05/02/2022 | News release | Distributed by Public on 05/02/2022 09:15
Organizations' email systems hold a treasure trove of data, with ever-increasing volumes of messages and attachments containing information about customers, employees, transactions, marketing plans, intellectual property, and IT systems. The challenge is to manage all this data - whether to extract its business value, comply with heightening regulation, ensure disaster recovery, or support legal cases.
Enter data retention policies. Knowing how, why, and for how long to keep data before deleting it is crucial to protecting an organization's interests. With data protection laws around the world imposing large fines on companies that fail to respect strict data retention regulations, the compliance burden is not to be ignored. Added to that is the growing use of data as evidence in workplace lawsuits and other litigation.
On the operations side, a well-defined policy can also help you to better organize your data, maintain accurate records, conduct a range of analyses and work more efficiently. A retention policy can also serve as part of the framework to manage your backups and archiving, aiding in disaster recovery following a cyberattack or other calamity.
Let's examine data retention, its benefits, best practices, and supporting technologies such as Mimecast's cloud archiving solutions.
Data retention refers to the storage and use of data for a set time period, also known as a data retention period. These data retention periods differ for every organization based on the type of data they store, the legislation governing their operations, and their business goals. The aim is to set a retention period that allows you to extract as much value as possible from your data while keeping up with regulation and the latest security threats.
A data retention policy ensures that organizations take a consistent approach to storing and disposing of their data. It should specify how long you keep different types of data, their format, and where they're stored. Remember that efficient, compliant data disposal is also essential to control costs.
The policy should define who in your organization can dispose of data once its retention period expires. Whether the next step is deletion or archiving, make sure you choose trustworthy employees who understand your data retention policy inside and out.
New laws governing consumer and employee data privacy emerge each day, with regulators exercising their mandate to crack down on irresponsible practices. Other government and industry rules apply to data such as accounting records or credit information. Many include provisions specific to the management and disposal of business data, and failure to comply can have serious financial and reputational consequences.
Take the California Consumer Privacy Act (CCPA), which regulates any company that does business with California consumers regardless of where it is based. Each violation can cost up to $7,500 if deemed intentional, which means that an organization that violates the terms of CCPA for just 1,000 customers could be fined as much as $7.5 million.[1] The more recent California Privacy Rights Act (CPRA) will impose even stricter requirements as of January 2023, including the obligation to inform consumers how long their personal information will be retained.[2]
Other noteworthy data retention regulations to keep in mind include the privacy provisions in Europe's General Data Protection Regulation (GDPR) and the coverage of accounting and business records in the U.S. Sarbanes-Oxley Act (SOX), which applies to all public companies. As for industry-specific regulation: Healthcare organizations must adhere to the Health Insurance Portability and Accountability Act (HIPAA); financial firms must respect the Gramm-Leach-Bliley Act (GLBA); and any company that accepts credit card payments must comply with the Payment Card Industry Data Security Standard (PCI-DSS).
In addition to compliance, a data retention policy can help your business improve the way it manages information and responds to security threats. Here are just a few benefits:
Your organization's data retention practices will be based on its goals, the types of data you store, and the industry you serve. However, some principles transcend these factors and apply to nearly every organization:
With these principles in mind, it's time to develop your data retention policy.
With so much email, media, and other forms of data passing through their organization each day, many organizations opt for a cloud archiving solution to simplify their data management, stay on top of compliance, and follow data retention best practices. In many cases, cloud archiving is also less expensive than on-premises solutions.
A data retention policy is more than a housekeeping tool. It is central to ensuring your data, employee communications, and storage processes are accessible, compliant, and secure. Learn more about how data retention best practices combined with a cloud archiving solution like Mimecast Cloud Archive can improve your organization's data management and storage.
[1] "The California Consumer Privacy Act: Frequently Asked Questions," BakerHostetler
[2] "California's New Privacy Law, the CPRA, Was Approved: Now What?", JD Supra