Today's organizations describe their data retention policy as a key element of their data privacy strategy. Whatever the sector – healthcare, financial services, insurance, government, retail, telecommunications, or education – the data these organizations hold is a valuable information asset that malicious actors can – and will – steal given the opportunity.
With the exponential growth in data collection across organizations and industries, it is not surprising that creating, monitoring and enforcing a strict data retention policy is vital. However, because of digital acceleration, the changing threat landscape, and the growing number of global privacy laws and regulations, it is a real challenge for any organization to know which data it needs to retain and for how long.
Here we look at best practices for data retention and how following them can help your organization achieve and enforce a more compliant and controlled data retention policy that integrates with your corporate business strategy.
Data Retention Schedule Explained
A data retention schedule should contain the following elements:
- Company function
- Data category
- Data sub-category
- The statutory minimum period for retention
- The date or event from which the retention period begins
- The legal reference that sets the statutory minimum period
- The company-justified retention period (never shorter than the statutory minimum)
Once the schedule is complete, a stakeholder must be identified within each function, and the function's team is trained on the policy and how to execute it. A reference to the retention period should be included in the record of processing activities (ROPA).
When following best practices for data retention, companies should obtain the correct regulatory retention periods from regulatory compliance specialists, who can determine which legal requirements for data retention apply to their organization.
Remember, the statutory periods are minimums: a company can retain data beyond the minimum if it can justify doing so, but never for less than the statutory period.
Because the law changes, the schedule should be reviewed at least once a year, and whenever relevant legislation is enacted between reviews. An audit of both physical and digital data assets should be carried out annually.
Classifying company data is a best practice for data retention because retention is never a one-size-fits-all exercise: different kinds of data warrant different retention periods. Many record-keeping frameworks and laws have specific requirements that encourage organizations to adopt data classification.
Execute The Data Deletion Process
Many organizations fail to execute the data deletion process because employees and stakeholders believe data should be kept beyond the statutory period in case it is needed in the future. This reasoning could not be further from the truth. If you fail to execute the data deletion process, you expose the company to:
- An increased chance of a serious data breach or security incident
- Customer and employee data being at greater risk of exposure in a breach
- An increased chance of a large fine from the data protection authority of the relevant jurisdiction
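The following is an added example, not code from the original article or any product it describes, showing how the schedule elements listed above can be turned into an enforceable deletion check: each rule carries a statutory minimum and a company-justified period (the check refuses a schedule where the company period is below the statutory minimum), and each record is classified as due for deletion, still to be retained, or "unscheduled" (no rule covers it, which is a gap to fix rather than a reason to delete or keep it silently). All rules, records, law references and dates are constructed placeholders.

```python
"""Retention schedule enforcement check (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    function: str             # company function that owns the data
    category: str             # data category
    subcategory: str          # data sub-category
    trigger: str              # event from which the retention period is counted
    statutory_min_years: int  # statutory minimum retention period
    law_reference: str        # citation for that minimum (placeholder here)
    company_years: int        # company-justified period, must be >= statutory


@dataclass(frozen=True)
class Record:
    record_id: str
    function: str
    category: str
    subcategory: str
    trigger_date: date        # date the retention period began for this record


def rule_problem(rule: RetentionRule) -> Optional[str]:
    """Return why a rule is invalid, or None if it passes the sanity checks."""
    if rule.statutory_min_years < 0 or rule.company_years < 0:
        return "negative retention period"
    if rule.company_years < rule.statutory_min_years:
        return (f"company period {rule.company_years}y is below the statutory "
                f"minimum {rule.statutory_min_years}y ({rule.law_reference})")
    return None


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def find_rule(schedule: List[RetentionRule], rec: Record) -> Optional[RetentionRule]:
    """Match a record to the schedule on function / category / sub-category."""
    key = (rec.function, rec.category, rec.subcategory)
    for rule in schedule:
        if (rule.function, rule.category, rule.subcategory) == key:
            return rule
    return None


def classify_records(schedule: List[RetentionRule], records: List[Record],
                     today: date) -> Dict[str, List[str]]:
    """Sort record ids into delete / retain / unscheduled buckets as of `today`."""
    problems = [p for p in (rule_problem(r) for r in schedule) if p]
    if problems:  # never run deletion against a schedule that breaks the law
        raise ValueError("invalid retention schedule: " + "; ".join(problems))
    out: Dict[str, List[str]] = {"delete": [], "retain": [], "unscheduled": []}
    for rec in records:
        rule = find_rule(schedule, rec)
        if rule is None:
            out["unscheduled"].append(rec.record_id)
        elif add_years(rec.trigger_date, rule.company_years) <= today:
            out["delete"].append(rec.record_id)
        else:
            out["retain"].append(rec.record_id)
    return out


# Constructed sample schedule and records (placeholders, not real references).
SCHEDULE = [
    RetentionRule("HR", "Employee records", "Payroll", "end of employment",
                  statutory_min_years=6, law_reference="placeholder statute ref",
                  company_years=7),
]
RECORDS = [
    Record("HR-0001", "HR", "Employee records", "Payroll", date(2015, 3, 31)),
    Record("HR-0002", "HR", "Employee records", "Payroll", date(2020, 1, 15)),
    Record("MK-0001", "Marketing", "Customer data", "Newsletter", date(2019, 5, 1)),
]
TODAY = date(2024, 6, 1)


def run_example() -> Dict[str, List[str]]:
    return classify_records(SCHEDULE, RECORDS, TODAY)


if __name__ == "__main__":
    for bucket, ids in run_example().items():
        print(f"{bucket}: {ids}")
```

The "unscheduled" bucket is the useful output in practice: it lists data the schedule does not cover, which is exactly what the annual audit should surface.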
If your company collects, stores, or transfers data, now is the ideal time to re-evaluate your data retention policy and, if you have not already done so, put a data retention schedule and framework in place.