- New legal and business requirements mean that a cross-functional team is needed to create and enforce data retention policies.
- Many large enterprises are appointing a full-time or part-time Data Protection Officer (DPO) to comply with the EU’s General Data Protection Regulation (GDPR).
- “Data Retention” is about much more than what to keep.
“Data retention” is now everyone’s concern, and its scope goes far beyond what data to retain and for how long. Not long ago, data retention programs were the province of a handful of specialists in the legal and compliance departments. Organizations knew they had to retain certain documents for a specified number of years to meet legal and regulatory obligations, and that was about it.
The situation is completely different today. New legal and business requirements mean that a cross-functional team is needed to create and enforce data retention policies. The CIO and CISO must help align data retention policies with organization-wide initiatives.
Many large enterprises are appointing a full-time or part-time Data Protection Officer (DPO) to comply with the EU’s General Data Protection Regulation (GDPR).
Why the dramatic change? Driving factors include:
- The rising tide of legal and regulatory requirements for preserving documents and files of many kinds.
- The growing awareness that data retention is a cybersecurity issue—that erasing data no longer needed by the business reduces the likelihood that data can be stolen by cybercriminals and hacktivists.
- Privacy legislation and changing public expectations about privacy place choices about information retention and erasure in the hands of customers and third parties outside of the organization.
This guide is designed to help organizations wrestling with these challenges. It answers key questions about data retention policies and programs such as:
- How does the concept of “data lifecycle” help you shape data retention and protection policies?
- Why is data erasure suddenly so important, and why are so many organizations weak in this area?
- Who should be on the team to build a data retention policy and how should it be enforced?
Data Retention: A Critical Part of Security
“Data Retention” is About Much More than What to Keep
In the good old days, most organizations had a conceptual view of data retention that was pretty simple (Figure 1-1). A limited set of electronic and hard copy documents and files had to be retained for a specified period of time (or in special cases, indefinitely). These documents and files had to be identified, protected and monitored for the designated time period and then destroyed. Other documents and data were outside the purview of the data retention program and were handled according to the data management practices of individual employees and hundreds of different applications. Of course, the reality was more complex and implementation could be demanding. However, most CIOs felt comfortable leaving data retention policy creation and enforcement in the hands of a few legal and compliance experts, or perhaps a consultant.
Today, a “data retention” program must be about much more than retention (Figure 1-2). As before, some documents and files must be retained and protected for specified periods. But organizations also need to think systematically about what items should be retained and which items should be erased, even when there is no absolute legal or business requirement. And today there are reasons why many more items must be erased.
Organizations also need to create policies and processes that handle documents and files appropriately as they migrate across categories. As files reach the end of required retention periods, should they be retained longer or erased immediately? For sensitive documents with no statutory retention period, how long should they be retained and when should they be erased? How should the organization handle requests from third parties like customers to delete personal information?
A data retention program also needs to ensure that intentions are carried out effectively. Are all sensitive files really destroyed beyond recovery when servers and personal computers are discarded or sold? If customers ask to be “forgotten,” is their information actually erased everywhere it has been stored?
We will be looking at these issues in Chapters 2 and 3. Organizations are taking a broader view of data retention programs because they realize the programs can have a major impact on data security and on meeting customer (and government) expectations about privacy.
From the perspective of cybersecurity, to state the matter plainly: information that has been erased can’t be stolen and sold by hackers, and can’t be used against the organization by hacktivists, hostile lawyers or anyone else. The possible business value of storing data indefinitely must be weighed against the risk of losing control over it.
Activities: Classification, Monitoring and Enforcement
Data retention programs involve several major tasks. The first set of tasks revolves around determining legal, regulatory, business and security issues and requirements, and creating policies that address them.
But there is also a range of day-to-day activities that involve classifying documents and files, monitoring their use and storage, and enforcing policies for archiving and destruction. Documenting compliance with regulations and standards is also important. We will examine these topics in Chapter 4.
To read the full guide, download the whitepaper: The Ultimate Guide To Data Retention