What is a data retention policy and should you have one?

To collect and process consumers’ sensitive data for day-to-day operations and longer-term business needs, a company needs a data retention policy that complies with, and enforces, the retention requirements set by federal, state, and international data privacy laws.

What is a data retention policy?

A data retention policy states why the company collects sensitive data, how it processes and uses that data, how long it keeps it, and how it disposes of it once it is no longer needed, in line with the regulations that apply.

Beyond regulatory compliance, a retention policy keeps storage repositories clean, organized, and free of outdated information that is a liability rather than an asset: data you no longer hold cannot be exposed in a breach. You save on storage, find data faster, and protect consumers’ sensitive information at the same time.

Essential components of a data retention policy

  1. The policy should state the purposes for collecting and storing each kind of sensitive data, such as payment card information, healthcare records, or other personally identifiable information (PII). Companies that collect several kinds of sensitive data are subject to several regulations at once.
  2. Based on the data it collects, the company must list the applicable regulations and, specifically, their retention requirements: the retention schedule, the security measures that protect the data while it is retained, the destruction procedure once the retention period has passed, and the actions the company takes to enforce the policy, maintain compliance, and respond to a data breach.
  3. A backup copies your sensitive data to a secondary location so it can be restored if a breach or failure corrupts or destroys the primary copy, so the same legal requirements apply to the copy. Restoring from backup is a standard part of incident response, and the policy must therefore cover backups too: how often they are taken and how long each is kept. The sensitivity of the data and your tolerance for loss drive the cadence, which can range from daily to yearly. Daily and weekly backups are typically retained for much shorter periods than monthly or yearly ones, but whatever schedule you choose must be documented. Two points that are easy to miss: backups must be protected at least as well as the live data (encryption, restricted access), and a record deleted from production under the policy is not actually gone until every backup that contains it has also aged out or been purged.
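
The tiered backup schedule described in item 3 is easiest to get right when the "what do we keep, what do we destroy" decision is computed rather than eyeballed. The following planner is an added example, not code from the page or from Spirion; the schedule numbers (7 daily, 4 weekly, 12 monthly, 3 yearly copies), the choice of Sunday and the first of the month as the weekly and monthly copies, and the legal-hold list are assumptions chosen for illustration.

```python
"""Backup retention planner: keep daily/weekly/monthly/yearly copies per a
documented schedule and report which copies may be destroyed.
Added example; schedule values and the legal-hold list are assumptions."""
from datetime import date, timedelta

# Assumed retention schedule (not from the page): tier -> number of newest copies kept.
DEFAULT_SCHEDULE = {"daily": 7, "weekly": 4, "monthly": 12, "yearly": 3}


def _tiers(d: date) -> list[str]:
    """Every tier a backup taken on day d is eligible for (grandfather-father-son rotation)."""
    tiers = ["daily"]
    if d.isoweekday() == 7:          # the Sunday copy doubles as the weekly (assumption)
        tiers.append("weekly")
    if d.day == 1:                   # the first-of-month copy doubles as the monthly
        tiers.append("monthly")
    if d.month == 1 and d.day == 1:  # the New Year's copy doubles as the yearly
        tiers.append("yearly")
    return tiers


def plan_backup_retention(backup_dates, schedule=DEFAULT_SCHEDULE, legal_hold=()):
    """Split ISO-dated backups into (keep, destroy), both sorted ascending.

    A copy is kept while it is among the newest schedule[tier] copies of any
    tier it qualifies for, or while it is under legal hold. Everything else has
    aged out of the documented schedule and should be securely destroyed.
    """
    dates = sorted({date.fromisoformat(s) for s in backup_dates}, reverse=True)
    seen: dict[str, int] = {}
    keep = set()
    for d in dates:                  # newest first, so each tier's quota fills with recent copies
        for t in _tiers(d):
            if seen.get(t, 0) < schedule.get(t, 0):
                keep.add(d)
            seen[t] = seen.get(t, 0) + 1
    # Legal hold overrides the schedule: a held copy is never destroyed.
    held = {date.fromisoformat(s) for s in legal_hold}
    keep.update(d for d in dates if d in held)
    destroy = [d for d in dates if d not in keep]
    return (sorted(d.isoformat() for d in keep),
            sorted(d.isoformat() for d in destroy))


def daily_backup_dates(last_day: str, count: int) -> list[str]:
    """Constructed sample input: `count` consecutive daily backups ending on last_day."""
    end = date.fromisoformat(last_day)
    return [(end - timedelta(days=i)).isoformat() for i in range(count)]


if __name__ == "__main__":
    keep, destroy = plan_backup_retention(daily_backup_dates("2024-03-15", 400),
                                          legal_hold=["2023-06-15"])
    print(f"keep {len(keep)} copies, destroy {len(destroy)}")
    print("kept:", ", ".join(keep))
```

Run against 400 consecutive daily backups ending on a Friday, the planner keeps 22 copies (7 dailies, 3 further Sundays, 12 first-of-month copies including the one that also serves as the yearly) plus any copy under legal hold, and marks the rest for destruction. Feed it the real list of backup dates from your backup system and diff the `destroy` list against what the system actually purged: a mismatch is the stale backup the policy says should not exist.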

How sensitive data dictates data retention policies

By now it is clear how large a role regulations play in shaping a retention policy. To be sure the policy covers all the data your organization holds, and therefore meets every applicable retention requirement, you need thorough, accurate data discovery: scanning every location where data could reside (file shares, databases, endpoints, cloud storage, mailboxes) and identifying what is there. Sensitive data that goes unnoticed is also unprotected and improperly retained, and the resulting noncompliance penalties can be severe.

Let’s take a look at the retention requirements of some of the most stringent regulations.

  • The GDPR, which protects the personal data of individuals in the European Union (it uses the term personal data, which is broader than PII), does not mandate a fixed retention period. Instead, its storage limitation principle requires that data be kept no longer than necessary for the purposes the company has stated for collecting and processing it; once the data is no longer needed for that purpose, it must be erased or anonymized.
  • Likewise, PCI DSS requires that stored cardholder data be kept only as long as there is a business or legal need and then securely deleted, backed by a documented retention policy and a regular process to find and purge data that exceeds it; it sets no fixed window. Sensitive authentication data (full track data, card verification codes, PINs) is the exception: it must not be stored at all after authorization, so no retention window applies to it.
  • The CCPA does not set a retention period for the personal information of California residents itself, but it gives consumers the right to know how their data is used and the right to request its deletion, and the implementing regulations require businesses to keep records of those requests and their responses for at least 24 months. A company that cannot account for what it held, or cannot show that a deletion request was honored, is out of compliance.
  • Finally, FERPA, which protects student education records, also sets no general retention period; retention schedules for student records come from state law and institutional policy. What FERPA does require is that a school keep a record of each request for and disclosure of a student’s education records for as long as it maintains those records, and that it not destroy records while a request to inspect them is pending.

Making the case for automated classification and remediation

With so much data to track, adhering to retention requirements by hand is tedious, time-consuming, and, at enterprise scale, not realistically achievable. That makes the case for automated classification and remediation tools that enforce retention policies efficiently and accurately.

As sensitive data is discovered, automated classification software categorizes it by criteria such as the regulations it falls under, its sensitivity level, and custom parameters such as the retention class your own policy assigns. From there, data can be processed and used only by authorized individuals and only for the purposes stated in your policy; the classification labels are also what access controls and remediation rules key on.

Because classification is granular, automated remediation can then dispose of data according to your policy. Not every policy calls for destruction at the end of the retention window: besides secure deletion, remediation can move outdated sensitive data to an archive location, and it can restore prematurely deleted data from backups when its retention period has not yet ended. Automated remediation can also manage retention and destruction of the backups themselves on schedule, so no stale backup is overlooked and left to put compliance at risk.
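
To make the classify-then-remediate loop of the last two paragraphs concrete, here is an added example (not code from the page or from Spirion) of a minimal policy engine: it classifies records by content (a card-number pattern confirmed with a Luhn checksum, a Social Security number pattern) and by metadata tags, looks up each class in a retention schedule, and decides keep, archive, or delete. The regexes, the retention windows, the class names, the sample records and the legal-hold set are all assumptions constructed for illustration; the test card number 4111 1111 1111 1111 is a well-known non-live number.

```python
"""Classify records for retention and plan remediation (delete / archive / keep).
Added example, not the page's or Spirion's code. The regexes, the retention
schedule and the sample records are assumptions constructed for illustration."""
import re
from datetime import date

# Assumed policy (not from the page): class -> (days kept after last business use,
# action when that window expires).
POLICY = {
    "pan":         (90,      "delete"),   # cardholder data: destroy once no longer needed
    "ssn":         (365 * 7, "archive"),  # e.g. employment records: move to a cold archive
    "dsar_record": (730,     "delete"),   # request/response records kept at least 24 months
}

_PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional space/dash separators
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def classify(text: str, tags=()) -> set[str]:
    """Content-based classes (regex plus checksum) merged with classes asserted by metadata tags."""
    classes = set(tags)
    for m in _PAN_RE.finditer(text):
        # The checksum cuts false positives such as order numbers and phone numbers.
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("pan")
    if _SSN_RE.search(text):
        classes.add("ssn")
    return classes


def plan_remediation(records, today: str, policy=POLICY, legal_hold=frozenset()):
    """Return {record_id: (action, reason)} for each record.

    The strictest applicable class (shortest window) decides when a record
    expires, and that class's action says what happens to it. Records under
    legal hold are never touched, whatever the policy says.
    """
    now = date.fromisoformat(today)
    plan = {}
    for r in records:
        classes = classify(r["text"], r.get("tags", ()))
        windows = [(policy[c][0], policy[c][1], c) for c in classes if c in policy]
        if r["id"] in legal_hold:
            plan[r["id"]] = ("keep", "legal hold")
        elif not windows:
            plan[r["id"]] = ("keep", "no retention window applies")
        else:
            days, action, cls = min(windows)
            age = (now - date.fromisoformat(r["last_used"])).days
            if age > days:
                plan[r["id"]] = (action, f"{cls} expired: {age} days since last use > {days}")
            else:
                plan[r["id"]] = ("keep", f"{cls}: {days - age} days left in retention window")
    return plan


# Constructed sample records (assumption): realistic-looking text with a test card number.
SAMPLE_RECORDS = [
    {"id": "order-1", "text": "Card 4111 1111 1111 1111 charged", "last_used": "2023-10-01"},
    {"id": "order-2", "text": "Card 4111 1111 1111 1112 charged", "last_used": "2023-10-01"},  # fails Luhn
    {"id": "order-3", "text": "Card 4111 1111 1111 1111 charged", "last_used": "2024-03-01"},
    {"id": "hr-7",    "text": "Employee SSN 123-45-6789 on file", "last_used": "2016-01-01"},
    {"id": "dsar-42", "text": "Deletion request acknowledged",    "last_used": "2023-01-10",
     "tags": {"dsar_record"}},
    {"id": "order-9", "text": "Card 4111 1111 1111 1111 charged", "last_used": "2022-01-01"},  # on hold
]

if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_RECORDS, "2024-03-15", legal_hold={"order-9"})
    for rid, (action, reason) in plan.items():
        print(f"{rid:9} {action:8} {reason}")
```

Two design points carry over to real tooling. First, the retention clock runs from last business use, not from collection; a policy that measures from collection will delete data that is still needed, which is exactly the premature-deletion case the paragraph above says remediation must be able to reverse from backup. Second, "legal hold" is checked before the schedule, because a destruction run that ignores holds is a compliance failure of its own even when every retention window is otherwise correct.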

In short, automated classification and remediation tools are essential for enforcing a compliant data retention policy and, more broadly, they take the manual, error-prone component out of data security and compliance.

Implement a compliant data retention policy with Spirion

Spirion’s Sensitive Data Platform automatically discovers, classifies, and remediates your sensitive data so it can be appropriately secured and retained in accordance with the legal regulation(s) protecting it, as well as your own data retention policy.

Learn how Spirion helps enterprises enforce their data retention policies, uphold compliance, and avoid costly penalties.