A data retention policy is the first step in helping protect an organization's data and in avoiding the financial, civil and criminal penalties that increasingly accompany poor data management practices. Local, state, federal and international laws and industry regulations not only specify the types of data organizations and businesses must retain; they also dictate how long specific types of data must be maintained and even the manner in which the data is to be stored. But legal considerations aren't the only reason to develop and implement strong data retention practices.
Data retention policies
Data retention policies form an important foundation for managing an organization's data. In addition to paper documentation, corporations increasingly create and rely upon large streams of electronic information that often aren't cataloged or stored in traditional filing systems. Capturing customer correspondence, accounting records, financial and sales data, electronic communications and other digital business information is critical to ensuring that organizations not only remain in compliance with legislative requirements and industry regulations, but also possess the data backups necessary for recovering from catastrophes. Without strong data retention policies, organizations may find it impossible to resume operations following a disaster.
Developing an effective data retention policy requires dedicated research and the assistance of a qualified legal representative. The varied and bewildering number of local, state, federal and international laws, combined with numerous industry restrictions, essentially requires that you work closely with legal counsel to ensure compliance with all laws, regulations and requirements applicable to your organization. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and Securities and Exchange Commission rules 17a-3 and 17a-4 all place restrictions on the manner in which data is retained.
Whether you handle information technology responsibilities for a publicly traded company, a nonprofit, an educational institution, a medical facility, a financial services firm, a small business, a private partnership or even a franchise operation, a number of data retention restrictions likely apply to your business. From customer and client data to patient records, organizations face an increasing number of data retention requirements. The following are the types of information, records and data that should be covered by every organization's data retention policy:
- Electronic communications
- Business, client, agent and supplier correspondence
- Customer records
- Employee records
- Supplier and partner information
- Transactional data
- Sales, invoice and billing information
- Accounting, banking, finance, earnings and tax data
- Health care, medical and patient information
- Student and educational data
- Other data produced and collected in fulfilling business activities
All data retention policies should describe the types of data the organization must retain, the length of time the data should be stored and the format in which such data should be stored. Another element that is easily overlooked is a statement of which organization representatives are authorized to delete data. In addition, data retention policies should designate a specific information technology staff member who is responsible for confirming that all organization data is properly destroyed before organization equipment is disposed of.
The policy should clearly describe those individuals and employees covered by the policy, as well as the procedures that are to be followed in the event of a breach. Effective data retention policies must also describe the penalties that result from violations and require all covered parties to sign documentation attesting they understand the policy and pledge to uphold its tenets.
Policies must also state clearly that no organization officer, employee or other representative is to modify, delete or destroy any data in violation of local, state, federal, international or industry regulation.
Once such policies are drafted, implemented and signed, an organization's work is just beginning. Information technology departments must lead the effort of policing the policy. Only policies that are actively monitored and enforced prove successful.
Just implementing a policy doesn't ensure an organization's data retention practices change. Instead, the organization must work to ensure new routines, practices and systems are adopted to make proper data retention procedures habitual as opposed to exceptional.
You can quickly implement a data retention policy in your organization by downloading TechRepublic's Data Retention Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of such a policy to your organization's security, along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.