What you will learn in this tip: While information lifecycle management (ILM) may no longer be among the IT industry top ten buzzwords, data retention is still a very current topic. This tip discusses the development of a policy around it and why it's important to have a data retention policy.
Any discussion on data retention always includes an unavoidable legal element, which is why it's a subject that many IT professionals are typically uncomfortable with and prefer to avoid. In all honesty, no one can blame them because decisions around what data gets deleted can have serious legal implications. On the other hand, the absence of decisive actions regarding data retention can also become costly in terms of storage, and can also have some legal implications. In keeping with that line of thought, this tip on data retention doesn't pretend to offer legal advice nor should it be interpreted as such. What follows simply outlines certain considerations when developing a data retention policy.
For the purpose of this discussion, the term "records" is used to describe computer system data of certain significance from a business perspective rather than all data in general. Although many of the ideas presented can also apply to paper records, the focus here is on computer system data.
The purpose of a data retention policy
There are essentially three main objectives in developing an electronic data retention policy, which can be summarized as follows:
- To keep important records and documents for future use or reference;
- To dispose of records or documents that are no longer needed; and
- To organize records so they can be searched and accessed at a later date.
When further analyzing the above list, we quickly realize that the first point is the main reason why we keep data; we either think we might need it later (as is the case for intellectual property or capital), or we keep it because we have to for legal reasons. However, the second bullet point is why we need a policy -- we don't necessarily want to keep everything indefinitely if we don't have to. The third bullet really highlights the fact that that there's no point in keeping records if later we can't find them or access them when needed.
Drivers for a data retention policy
The objectives of a data retention policy as outlined above are pretty straightforward. But there are also compelling business reasons that may justify the effort, including:
- Cost savings through data storage reduction;
- Simplified, less expensive data management; and
- Regulatory compliance (legal discovery, protection of privacy, etc.).
The opportunity to reduce data storage costs is probably the biggest driver behind many data retention policy development projects. Beyond the pure cost of storage, there are costs associated with managing complex storage and backup environments, and the impact of storage growth on data center capacity. While data reduction technologies have helped, they mostly address the effects rather than the causes. In other words, compressing the data is great, but reducing the amount of data to compress is even better.
What should stay and what should go?
The first consideration for data retention is regulatory compliance -- what your company is required to retain (and for how long) by law. When developing a data retention policy, an initial data categorization exercise is required. Some of the grouping criteria are as follows:
- Is the data a temporary record? Log files, drafts and work copies of documents can be categorized as temporary records and are likely not subject to long-term retention.
- Does the data primarily consist of intellectual property? This data needs be retained for as long as it is deemed useful with the understanding that even our best ideas become outdated at some point.
- Is the data a permanent record? Contracts, tax documents, patent information or trade secrets documents, etc. are the types of documents that typically need to be retained for a specific number of years, and in some cases indefinitely.
- Is the data subject to freedom of information and protection of privacy regulations? There are cases where documents must be kept for a specific number of years and must then be destroyed.
- Is the data legitimate business data? It's common to have employees store personal or non-business data such as video or music files on corporate storage.
- Could the data be subject to legal discovery in the event of legal actions? In some legal cases, the absence of a clearly defined data retention policy has caused defendants major headaches and generated significant discovery costs because the discovery of a single document containing information about a legal dispute resulted in a court request to produce all other related documents.
The last item above should probably be the biggest motivator for the development of a comprehensive and enforceable data retention policy. While there are data types such as tax records that must be kept for a specific number of years as prescribed by laws, there are other records that should be deleted. For example, while the U.S. Supreme Court approved new rules regarding e-discovery of critical evidence back in April of 2006, it recognized that businesses don't have to keep everything indefinitely. It ruled that companies who can demonstrate that they delete data based on a repeatable and predictable process in the course of conducting regular business are immune in the case of litigation. Regular, scheduled, automated and verifiable deletion of email messages is probably the best example of that kind of practice. It is important to mention that while a data retention policy must be comprehensive, it should also be manageable and enforceable. To that effect, the number of data categories should be kept to a minimum.
Managing the data retention policy
We've discussed the purpose and business drivers for a data retention policy and brushed on data selection criteria but one item remains: Who is responsible for developing the data retention policy and who manages it? Back in the days of paper documents, this would have fallen under the responsibility of the records manager but this role has unfortunately been phased out of many companies along with paper records. Developing the policy has to be a joint effort involving storage administrators and applications owners, but also requires executive support. Realistically, IT probably has to take the lead by promoting it as a solution to controlling storage growth.
Data retention and, more importantly, data deletion is a complex task that cannot be taken lightly.
The policy itself doesn't have to be a complex set of rules, and it can be summarized in a document stating the categories of data subject to the policy and associated retention details. As mentioned earlier, the policy needs to be manageable and enforceable. It should initially focus on data that can or must be deleted, and this can later be expanded if needed. The policy document must be validated by the company's legal counsel but needs to have full management support and must be presented as a company policy, not an IT best practice document. Revisions may become necessary, so the policy should be reviewed at least annually to ensure it is still relevant. This is where data discovery or data archiving software comes into play because no one can be expected to manually search and delete data. Software automation can at least ensure that data subject to the policy is identified and potentially migrated to a specific storage where it can later be deleted (i.e., archive storage).
Data retention and, more importantly, data deletion is a complex task that cannot be taken lightly. No permanent records should be arbitrarily destroyed without first ensuring that they are not subject specific retention required by law. It must be said once more that seeking legal advice is highly recommended. That said, organizations should not shy away from this important task simply because they are unfamiliar with laws and regulations. The benefits of a comprehensive data retention policy far outweigh the initial efforts required to develop and implement it.
About this author: Pierre Dorion is the data center practice director and a senior consultant with Long View Systems Inc. in Phoenix, Ariz., specializing in the areas of business continuity and DR planning services and corporate data protection.