“Data retention” is now everyone’s concern, and its scope goes far beyond what data to retain and for how long. Not long ago, data retention programs were the province of a handful of specialists in the legal and compliance departments. Organizations knew they had to retain certain documents for a specified number of years.
The situation is completely different today. The CIO and CISO must help align data retention policies with organization-wide initiatives. Many large enterprises are appointing a full-time or part-time Data Protection Officer (DPO) to comply with the EU’s General Data Protection Regulation (GDPR).
Organizations need to think systematically about which items should be retained and which should be erased, even when there is no absolute legal or business requirement to do so. Today there are also reasons why many more items must be erased. Organizations also need to create policies and processes that handle documents and files appropriately as they migrate across
Organizations are taking a broader view of data retention programs because they have realized that the programs can have a major impact on data security and on meeting customer expectations about privacy.
Data retention programs involve several major tasks.
- The first set of tasks revolves around determining legal, regulatory, business and security issues and requirements, and creating policies that address them.
- There is also a range of day-to-day activities that involve classifying documents and files and monitoring their use and storage.
- Documenting compliance with regulations and standards is also important.
Implementing data retention policies requires knowledge of technologies and processes for storing, archiving and destroying data.
- Many organizations are bound by agreements with customers, suppliers and other third parties to retain documents. These sometimes include sales records, warranty and service records, design documents and legal documents, among many other types of records.
- Organizations have a legal obligation to protect documents that are reasonably likely to be relevant to future litigation. Once litigation has commenced, they must prevent the destruction of any information that is likely to lead to the discovery of admissible evidence.
Today, organizations need well-designed programs and policies to deal with regulations mandating that specific document types be held for set periods, to address critical privacy issues, and to reduce the cost of potential data breaches.