Why Develop a Retention Policy?
Having an electronic records retention policy is vital in today’s digital environment. Archiving email and other communications helps organizations address several common issues:
- Meet federal and industry regulatory requirements.
- Support legal needs to retain and provide timely e-Discovery.
- Preserve institutional knowledge during normal employee turnover.
- Reduce IT server loads and storage consumption.
- Support business continuity.
- Provide immediate alternate access to data in the event of a downtime event.
Defining how long your company will retain data can prove more challenging. This subject must be addressed from the top. Data protection is no longer a department level responsibility.
Data retention used to be the sole purview of IT. Now, executive leadership determines policy. Then it is IT’s job to execute the corporate policy. Legal counsel, compliance, audit, and executive leadership work together to establish policies.
At a minimum, there needs to be a thorough review and understanding of regulatory requirements to form the retention policy baseline. Then there is often refinement to support the operational needs of various departments.
How Long to Retain?
There are usually two opposing schools of thought on this subject. Retaining data for longer periods provides knowledge continuity and compliance. Access to historical data ensures that organizational knowledge is preserved. For example, it’s extremely common to review prior email conversations.
The opposing point of view is that that the longer the retention, it increases risk of sensitive information exposure. Expense used to be an argument, but with the rise of cloud and the steep drop in storage costs, this is no longer true.
Today, overly short retention policies pose a much greater risk. Even today’s most common regulations require the retention of email and other electronic information for several years.
The short-term retention policy may be cheap, but it will cost a great deal more in the long run. Today, courts expect that retention is within reach of every organization. Failure to retain, or implement a proper Legal Hold results in penalties, sanctions, and a weakened legal position.
Retention Policy Best Practices
1. Analyze relevant regulations
The process of designing a retention policy should begin by listing all relevant regulations and the retention requirements applicable to your organization. The retention periods may vary significantly based on your industry and the location. Here’s a list of some of the most common US laws and their prescribed retention periods:
Common US Regulations Retention
| Industry | Regulation/Regulatory Body | Retention Period |
|---|---|---|
| All | Internal Revenue Service (IRS) | 7 years |
| All Government + Education | Freedom of Information Act (FOIA) | 3 years |
| All public companies | Sarbanes-Oxley (SOX) | 7 years |
| Education | FERPA | 5 years |
| Financial | Gramm-Leach-Bliley Act (GLBA) | 7 years |
| Financial (Banking) | FDIC | 5 years |
| Financial (Brokers, dealers, investment bankers, securities firms) | FINRA, SEC 17a-4, SEC 17a-3 | 7 years |
| DOD contractors | DOD 5015.2 | 3 years |
| Credit card processors | PCI DSS | 1 year |
| Healthcare | HIPPA | 7 years + |
| Pharmaceutical | Pharmaceutical | 2 years |
| Telecommunications | FCC | 2 years |
If the retention period is not clearly defined, a best practice is to use the IRS recommendation of 7 years.
Establishing Policy: Baseline First, Then Refinement
Begin with your regulatory requirements and involve the right stakeholders. Policy definition should involve Legal, IT, Operations/Audit and if applicable Compliance personnel. Legal will provide counsel based on the regulations. That advice will determine retention policies, data segmentation and retention groups.
Note that it is extremely common for executives to expect to have access to historical data for longer time periods. Be prepared to apply layered policies based on (for example) data type, sender, recipient, or department.
For instance, a policy will designate email spam to never enter the archive. The remaining data will have a baseline retention policy of 5 years. Operations and HR will retain their data for 7 years. C-suite correspondence, invoices and sales records are often held for extended periods.
It’s important to note that corporate instant messaging, Team chat spaces, voicemails and video conference recordings also require retention.
The Importance of Proper Data Sanitation
Finally, your policy needs to define strict guidelines regarding data disposal at the end of its retention period. With the volume of daily activity, this can no longer be a manual process. Instead, it’s best to automate this process with a compliance archive. That way your retention policy is managed from start to finish with accountable, defendable data management.
2. Implement an Automated Archiving Solution
Defendable policy implementation
Proper retention policies will automatically preserve records according to an organization’s policies. Further, an archive is a tamper-proof system. This ensures regulatory compliance, data protection and business continuity support. Without a an automated company-wide approach, you cannot ensure and document policy adherence. This becomes extremely important during audits and litigation.
Data Protection and Business Continuity Built In
Not all data compromises happen from malware and hackers. Data is routinely leaked or lost due to either human error or malice. With an automated compliance archive solution, your data is more secure. Even better, a cloud-based archive is provides an additional layer of safety. Yet data is easily accessed by designated staff. This can be particularly helpful when the primary systems are offline.
A multi-data archiving solution like OneVault ensures automatic application of all your retention policies. The system will then retain your data for as long as necessary and purge it after the retention period expires. This balances retention with data sanitation to eliminate unnecessary liability posed by expired data still within your systems. If expired data exists during e-Discovery, it cannot be excluded. Old data increases risk.
3. Drive More Value from Your Archived Data
Regulatory compliance and litigation often get all the attention in archiving discussions. Yet your archive data is valuable for insight and knowledge transfer.
Operational benefits from Keyword tracking
Keyword tracking within Donoma OneVault helps Customer Service, Sales and HR teams track use of specific keywords. Keyword SmartActions track communication sentiments. They can also auto-tag content for workflows, review, training and more.
Let’s say you want to track the use of foul language in your staff’s digital communication. Donoma OneVault tracks and tags activity around designated keywords. For example, messages flagged for “profanity” are tagged with a Profanity tag. This makes it easy to locate the exact message as needed. The system automatically scans for these keywords and provides notification.
Create automated workflows based on keywords
The same keyword and tag-based policies power operational workflows. Pre-defined keywords (such as a project name or a case number) can automatically trigger notifications for business processes such as change orders, reviews and more.
4. Make Your Archive Part of Your Business Continuity Strategy
While many organizations are diligent in their backup procedures, backups are not infallible. They have the disadvantage of being a snapshot of a single point in time, typically at night. Data changes constantly, with no audit trail on that activity.
A backup is not indexed in the same manner as an archive. Therefore it can be very difficult to find the data you need. Finding data involves IT and creates potential privacy protection problems. However, with a cloud-based archive, if your systems are offline, records in your archive are securely accessible. This is helpful for executives and legal teams who routinely need access to historical data. If there is an outage, the backups restoration can still take time. An archive can bridge the interim gap as part of a your business continuity strategy.
Donoma Archiving Solutions
Donoma Software has been providing compliance archiving solutions for over 10 years. If you’d like to learn how your organization can meet compliance requirements, reduce costs and risk, we’d like the opportunity to introduce you to our OneVault multi-data archiving platform. Just contact us or book a no obligation demo discussion. A member of our team will be happy to discuss your questions and show you how OneVault’s expandable archiving capabilities will make your multi-data archiving needs much more manageable.
Resources:
- Compliance Archiving: Understanding the Key Features You Must Have (Free comparison checklist)
- Beyond Compliance: The Dawn of Agile Data Retention
- On-Demand Replay: Why Archiving Should Expand Beyond Email with Osterman Research
- Osterman Research: Top Reasons to Archive
- Evolving Trends in Communication Records Preservation
- Communications Archiving with OneVault
- Message Vault Delivers Compliance & Customer Service Benefits
