- Meet federal and industry regulatory requirements to retain email and communications related to the conduct of business
- Support legal needs to retain and provide timely e-Discovery
- Preserve institutional knowledge and hedge against its loss during normal employee turnover
- Reduce IT server loads and storage consumption
- Support business continuity and immediate alternate access to data in the event of an on-premise data breach or downtime event.
Defining how long your company will retain data can prove more challenging. This is often a sticky subject, but one that must be addressed from the top of the organization, not at the department level.
Initially it is often IT who is expected to present the retention plan, but it is IT’s job to execute the corporate policy, not to formulate it. Legal counsel, compliance, audit, and executive leadership must work together to formulate policy.
At a minimum, there needs to be a thorough review and understanding of regulatory requirements to form the retention policy baseline. Then there is often refinement to support the operational needs of each individual organization.
How long should you retain?
There are usually two opposing schools of thought on this subject. Retaining data for longer periods provides knowledge continuity and insight. Being able to pull up historical data ensures that organizational knowledge is preserved. It’s extremely common that executives rely on old email chains to recollect past activity.
The opposing point of view is that that the longer the policy, the bigger the risk that some sensitive information will be exposed. There used to be an argument that retaining for longer periods of time also was prohibitively expensive, but with the advent of the cloud and the steep drop in the cost of storage, these arguments no longer hold up, particularly in legal situations.
Today, overly short retention policies pose a much greater risk. Even today’s most common regulations require the retention of email and other electronic information for several years.
The short-term retention policy may be cheaper to implement, but they can often cost a great deal more in the long run. The expectation from the courts is that retention is within reach of just about every organization, and failure to retain either for regulatory compliance or implement a Legal Hold at the expectation of a problem results in penalties, sanctions, along with a weakened legal case.
Retention policy best practices
Analyze relevant regulations
The process of designing a retention policy should begin by listing all relevant regulations and the retention requirements applicable to your organization. These recommended retention periods may vary significantly based on the industry you belong to and the location of your business. Here’s a list of some of the most common US laws and their prescribed retention periods:
Common US Regulations Retention
|Industry||Regulation/Regulatory Body||Retention Period|
|All||Internal Revenue Service (IRS)||7 years|
|All Government + Education||Freedom of Information Act (FOIA)||3 years|
|All public companies||Sarbanes-Oxley (SOX)||7 years|
|Financial||Gramm-Leach-Bliley Act (GLBA)||7 years|
|Financial (Banking)||FDIC||5 years|
(Brokers, dealers, investment bankers, securities firms)
|FINRA, SEC 17a-4, SEC 17a-3||7 years|
|DOD contractors||DOD 5015.2||3 years|
|Credit card processors||PCI DSS||1 year|
|Healthcare||HIPPA||7 years +|
If the retention period is not outlined for your industry or a particular type of data, it’s recommended to stick to the minimum IRS recommendation of 7 years.
It’s important to begin with these regulatory minimums and policy creation should involve at a minimum, your legal and IT staff, as well as any audit and compliance specialists you may have on staff. Legal will not only be able to provide counsel based on the above regulations, but also advise on how to segment your retention groups.
Note that it is extremely common for executives to expect to have access to historical data for longer time periods, so you might need to specify multiple policies based on different criteria like data type, the sender, the recipient, or the department.
For instance, your policy can be designed in such a way that spam messages are never retained, your general correspondence is retained for 5 years, administrative and HR for 7 years, and then CEO correspondence, invoices and sales records are kept for 10 years or forever.
It’s important to note that retaining communications data like instant messaging, Team chat spaces, voicemails and video conference recordings also require retention.
Finally, your policy needs to define strict guidelines regarding data disposal at the end of its lifecycle. With the volume of data generated each day, this can no longer be a manual grooming process. Instead, it’s best to automate this process with a compliance archive. That way your retention policy is managed from start to finish with accountable, defendable management.
Implement a multi-data archiving solution
Defendable policy implementation
By implementing proper retention policies, you will automatically preserve your records according to your organization’s policies and standards. Further, the data is archived in a tamper-proof system that ensures both regulatory compliance and protection of valuable data needed for business continuity. Without a comprehensive, company-wide approach, you cannot defend policy adherence. This becomes extremely important during audits and litigation.
Data Protection and Business Continuity Built In
Not all data compromises happen from malware and hackers. Leaks of sensitive information routinely happen because of human error or malice. By having a fully automated compliance archive, your data is securely retained in a tamper-proof environment. Even better, if your archive is secured in the cloud, then it provides an additional layer of safety and can be accessed by designated staff (such as executives) if the primary systems are offline for an extended period.
A compliance style multi-data archiving solution allows you to define all your retention policies up front. The system will then retain your data for as long as necessary and purge it after the retention period expires. This balances necessary retention with procedures to eliminate unnecessary liability.
Drive Operational Benefits from Your Archive
While regulatory compliance and litigation hold often get all the attention in archiving discussions, there are powerful benefits that can be derived from your archiving system.
Proactively monitor communications
Your archiving system can also help your Customer Service, Sales and HR teams track employee misbehavior, prevent the sharing of sensitive business information, track communication sentiments and identify areas for ongoing training and improvement.
Let’s say you want to track the use of foul language in your staff’s digital communication. In any of Donoma’s archiving solutions, you can define keywords for notification, who should be notified and how quickly. For example, messages flagged for “profanity” can be tagged with a special Profanity tag that makes it easy to locate the exact message as needed. The system will then automatically scan for these keywords and notify admins or compliance officers in case a rule is broken.
Create automated workflows based on keywords
The same keyword and tag-based policies can be applied for workflows. Pre-defined keywords (such as a project name or a case number) can automatically trigger notifications for business processes such as change orders, reviews and more.
Make your archive part of your business continuity strategy
While many organizations are diligent in their backup procedures, backups are not infallible. They have the disadvantage of being a snapshot of a single point in time, typically at night. Data can be changed at will (including being deleted) with no audit trail on that activity.
A backup is not indexed in the same manner as an archive, and therefore it can be very difficult to find the data you need. If the data can be found, it must involve IT, who otherwise should not know the contents of the email or communication in question. However, with a cloud-based archive, if your systems are offline for any extended outage (that can be all too common these days) your archive is securely accessible for all your archived historical data. This is particularly powerful for executives and legal teams who routinely need access to historical data around the clock. If there is an outage, the backups still need to be re-loaded, and that process can often be lengthy. An archive can bridge the interim gap as part of a comprehensive business continuity strategy.
Donoma Archiving Solutions
Donoma Software has been providing compliance archiving solutions for over 10 years. If you’d like to learn how your organization can meet compliance requirements, reduce costs and risk, we’d like the opportunity to introduce you to our OneVault multi-data archiving platform. Just contact us or book a no obligation demo discussion. A member of our team will be happy to discuss your questions and show you how OneVault’s expandable archiving capabilities will make your multi-data archiving needs much more manageable.
- Compliance Archiving: Understanding the Key Features You Must Have (Free comparison checklist)
- Beyond Compliance: The Dawn of Agile Data Retention
- On-Demand Replay: Why Archiving Should Expand Beyond Email with Osterman Research
- Osterman Research: Top Reasons to Archive
- Evolving Trends in Communication Records Preservation
- Communications Archiving with OneVault