Does any business today think they do not need a data retention strategy? It’s not likely. The regulatory requirements around data retention and privacy are in the news almost daily. And the risks of not having a data retention strategy are well known.
Keep information too long, and you could be in violation of the law and subject to huge fines. Delete something you should have kept, and you could jeopardize an audit or legal investigation, and even damage your good name.
Why, then, do so many organizations still struggle with implementing a data retention strategy that works for their business? And most importantly, what can they do to solve the problem for the long term?
What are the main challenges in building a data retention strategy?
A data retention strategy is an important driver of a company’s ability to respond to regulatory, litigation, and consumer requirements. But there are barriers to creating and maintaining an effective strategy.
The rules keep changing.
The regulatory landscape is constantly shifting, especially as the influence of laws such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) grows. That makes ongoing compliance a moving target.
Data is growing at lightning speed.
At the same time, the amount of business data is growing exponentially, across an expanding range of technologies used for creating, sharing, and storing information. They include emerging platforms such as cloud-based computing, social media, and AI, as well as shared drives, groupware, email systems, files servers, and other common business tools.
In short, your organization’s data includes everything your employees create and every platform they use.
The temptation is to keep it all.
Because the sheer volume of data is overwhelming, organizations that don’t have good data policies in place tend to over-retain information — and that puts them at risk of:
- Increased exposure to audits or litigation
- Damage to reputation due to cyberattacks or breaches
- Increased IT and operational costs for storage, backup, and retrieval
- Decreased operational efficiency due to the volume of irrelevant data in circulation
It’s hard to keep a strategy up to date.
Even when companies have a data retention strategy, it’s easy to lose sight of the need to keep it refreshed and maintained for the long term. As organizations change and responsibilities shift, the retention program often falls by the wayside — until the next time a data retrieval or deletion issue costs time and money, or creates some other problem for the business.
Where does data retention strategy fall short?
These days, most businesses do have some type of data retention strategy. Generally, it consists of a retention schedule and policies associated with records that must be kept or deleted according to laws and regulations.
But where many organizations still fall short is in making their data retention strategy an integral part of the business mindset and its processes.
It is not enough to understand what information you need to keep and for how long. The challenge lies in knowing how to apply regulations and laws — and the related data retention obligations — across the organization.
In other words, you need a data retention strategy that is operationalized across the business to:
- Apply retention obligations — what information can and should be kept, and when it must be deleted — to all the data the organization collects or creates
- Document that data policies and procedures are consistent, transparent, and sustainable
- Evolve and scale as needed to continue meeting retention obligations as laws and regulations change
How do you create and operationalize a data retention strategy? Take 5 steps.
Data retention strategy is a vital component of information lifecycle management, or the governing of data from the time it is created or collected through the end of its life (deletion/disposal). It requires having the right retention policies in place, with the right governance on top of it.
Therefore, the process of building a strategy begins with specifying which information governance (IG) requirements apply to your data — including your retention and privacy obligations — and identifying the information that is subject to those requirements.
These five steps will aid in this process and help you operationalize a data retention strategy across your organization.
1. Identify the data regulatory requirements.
Gather regulatory intelligence to create a reliable source of retention and data privacy requirements, covering all the locations and businesses in which your organization operates. This step includes:
- Identifying the different classes of records you need to keep for regulatory, legal, and business purposes
- Creating a record taxonomy for naming the different record classes, for a consistent system of filing listings
2. Map out the business and geographic data regulations.
Map the organization’s data retention and privacy requirements to the different business or geographic locations where you operate, to:
- Pinpoint all the locations to which each requirement applies
- Determine which regulations may differ between locations, and how
- Identify the presence and sources of records and personal data to which your retention obligations apply
3. Maintain the data’s regulatory and organizational information.
Next, decide where data retention obligations will be housed and implement a system(s) for capturing and maintaining regulatory intelligence and the organizational locations (businesses and sources) of records, personal data, and other relevant information — creating, in effect, a data source catalog.
This step is crucial to maintaining and sustaining the strategy over time as data retention regulations and obligations change.
4. Identify the regulatory population.
Create an operating model for the ongoing identification and maintenance of the proper population of “regulated persons” — employees, users, consumers, clients, or anyone else whose communications are subject to retention and surveillance.
5. Communicate regulations to the organization.
The only way to sustain a data retention strategy is by communicating it to employees so they know what their retention obligations are, including the right nomenclature (record classes) to use and how long to keep information.
This vital step is where you educate employees on the strategy-based processes and accompanying technology that will be used to identify records and personal data in existing data stores, applications, and business tools.
What are the benefits of an operationalized data retention strategy?
An effective data retention strategy requires an operating model that includes people, processes, technology, and governance to all be aligned on requirements, roles, and responsibilities. That’s precisely why it can be so difficult to create a strategy that works for the business.
But done right, a data retention strategy that is operationalized across the organization not only addresses its record retention and disposal needs, but also an array of IG challenges — delivering benefits including:
- Knowing where all your data is and how to retrieve it as needed
- Being more responsive to litigation and consumer obligations as well as regulatory requirements
- Improving operational efficiency and time/cost savings by proactively managing data
- Minimizing legal, audit, and breach risks due to large amounts of retained data
- Reducing the costs of data storage, search, retrieval, and administration
- Seamlessly adapting to new, evolving, and increasingly global regulations
To learn more about data retention strategy or about information governance in general, please contact lynn@bernsteindatao.wpenginepowered.com.