“Data retention” is now everyone’s concern, and its scope goes far beyond what data to retain and for how long.
Not long ago, data retention programs were the province of a handful of specialists in the legal and compliance departments. Organizations knew they had to retain certain documents for a specified number of years to meet legal and regulatory obligations and that was about it.
The situation is completely different today. New legal and business requirements mean that a cross-functional team is needed to create and enforce data retention policies, and the CIO and CISO must help align those policies with organization-wide initiatives.
Many large enterprises are appointing a full-time or part-time Data Protection Officer (DPO) to comply with the EU’s General Data Protection Regulation (GDPR).
Why the dramatic change? Driving factors include:
- The rising tide of legal and regulatory requirements for preserving documents and files of many kinds.
- The growing awareness that data retention is a cybersecurity issue: erasing data the business no longer needs reduces the likelihood that it can be stolen by cybercriminals and hacktivists.
- Privacy legislation and changing public expectations about privacy, which place choices about information retention and erasure in the hands of customers and other third parties outside the organization.
This guide is designed to help organizations wrestling with these challenges. It answers key questions about data retention policies and programs such as:
- How does the concept of “data lifecycle” help you shape data retention and protection policies?
- Why is data erasure suddenly so important, and why are so many organizations weak in this area?
- Who should be on the team to build a data retention policy and how should it be enforced?
Chapters at a Glance
Chapter 1, “Data Retention: A Critical Part of Security,” discusses the meaning of “data retention” and describes why it is a cross-functional program.
Chapter 2, “What You Need to Keep: Data Retention and Protection,” lists reasons why data needs to be retained and outlines how this data should be protected over its lifecycle.
Chapter 3, “What You Can’t Afford to Keep: Data Erasure and Privacy,” describes why and when data should be erased, as well as weaknesses in common data erasure methods.
Chapter 4, “How to Build a Data Retention Program and Enforce Policies,” discusses the content of data retention policies and how to enforce them.
Chapter 5, “Selecting the Right Partners,” provides criteria for choosing data retention and data erasure technology partners.
Data Retention: A Critical Part of Security
“Data Retention” is About Much More than What to Keep
In the good old days, most organizations had a fairly simple conceptual view of data retention (Figure 1-1). A limited set of electronic and hard copy documents and files had to be retained for a specified period of time (or, in special cases, indefinitely).
These documents and files had to be identified, protected and monitored for the designated period and then destroyed. Everything else was outside the purview of the data retention program and was handled according to the data management practices of individual employees and of hundreds of different applications.
Of course, the reality was more complex and implementation could be demanding. Still, most CIOs felt comfortable leaving data retention policy creation and enforcement in the hands of a few legal and compliance experts, or perhaps a consultant.
Today, a “data retention” program must be about much more than retention (Figure 1-2). As before, some documents and files must be retained and protected for specified periods. But organizations also need to think systematically about which items should be retained and which should be erased, even where there is no absolute legal or business requirement either way. And today there are more reasons why many more items must be erased.
Organizations also need to create policies and processes that handle documents and files appropriately as they migrate across categories. As files reach the end of required retention periods, should they be retained longer or erased immediately? For sensitive documents with no statutory retention period, how long should they be retained and when should they be erased? How should the organization handle requests from third parties like customers to delete personal information?
A data retention program also needs to verify that its intentions are actually carried out. Are all sensitive files really destroyed beyond recovery when servers and personal computers are discarded or sold? If customers ask to be “forgotten,” is their information actually erased everywhere it has been stored, including backups, replicas and copies held by third parties?
We will be looking at these issues in Chapters 2 and 3. Organizations are taking a broader view of data retention programs because they realize the programs can have a major impact on data security and on meeting customer (and government) expectations about privacy.
From the perspective of cybersecurity, to state the matter plainly: information that has been erased can’t be stolen and sold by hackers, and can’t be used against the organization by hacktivists, hostile lawyers or anyone else. The possible business value of storing data indefinitely must be weighed against the risk of losing control of it.
Activities: Classification, Monitoring and Enforcement
Data retention programs involve several major tasks. The first set of tasks revolves around determining legal, regulatory, business and security requirements, and creating policies that address them.
There is also a range of day-to-day activities: classifying documents and files, monitoring their use and storage, and enforcing policies for archiving and destruction. Documenting compliance with regulations and standards is also important. We will examine these topics in Chapter 4.
Data Retention is a Team Sport
Defining data retention policies involves deciding what information must be retained (for legal, regulatory and business reasons), what information should be retained (typically for business reasons), what information should be erased (typically because of security and risk issues) and what information must be erased (primarily for privacy and security reasons). Implementing data retention policies requires knowledge of technologies and processes for storing, archiving and destroying data.
The wide range of knowledge and skills involved means that data retention programs must be a team sport, with participation by legal and compliance experts and line-of-business managers as well as IT and security staff. Third parties can also play an important role; for example, consultants and IT asset disposition (ITAD) firms offer tools and services for “erasing” data on devices you are selling or discarding.
Upper management guidance and support are also critical to the success of data retention programs, both to keep processes on track and to arbitrate the inevitable conflicts between wanting to save data “just in case” and wanting to destroy it to minimize the impact of a possible data breach. Some organizations appoint a Data Protection Officer (DPO) to provide these management functions.