Your business data is the lifeblood of your organization. Its transmittal governs how you conduct business, its security helps establish stakeholder confidence, and its analysis helps improve processes. Yet data retention is something that’s often overlooked.
Corporate data storage and retention policies found not to be in line with accepted auditing standards and regulatory requirements can be punished by fines, executive accountability, and possible litigation.
Why Do You Need a Data Retention Policy?
- Liability Protection – A data retention policy is a key step in managing and protecting an organization’s important data to avoid any civil, criminal and financial penalties that sometimes result from poor data management practices.
- Regulatory Compliance – Local, state, federal and international policies, rules, statutes and laws, as well as industry-imposed regulations, specify the types of data that businesses must retain. Additionally, these bodies set the length of time that specific types of data must be retained and maintained, along with the way in which that data is stored.
- Keep Retained Data Updated – Regularly reviewing your data retention policy allows you to clean house and remove duplicated and outdated files to avoid confusion and expedite any necessary searches.
- Save on Storage Space – If you store your own data, you can always use the extra storage space to make room for new files. Alternatively, if you have moved your data to a cloud storage provider, you can help keep costs lower by cleaning up your data before migration or while already in cloud storage if you discover duplicates.
Data Retention Regulations
One year is a commonly agreed-upon standard for long retention and meets most regulations. Depending on the industry in which you operate, however, a number of established standards govern the retention of business data. Those frameworks and their respective data retention standards are listed below.
FISMA Data Retention Requirements – 3 Years
Archiving practices are an important measure in fully complying with FISMA regulations. FISMA requires data retention for a minimum of three years.
ISO 27001 Data Retention Requirements – 3 years
The ISO 27001 compliance framework requires organizations to retain data logs for a minimum of three years. It’s an important step to manage and secure sensitive data and avoid penalties that may arise from poor data handling.
NERC Data Retention Requirements – 3 to 6 Years
In 2011, the Compliance Monitoring and Enforcement Program (CMEP) clarified National Energy Commission (NERC) Rules of Procedure related to data retention requirements. It instructs entities to keep the data needed to demonstrate compliance with NERC Reliability Standards for an entire compliance verification period. This means they must retain the current, in-force version of a policy, plan, procedure, or other document for the entire three- to six-year auditing period.
Basel II Data Retention Requirements – 3 to 7 Years
SOX Retention Requirements – 7 Years
The Sarbanes-Oxley Act of 2002 (SOX) was modified in 2003 to require relevant auditing and review documents to be retained for seven years after the audit or review of the financial statements is concluded.
HIPAA Data Retention Requirements – 6 Years
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to keep HIPAA-related documents for a minimum of six years from when the document was created. In the case of policies, the requirement is six years from the date the policy was last in effect. This applies to “policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment” (CFR §164.316(b)(1) and (2)), and it includes HIPAA audit logs.
The Privacy Rule does not specifically stipulate how long medical records should be retained. Covered entities and business associates (BAs) must refer to the state laws governing the retention of medical records.
NISPOM Data Retention Requirements – 6 to 12 Months
According to the National Industrial Security Program Operating Manual (NISPOM), contractors should return data upon completion of the contract unless the material has been declassified. At most, classified material received or generated under a contract can be retained for 2 years unless directed otherwise. Classified information that is no longer needed should be processed for disposal.
PCI Data Retention Requirements – Variable
Organizations that fall under the Payment Card Industry Data Security Standard (PCI-DSS) are allowed to set their own requirements at the corporate level, yet are also required to submit annual statements for audit.
NIST Data Retention Requirements – Undefined
While NIST outlines fundamental security requirements, it does not directly specify the duration for retaining logs. As a result, it is advisable for contractors to adhere to the requirements dictated by their respective agencies as part of best practices.
SOC 2 Data Retention Requirements – Undefined
Although SOC 2 compliance does not specifically mandate data retention periods, it does require organizations to manage data retention for certain types of information properly. Criteria related to confidentiality and privacy (P4.2) necessitate the consideration of data retention. According to the AICPA 2017 Trust Service Criteria, organizations must have procedures in place to:
- Identify and designate confidential information and determine its retention period.
- Protect confidential information from erasure or destruction during the specified retention period.
- Identify confidential information requiring destruction when the retention period ends.
- Erase or destroy the identified confidential information.
- Retain personal information only as long as necessary to fulfill the stated purposes (unless required otherwise by law or regulation).
- Protect personal information from erasure or destruction during its specified retention period.
To support these criteria in their SOC 2 report, organizations need to demonstrate they have established processes and procedures for classifying, retaining, and deleting confidential and/or personal information.
How to Create a Data Retention Policy
Whether you’re a federal agency that falls under FISMA or a financial institution that models your policies after GLBA and/or Basel II guidelines, standards experts agree that you should continually assess your data retention policy. Review should consider the potential for an external audit of that policy, internal controls that mandate the deletion of data over time, and your need to expand your archival capacity and storage infrastructure.
An organization’s data retention policy defines how long data should be stored and managed and how to dispose of it when it is no longer needed. Typically, a data retention policy should include the following:
- Which data needs to be retained
- How the data should be stored
- How long to store the data
- Who should authorize data disposal
- The method of data disposal (archival or deletion)
- An estimate of long-term data management costs
Data Retention Best Practices
Increasingly, organizations are turning to security information and event management (SIEM) software to handle the archiving of their data. SIEM products typically operate on at least two servers: one analyzes the information recorded in data logs, and the other stores it.
While there are no set standards regarding the structure of SIEM systems, almost all SIEM products are designed with the same purposes: to protect the integrity, confidentiality and availability of business data. Thus, they offer a number of unique benefits over other data storage solutions. Advantages include support for multiple data sources (e.g., operating systems, application servers, and security software), incident tracking and reporting capabilities, and graphical user interfaces designed to query archived data related to a particular problem or issue.
Given the value that your business data has both now and in the future, combined with the potential penalties for non-compliance with data retention standards, you really can’t afford not to monitor long-term storage. At the same time, you don’t want to stress the limits of your network infrastructure by continuing to store irrelevant and obsolete information.
Carry out diligent groundwork before creating the policy.
You need to understand the legal and regulatory requirements, legal obligations, business context, and organizational culture to define the objectives of the data retention policy. A few regulatory bodies and acts that determine certain data retention durations and the conditions of data removal include:
- The Health Insurance Portability and Accountability Act (HIPAA) is related to the healthcare industry and applies to healthcare organizations and any business that works with those organizations.
- The Sarbanes-Oxley Act (SOX) has its own provisions related to the financial industry.
- The Internal Revenue Service (IRS) applies to every type of business in any location of the United States.
- The Children’s Online Privacy Protection Act (COPPA) is another act that applies to all businesses in the United States.
- The EU’s General Data Protection Regulation (GDPR) applies to any company that does business with a resident of one of the EU’s 28 member states.
This step alone is why it is essential to make sure your data retention policy development team includes a legal expert and your accounting team to thoroughly research any relevant laws, policies, and regulations germane to your industry and location.
Involve the right people in policy creation.
Since enforcing the data retention policy requires participation from all stakeholders, involving them during the policy creation stage makes sense. Also, taking input from multiple important sources, such as legal counsel, the accounting and finance teams, and department heads, will help you create a comprehensive data retention policy. Not only do you want to include your legal team and accounting professionals, but you also want to make sure you include diverse voices within your company who may also hold a stake in the various data in your systems. While your instinct may default to “delete,” your accounting manager may hold valid—if not critically important—reasons for retaining certain records.
Key team members to add to your data retention policy development team include:
- Staff members responsible for data retention settings
- In-house legal counsel
- Departmental managers and supervisors
- Anyone who receives and manages financial reports
- Anyone who
Take into account multiple departments or different types of data.
If your organization has multiple departments, your data retention policy should consider all departments while defining a data retention schedule. The same goes for multiple types of data. It might not be possible to have the same data retention schedule for all data across all departments. Here, it might be helpful to create different policies for different departments or for different types of data.
Define the data covered by the policy.
Regardless of your industry or location, there are some general types of data that you must include within your data retention policy, including:
- Emails and other electronic documents
- Customer records
- Transactional information
- Correspondence between staff and clients, agents, vendors, shareholders and the public
- Supplier and partner data
- Employee records
- Sales, invoice, and billing information
- Tax and accounting documentation
- Financial reports
- Healthcare and patient data
- Student and educational data
- Any other data produced, collected, and maintained in the fulfillment of regular business activities
Avoid holding on to data longer than required.
To avoid deleting crucial data, it may be tempting to hold on to everything. But having too much data will slow down your systems, and the more data you hold, the greater your exposure in a data breach.
Make the data retention policy transparent.
Stakeholders such as customers and subscribers should be informed of your data retention policy when they choose to share their information with you. Where possible, they should also have some control over how their data is stored and retained.
Ensure all employees understand the company’s data retention policy.
Beta News reported the results of a Harris Poll indicating that 63% of employees do not believe their companies have email retention policies. Further, even when employees did know that the company had data retention policies, they weren’t aware of what those policies were. You do not want this scenario for your organization.
You definitely want to keep your employees in the loop when it comes to data retention. You may find it helpful to invite a few employee ambassadors to join occasional data retention policy meetings while you and the rest of the team develop the policy, so they can gain a deeper understanding of the reasons behind various aspects of the policy.
Professional Guidance Is Available
I.S. Partners, LLC can help your company to find a happy medium. Our advanced knowledge of both corporate and governmental auditing standards can assist in identifying the data retention requirements that apply to your organization. We ensure that your data retention policy is both relevant to your industry and effective for successful external audits. Contact our team to learn more.