a data retention policy that clearly outlines all of the requirements for your business. This will help ensure that you're following the rules and can mitigate any potential legal risks down the road.
For example, if you work in healthcare or financial services and your organization is subject to HIPAA or GLBA regulations, then you need to keep certain records for a minimum of six years. If you don't know what type of industry-specific data retention requirements might apply to your business, then it's best to consult with an attorney who specializes in IT security law so that they can help determine what your specific obligations are. Here's a few of the most common compliances Sharetru's clients must solve for and their retention policy:
- Gramm Leach Bliley Act (GLBA) Data Retention Requirements: 6 years
- Sarbanes-Oxley (SOX) Data Retention Requirements: Varies based on the type of information being stored. For instance, you must keep receivable or payable ledgers and tax returns for seven (7) years, customer invoices must be retained for five (5) years, and payroll records and bank statements must be kept forever.
- Medical Record File Retention Requirements: Strangely, there are no requirements in HIPAA for medical records, but CFR §164.316(b)(2) (i) stipulates how long HIPAA-related records should be retained. The documents must be retained for a minimum of six years from when the document was created, and if it's policy-based, then 6 years from the last date a policy was in effect. However, state-level requirement overrides a HIPAA requirement, so it's important to understand what your state requires.
- FISMA Data Retention Requirements: Contractors and federal agencies who are subject to FISMA must retain data for at least three (3) years.
- NIST 800-171 & NIST 800-53 Data Retention Requirements: SI-12 in NIST800-171 states companies must "manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." This means that data must be retained for the full life cycle of the information, and might extend beyond system disposal. National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules.
- FedRAMP Moderate Data Retention Requirements: Audit records are different from data retention, but most companies working to meet this compliance have a data retention policy in place of at least three (3) years to correspond with FISMA.
- GDPR Data Retention Requirements: Article 5(e) of GDPR states data collected must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” It's vague, and it seems as though you cannot hold data for very long, but additionally, it states you can store it longer "insofar as the personal data will FISMA be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).”
Next Steps for Your File Retention Policy
When it comes to data retention policies, there are a lot of factors to consider. The most important thing is you create a policy that works for your business and review it regularly so that it’s still relevant today and tomorrow.
Each individual business is responsible for setting the appropriate file retention rules. Whether they are using the Sharetru platform for compliant data retention, or any other. It's also important to double check your backup policies for long term archiving meet your compliance requirements.
Sharetru's secure file transfer platform has automated file retention rules per folder that allow you to easily delineate the retention policy across different folders. This ensures you can hold different types of data, and to remove the “delete” capability from users so you’re relying on your system settings. You can now eliminate user error—the chief cause of non-compliance! If you would like to use Sharetru for archival storage, get in touch with us today!
%20Logos%202022/sharetru-white-logo.svg){kind=logo}
