Build an Effective Data Retention Program

Treat the data risks that will derail your retention schedule

Analyst Perspective

Overcome retention challenges by identifying and treating high-risk data types.

Data retention is a challenge for many organizations. Ideally, we would be able to fully automate our retention and deletion of records and never think about it again. But even organizations that do data retention well are often forced to use some semi-automated or manual processes to adhere to their retention schedules. In other words, there is no perfect solution to resolve data-retention challenges once and for all.

However, by identifying the data types and processes which are most prone to failure (i.e. those that cannot be fully automated), we can explore options to reduce that risk as much as possible and make those remaining manual and semi-automated processes more manageable. By prioritizing our high-risk data flows, we will be able to work more efficiently and determine which data repositories need the most oversight.

	Logan Rohde Senior Research Analyst, Security Info-Tech Research Group
	Alan Tang Principal Research Director, Security Info-Tech Research Group
	Isabelle Hertanto Principal Research Director, Security Info-Tech Research Group

Build an Effective Data Retention Program

Treat the data risks that will derail your retention schedule

EXECUTIVE BRIEF

Executive Summary

Info-Tech Insight

Focus your efforts on data with the highest risk levels, and work towards implementing an automated process. Manual efforts will always carry the most risk.

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Lack of visibility into data flows
• No established system to classify data by type and sensitivity
• Need to satisfy multiple (conflicting) regulations
• No way to determine the retention-related risk of data repositories
• Administrative overhead in managing a manual data-deletion process

Organizations must manage impossibly high volumes of data dispersed across multiple internal and external repositories, making it difficult to maintain visibility and control over data flows and retention obligations.

42.5% — Annual increase in data volume for organizations.

70% — Percentage of data distributed across edge and cloud repositories. (Source: Seagate, 2020)

Info-Tech’s methodology to build an effective data retention program

The greatest risks will be in data repositories without automation

Prioritize the riskiest data

Focus your efforts on data with the highest risk levels, and work towards implementing an automated process; manual efforts will always carry the most risk.

Link retention to governance

Successful data retention is closely linked with security governance, compliance, and data classification. Without these guardrails, most organizations struggle to establish a reliable data retention schedule.

Retention schedules do not delete data on their own

A retention schedule is necessary, but having one won’t ensure retention-related risks are managed effectively. Rather, the key lies in identifying risky data processes, types, and repositories, and finding solutions to lower those risks.

Not everything is automatable

Some manual deletion should be expected. Very few retention programs run on automation alone. Manual deletion is manageable provided we have a plan to deal with it.

Two kinds of regulation

Identify conflicts in your obligations. Some regulations and laws dictate that data must be retained, while others demand that data be deleted once it is no longer in active use. You may have to make a judgment call regarding the most appropriate retention period. This should be done in conjunction with your legal counsel.

Find your data’s first instance

Establish a single source of truth for your data. This will allow you to go to the source and delete the first instance of the data (as per your retention schedule), and then plan to purge the secondary, tertiary, etc. instances on a regular basis.

Blueprint benefits

Measure the value of this blueprint

Info-Tech Project Value

Info-Tech offers various levels of support to best suit your needs

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 8 calls over the course of 1 to 3 months.

What does a typical GI on this topic look like?

Build an Effective Data Retention Program

Phase 1

Set your governance requirements

This phase will walk you through the following activities:

• Identify and document data retention laws and regulations
• Identify data types and sensitive data
• Identify data repositories
• Develop a data retention policy
• Determine roles and responsibilities

Outcomes of this phase

• Awareness of applicable laws and regulations
• Understanding of the relevant data classifications and data types
• Knowledge of all data repositories and locations
• Formalized data retention policy
• Consensus of individual accountabilities and responsibilities for data retention across the organization

1.1 Identify and document data retention laws and regulations

Input: Ask participants to identify and document applicable data retention laws and regulations. Identify relevant retention requirements from the laws and regulations.

Output: Documented list of data retention laws, regulations and relevant requirements

Materials: Whiteboard/flip charts, Sticky notes, Pen/marker

Participants: IT representative, Security officer, Privacy officer, Legal counsel, Senior management team (optional), Business representative (optional)

1. Bring together relevant stakeholders from the organization. This can include those mentioned in the participants list.
2. Identify applicable laws and regulations.
3. Identify articles that set forth data retention requirements.
4. Identify data types that are regulated by the laws.
5. Identify the specific data retention requirements.
6. Document all the information above in the table below.

Data retention laws and regulations

• Determine which laws or regulations you are currently subject to or will be obligated to comply with in the future. If you are not subject to anything now, align your target-state compliance objectives with the most restrictive regulation currently in place. This will set you up to handle any new laws passed in your jurisdiction.
• Consider planned expansion into new markets and how data sovereignty or data residency laws influence data retention rules.
• Review your privacy program to identify the laws or regulations that dictate how data containing personally identifiable information (PII) should be retained or deleted.

Info-Tech Insight

Beware of conflicts in your obligations. Some regulations and laws dictate that data must be retained, while others demand that data be deleted once it is no longer in active use. You may have to make a judgment call regarding what the right retention period is. This should be done in conjunction with your legal counsel.

Examples of laws that set forth requirements for data retention

An organization must not retain personal information for a period longer than necessary to fulfil the purposes described in the notice or to comply with applicable laws.

1.2 Identify data types and sensitive data

1 hour

Input: Ask participants to identify data types within the organization. Ask participants to identify personal data. Ask participants to document data sensitivity and classification level (optional).

Output: Documented data types, personal data, data sensitivity and classification level (optional)

Materials: Whiteboard/flip charts, Sticky notes, Pen/marker

Participants: IT representative, Security officer, Privacy officer, Legal counsel, Senior management team (optional), Business representative (optional)

1. Bring together relevant stakeholders from the organization. This can include those mentioned in the participants list.
2. Identify and document data types within the organization.
3. Identify and document types of personal data.
4. Identify and document data sensitivity and classification level (optional).
5. Document all the information above in the Data Retention Schedule and Risk Identification Tool.

Download the Data Retention Schedule and Risk Identification Tool

Data types and sensitive data

• Identifying data types will help you organize your data in groups for which general retention periods can be determined, allowing you to deal with larger chunks of data rather than individual records. These groups should be formed based on similarity of content and policy requirements (e.g. the data must be held for the minimum period).
• Data sensitivity will factor into decisions around how long a given data type should be retained, as well as the level of protection it will need while it is retained. Remember, certain types of data, like intellectual property, will need to be retained indefinitely. But these data types are also highly sensitive and will always require a higher degree of protection.
• Personal data retention is an integral part of the overall data retention program.
• Draw from your data classification scheme and use your predefined record types and data sensitivity levels to set retention requirements for the retention schedule.
• Draw from your information security and privacy programs to help you quickly identify PII and other risky data more quickly.

Info-Tech Insight

Mistakes do happen. Be sure to review the records within each data type to ensure no important legal or regulatory stipulations will interfere with your plans to treat all this data the same.

Personal data retention is part of the overall data retention program