Solving data retention is a complex problem. Companies retain all kinds of data for different purposes, each requiring different retention rules for distinct types of information. Adding another layer of complexity, data retention laws and regulations vary not only by the type of data but also by geography. Country-specific laws dictate how long an organization needs to retain some data and when to eliminate other data. In addition, specific data may need to be retained for a legal hold that would supersede a country or data-type retention regulation.
What is Data Lifecycle Management?
The terms Data Records Management, Data Lifecycle Management, and Data Retention Management are often used interchangeably, and they all refer to the fact that data has an expiration date. Laws and regulations govern how long data can be saved and when it must be deleted, and some require that specific information be saved for a minimum period of time.
Information Regulations by Industry and Type of Data
Across all industries, organizations need to maintain compliance with different retention regulations that vary by industry, country, or even by state for information such as:
● Tax records
● Medical records
● Human resources records
● Customer information
● Accounting data
● Environmental data
● Personal data
An example: Data Retention in Healthcare
In the United States, regulations vary depending on the state. States may require that health practitioners save medical records for a minimum of 5-10 years. For adults, 7 years is standard. Some retention laws may say that a minor’s medical records must be kept for 10 years, but if they are under 20 years old, the records must be retained until they turn 20. In addition, different laws may apply to hospitals and to doctors’ offices.
Where to Start with Data Retention
Organizations need to know what kind of data they have, what regulations apply, and how to establish and execute policies for compliance. For organizations operating multi-nationally, adhering to various country regulations is even more complex.
At any given time, retention laws may be added or altered, so Chief Data Officers (CDOs) need to stay current with retention laws to adjust and execute new policies for their company.
Who owns Data Retention?
Is data retention an IT initiative, a business problem, or a governance problem? Should data retention be dictated by the business leaders, legal, privacy, or security teams?
Data retention applies to all parts of the business for different initiatives and priorities. A complete data lifecycle management program will consider the business processes and business needs of stakeholders.
CDOs are more frequently tasked with owning data lifecycle management with data governance priorities. A challenge that a CDO faces in establishing a data retention program is that, in addition to complying with various regulations, some of their stakeholders may have conflicting motivations.
● An IT team wants to move or delete data to save costs, reduce risk, and streamline data environments.
● A security team wants to delete unnecessary and expired data to reduce the risk of a data breach.
● Business owners, analysts, and data scientists want to hold data for as long as possible to have more data for modeling and analysis.
● Data & analytics managers want to delete expired data so that it is not used for analysis and does not clutter their workspace.
● A privacy team wants to remove personal data for compliance.
● A legal team wants to preserve specific data for a legal case.
Because organizations are working with roles that may have conflicting priorities about data lifecycle management, it is important to have consistent, documented policies about when data will be retained and when data must be deleted.
Applying Technology to Automate Data Retention
Technology solutions are available to automate the complex task of applying data retention policies. Organizations first need to discover and classify information so that they know what data they have and which retention policies apply to it. Advanced artificial intelligence (AI) solutions help automate discovery and classification to identify and match the data to the relevant policy.
As organizations have vast amounts of data, applying technology solutions to assist with lifecycle management is a recommended best practice to maintain a data retention program with the scale and speed needed for compliance. There are solutions specifically dedicated to documenting current retention laws in a way that organizations can apply them.
These security solutions help companies maintain retention compliance without needing a full legal staff to keep up with changing regulations. Automating data discovery and applying policy tracking is more efficient and accurate than tackling the problem with manual effort.
Executing a Data Retention Initiative
Organizations need a way to:
● Identify the data in their environment — and know what it is and where it is.
● Know which retention laws apply to the data under their control.
● Execute retention policies to ensure that data is retained or removed for compliance.
● Stay current on the laws and regulations that apply to the data they manage.
● Update retention policies as regulations change.
● Audit to confirm that compliance is achieved.
● Maintain compliance for new data in the environment, new geographies, and legal retention.
Benefits of Data Lifecycle Management
Organizations gain benefits from business-centric data retention programs, including:
● Connecting business, legal, and IT priorities.
● Gaining customers’ trust that their data will be treated responsibly.
● Maintaining compliance with geography-specific laws across different kinds of data.
● Applying consistent retention policies across the data ecosystem.
● Reducing the risk of exposure from saving data longer than needed.
● Saving storage costs by following retention policies to eliminate expired data.
● Avoiding fines for non-compliance with regulations.
● Establishing rules to save data needed for legal holds.