A data retention policy is the first step in helping protect
an organization’s data and avoid financial, civil and criminal penalties that
increasingly accompany poor data management practices. Local, state, federal
and international laws and industry regulations not only specify the types of
data organizations and businesses must retain, legislation and industry
guidelines also dictate how long specific types of data must be maintained and
even the manner in which the data is to be stored. But legal considerations
aren’t the only reason to develop and implement strong data retention
practices.

Data retention policies

Data retention policies form an important foundation for
helping manage an organization’s data. In addition to paper documentation,
corporations increasingly are creating and relying upon large streams of
electronic information that often aren’t cataloged or stored in traditional
filing systems. Capturing customer correspondence, accounting records,
financial and sales data, electronic communications and other digital business
information is critical in helping ensure organization’s not only remain in
compliance with legislative requirements and industry regulations, but also
that organization’s possess sufficient data backups necessary for recovering
from catastrophes. Without strong data retention policies, organizations may
find it impossible to resume operations following a disaster.

Developing an effective data retention policy requires
dedicated research and the assistance of a qualified legal representative. The
varied and bewildering number of local, state, federal and international laws,
combined with numerous industry restrictions, essentially requires that you
work closely with legal counsel to ensure compliance with all laws, regulations
and requirements applicable to your organization. For example, the Health
Insurance Portability and Accounting Act of 1996 (HIPAA), the
Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and Securities
and Exchange Commission rules 17a-3 and 17a-4 all place restrictions on the
manner in which data is retained.

Whether you’re responsible for fulfilling information
technology responsibilities for a publicly traded company, a nonprofit, an
educational institution, a medical facility, a financial services firm, a small
business, a private partnership or even a franchise operation, a number of data
retention restrictions likely apply to your business. From customer and client
data to patient records, organizations face an increasing number of data
retention requirements. The following are the types of information, records and
data that should be covered by every organization’s data retention policy:

  • Electronic
    communications
  • Business,
    client, agent and supplier correspondence
  • Documents
  • Spreadsheets
  • Databases
  • Customer
    records
  • Employee
    records
  • Supplier
    and partner information
  • Transactional
    data
  • Contracts
  • Sales,
    invoice and billing information
  • Accounting,
    banking, finance, earnings and tax data
  • Health
    care, medical and patient information
  • Student
    and educational data
  • Other
    data produced and collected in fulfilling business activities

All data retention policies should describe the types of
data the organization must retain, the length of time the data should be stored
and the format in which such data should be stored. Easily overlooked, another
element data retention policies should cover is instructions describing which
organization representatives are authorized to delete data. In addition, data
retention policies should state that a specific information technology staff
member should be responsible for confirming all organization data is properly
destroyed before disposing of organization equipment.

The policy should clearly describe those individuals and
employees covered by the policy, as well as the procedures that are to be
followed in the event of a breach. Effective data retention policies must also
describe the penalties that result from violations and require all covered
parties to sign documentation attesting they understand the policy and pledge
to uphold its tenets.

Policies must also state clearly that no organization
officer, employee or other representative is to modify, delete or destroy any
data in violation of local, state, federal, international or industry
regulation.

Once such policies are drafted, implemented and signed, an
organization’s work is just beginning. Information technology departments must
lead the effort of policing the policy. Only policies that are actively
monitored and enforced prove successful.

Just implementing a policy doesn’t ensure an organization’s
data retention practices change. Instead, the organization must work to ensure
new routines, practices and systems are adopted to make proper data retention
procedures habitual as opposed to exceptional.

Add the following blurb highlighted at the end including a link to 6071339

You can quickly implement a data retention policy in your organization by
downloading TechRepublic’s Data Retention Policy. Included you’ll find a
risk assessment spreadsheet that will help you determine the importance
of such a policy to your organization’s security along with a basic
policy that you can use and modify. You can purchase it from the
TechRepublic Catalog or download it for free as part of your
TechRepublic Pro membership.