As we mentioned in last month’s post on the differences between Back-up and Archive, data retention and data retention policies have been in the news a fair amount lately. We cited the 6-month data retention policy utilized by the IRS as just one example. In that post, we felt it important to differentiate the concepts of back-up and archiving. This week we’d like to tackle the things to consider when developing a data retention policy.
The first and most important step in developing a data retention policy is to determine your organization’s requirements. It’s VERY IMPORTANT to note that if you don’t actually have a data retention policy or defined requirements, then your organization may be legally liable to retain the data FOREVER. Simply having a defined set of requirements or an official retention policy – and then following it – often releases your company from this liability.
Also, a common misconception is that it’s entirely up to IT to determine data retention requirements. This is simply not true. It is a business decision that is often governed by internal or external legal requirements or mandates. IT’s primary role is to determine the best way to meet the requirements for data retention as defined by the business.
There are 4 things to consider when determining business requirements for a retention policy:
- What Information Needs to be Retained?
Determining what information will need to be retained is typically a business decision, driven by legal requirements and business needs. It can be very time-consuming to determine all requirements. The organization needs to analyze its individual applications and data types and decide what it needs to keep, what it’s legally required to keep, and what it might need to keep as a result of any other business arrangements or relationships. During this part of the planning process, it’s helpful to create a clear map of all data and where it resides so that you can determine what needs to be kept and what technologies are used to store it. Good cooperation between the IT department and Business/Legal will help make this stage go smoothly.
- How Often Does that Information Need to be Backed Up?
Once again, this is a business decision with which IT can assist. Some solutions allow for continuous data protection, but that might not be necessary for all data, especially if there are budget concerns or constraints. Some data only needs to be backed up nightly or weekly, or maybe not at all.
- Where Does the Data Need to be Retained?
The IT department plays a more integral role in this aspect of data retention. You will need to make a determination whether it is acceptable for the data you need to retain to be protected as just a flash copy or snapshot, or whether it will need to be replicated within the data center or even offsite.
- How Long to Retain the Data?
The biggest problem that a lot of organizations face is that they take a shortcut during the planning stages and say that they just want to keep all the data forever. Not only is this a bad idea from a legal standpoint (as discussed above), but it is also very expensive. It is essential that your organization narrow down this window to arrive at an attainable retention policy that keeps the data for an appropriate time and then gets rid of it. Lately, we’ve seen companies going to 30- to 90-day retention policies. Unless the business requires you to keep the data for several years (as in healthcare, financial, government, etc.), secure the data, keep it for the defined duration, and then remove it.
Once you’ve defined the business requirements that dictate your data retention policy, there are other things to consider as you begin to implement it. For one, you need to understand the various technology platforms across which your data spans. The back-up software needs to be able to obtain and retain data from each for a given period of time. Techniques to retain data can vary from platform to platform, and some, like virtualization, add layers of complexity to the process.
Remember that it is possible to architect your retention systems for specificity, and that it can be wasteful to apply a blanket policy that governs all of your data. It may take longer to plan and implement, but in the long run you’re likely to come out ahead if you’ve taken the time to treat different data and different platforms individually.