It’s a keeper: creating a data retention policy that fits – and works

“The AG2R La Mondiale Mutual Insurance Group (SGAM AG2R La Mondiale), responsible for coordinating the group’s provident, dependency, health, savings, and supplementary pension insurance activities, was keeping data on millions of people for an excessive period of time and was not complying with its information obligations in the context of telephone canvassing campaigns,” found French data protection watchdog CNIL last year, following an audit carried out at one of the largest insurers nationwide.

This negligence cost the mutual insurance group a hefty €1,750,000 for violating two articles of the EU’s General Data Protection Regulation (GDPR). Not only had the company stored the data of over 2 million customers, including health information and bank account details, well beyond the retention period allowed after the end of their contract, but the script used by its call center agents had also failed to inform callers of AG2R La Mondiale’s privacy policy, the recording of their personal data and their right to object.

The French insurer was only the latest in a line of companies to get into trouble for not having the right data retention policies and practices in place.

In 2019, real estate company Deutsche Wohnen SE became the first in Germany to be hit with a multi-million-euro penalty by local data protection authority BBDI for its lack of GDPR-compliant data retention and deletion procedures for tenants’ personal data. The same year, the Danish data protection agency fined furniture manufacturer IDdesign approx. €200,000 for failing to delete the personal information and purchase history of some 385,000 customers after switching to a new ERP system. While it seems that the company may not have to pay the fine due to legal technicalities, the fact they broke the rules is clear.

So how long should data be retained? What legal requirements apply to a record retention policy? And who should be involved in the development process? This week, we’re taking a deep dive into the dos, don’ts, and do-betters of data retention policies, from what to include to how to make them stick.

What is a data retention policy – and what should it cover?

A pillar of an organization’s overall data management strategy, a data retention policy or record retention policy, is an established protocol for keeping information for operational or regulatory compliance reasons and deleting it once it’s no longer required. In the simplest of terms, according to TechTarget, a data retention policy must answer two key questions: how you organize information so it can be searched and accessed and how you go about disposing of it past its retention period.

As for its scope, data retention entails the clarification of what data needs to be archived or stored, where this data should go, and for how long, plus who’s responsible for categorizing and managing this data. “An effective record retention policy ensures that data is available for its intended applications, stored in a cost-effective way across its entire life cycle, and properly destroyed when it is no longer needed,” explains Chaos Search’s Dave Armlin.

Beyond compliance: why have a data retention policy in place

Let’s get the most obvious thing out of the way: most businesses are required to have a data retention policy by law – or a patchwork of laws, depending on where they and their customers are located and what industry they operate in.

The EU law on data protection and privacy, the GDPR, applies both to businesses that operate within the EU and those who offer goods or services to customers in the EU, requiring them to keep data “for no longer than necessary for the purposes for which the personal data are processed.” On the other side of the world, the US’s California Consumer Privacy Act, or CCPA, has so far only required companies to disclose what types of personal information they collect, how it is obtained and used, and whether it’s sold or shared, PwC points out. Under the new California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023, they will also be obliged to disclose how long they keep different types of personal information or, if that’s not possible, the criteria used to define retention periods.

Examples of industry-specific data retention regulations include the Family Educational Rights and Privacy Act (FERPA), stipulating that student records should only be kept for six years after the student is no longer active, or the Health Insurance Portability and Accountability Act (HIPAA), which prescribes that HIPAA-covered entities hold on to policies and procedures relating to HIPAA compliance for at least six years from creation date or last effective date. PCI DSS, short for the Payment Card Industry Data Security Standard, sets forth that all entities that store, process, or transmit cardholder data must destroy information that’s no longer needed. The Bank Secrecy Act, or BSA, specifically requires US financial institutions to keep financial records for five years.

But data retention is – or should be – more than just a compliance concern. According to ICO, the UK’s independent body set up to uphold information rights, “Ensuring that you erase or anonymize personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimization and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.” Data doesn’t exactly age like fine wine: the older it gets, the more likely it is to drag down network speed and reliability and increase storage costs, cybersecurity, and legal exposure, and the risk of misuse or mistake instead of business value.

To keep or not to keep: the most common data retention challenges

Finding and keeping track of unstructured data is a key hurdle to proper data management, data retention and disposal included. “Arguably the biggest quantity of data in a system, un-modelled and un-defined type of data is found everywhere and could end up challenging to monitor,” EY believes. “There is no way to be certain of the location of unstructured data at any given point of time without the help of common tools such as process identification or data-flow mapping.” To make things harder, structured data accumulating in gigantic databases can also be a pain to retrieve.

“Over the past decade, data lakes have surged in popularity amongst data scientists looking to experiment with advanced analytics,” explains Cyber Security Hub’s Elizabeth Mixson. “However, if not properly maintained, data swaps can easily devolve into data swamps whereby the system is flooded with irrelevant, unusable data.” And they can wreak havoc on an organization’s data management efforts in more ways than one. No matter how well-kept, data lakes are vulnerable to false data injection and malware obfuscation, making it easier to meddle with file objects without a trace.

While most businesses have already mastered the art of data keeping, the same can’t be said for data deletion. In a 2020 survey jointly conducted by Deloitte and data erasure and mobile device diagnostics solutions provider Blancco, 80% of respondents said they had a data retention policy in place, but only one out of three of them provided data to the business process owners for final disposition. Data rarely gets reclassified and anonymized in practice, with only 30 percent of companies making use of automated erasure solutions.

Data retention policy best practices: from brainstorming to implementation

Data retention needs and objectives come in all shapes and sizes – but here’s a list of expert tips any data retention strategy can benefit from.

1. Make it a team effort

Developing an organizational data retention policy should not be a solo show. Or an umpteenth entry on the legal department’s to-do list. Set up a diverse team of contributors with different expertise and experience levels, from IT admins to accounting managers, to make sure that all stakeholders are covered, aspects understood, and ideas discussed when drafting the policy.

2. Understand both business and regulatory demands

Is your business subject to GDPR or PCI DSS? Both? In close cooperation with your in-house and external legal and compliance experts, map out which locale- and industry-specific as well as trade, tax, or employment laws apply to you – and don’t stop there. Be mindful of potential contractual and business needs that might affect data retention requirements.

3. See your data for what it is

Not all data is created equal. More specifically, not every piece of information collected should be kept, and not all information kept should be stored for the same period of time, CIO Insight’s Lansford Roberts advises. Know and classify what type of data your organization collects and should retain to make your policy effective, compliant, and cost-efficient.

4. Get your retention periods right

Under GDPR, data retention periods can be defined by the organizations themselves, based on whatever grounds they see fit – as long as timeframes are documented and justified. Meaning that you can’t hold on to personal data “just in case.” But you can decide to keep a customer’s relevant personal data even after your relationship has ended to defend a potential legal claim.

5. Backup vs. archive: know the difference

Archiving is the process of moving data that is no longer actively used to a separate storage space for long-term retention, including data that the organization might need for future reference or for regulatory compliance. A word to the wise: archived data should not be treated as backup data, which is a disaster recovery, not a space management function.

6. Delete, delete, delete (for real)

At the end of its lifecycle, data that is no longer in use or past its retention period should be deleted or anonymized. In the case of deletion, all copies of the data should be removed from both live and backup systems, servers, and databases. When anonymized, data is stripped of all references to the original data subject in a way that their identity can’t be recovered.

7. Keep it clear and simple

What’s better than one data retention policy? You’ve guessed it. Once you’re done writing a formal document to meet regulatory mandates, TechTarget suggests, it’s a good idea to write a second version for staff and customers. One that’s written in simple, jargon-free language that makes the policy easier to understand – and adhere to – for a wider audience.

Keep your files and archives safe and organized with Tresorit’s end-to-end encrypted online storage and backup solution. See how we’ve helped a Nobel Peace Prize nominee humanitarian organization find a secure place to store HIPAA-protected, sensitive medical information.