3 Data Retention Best Practices

by Sarah Harvey / May 27th, 2019

Today’s organizations rely on data to fuel their business processes. Whether it’s the healthcare, financial services, hospitality, federal government, retail, telecommunications, or education industries, there’s sensitive assets that malicious hackers can – and will – steal.

With the growing amount of data collected by various organizations and industries, it’s no wonder why creating and enforcing a robust data retention policy is necessary. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what data they need to retain and for how long.

Let’s take a look at some data retention best practices and how following them can help your organization establish and enforce a more compliant and useful data retention policy suitable for your organization’s needs.

What is a Data Retention Policy?

A data retention policy is documentation that your organization has created to stipulate when data no longer serves its purpose and should be deleted, or if the data retention period has been met. Implementing a data retention policy begins by knowing what kinds of data your organization holds and then classifying that data.

Data Retention Policies are critical to ensuring all local and federal regulations and retention schedules are being met. This includes retaining data and records for the specified period of time, and also prompt deleting or destroying records once the retention policy is up.

What are Best Practices for a Data Retention and Purging Policy?

1: Identify and classify the data your organization holds

Implementing a robust data retention policy begins by knowing what kinds of data your organization holds and then classifying that data. For healthcare companies, this could be PHI such as patient names, dates of birth, Social Security numbers, medical data, and histories, or prescription information. For financial services organizations, this could be CHD, PINs, credit scores, payment history or loan information.

Classifying data is a best practice for data retention because not all data requires the same retention.  Recognizing this, many frameworks and legal regulations have specific requirements that encourage organizations to classify data. For example, the 2017 SOC 2 Trust Services Criteria requires that service organizations who include the confidentiality category in their audit demonstrate that they identify and maintain confidential information to meet the entity’s objectives related to confidentiality.

For GDPR compliance, organizations that handle the personal data of EU data subjects must classify the types of data they collect in order to comply with the law. Additionally, GDPR categories certain data – race, ethnic origin, political opinions, biometric data, and health data – as “special” and therefore subject to additional protection.  This not only means that organizations need to know what types of data they hold, but they also need to be able to label that data such as public, proprietary, or confidential.

2: Know which legal requirements apply to you

Within the last few years, there’s been a renewed focus placed on data privacy, leading to an increase in new, complex data privacy laws and regulations across the globe that generally include data retention standards. In addition to the mix of regulatory frameworks organizations are already tasked with complying with, organizations may also have contractual and business needs that dictate data retention schedules.

For instance, if an organization has to comply with the data retention standards for GDPR and the PCI DSS, how do they know which data retention requirement to follow if there is a conflict or difference between the two requirements?

This is why when following best practices for data retention, organizations should consult with either internal or external regulatory compliance specialists to determine which legal requirements for data retention apply to their organization.

Best Practices for Data Retention: a cheat sheet for PCI, GDPR, CCPA, HIPAA, FERPA, GBLA, & More

3: Delete data once it is no longer required or after the data retention period has been met

This is a critical best practice for data retention that many organizations fail to follow because they believe that holding onto data longer than required could be more secure than deleting it and needing it later. However, this misconception couldn’t be further from the truth.

Holding onto data longer than required by law or longer than needed for use can have various ramifications, including but not limited to:

  • Increasing chances of experiencing a data breach or security incident
  • Placing client data at greater risk for being breached
  • Contributing to cluttered hardware and/or software, making it difficult to find data that’s actually needed
  • Expanding the regulatory compliance burden related to data access

Ultimately, in order for an organization to implement an effective data retention policy, data that no longer serves a purpose to the organization or data that has been held for the required retention period should be deleted.

If your organization collects, stores, or transmits data, it might be time to re-evaluate your data retention policy. To learn more about how you can follow and implement these best practices for data retention or find out how KirkpatrickPrice can help you ensure compliance with data retention requirements, contact us today.

More Data Privacy Resources

Privacy vs. Security: What’s the Difference?

Destroying Media When it is No Longer Needed

Are You a Data Controller or Processor?