Is your organization operating without a data retention policy? Or under a policy that needs updating or isn’t being consistently enforced? If so, this is one issue you’ll want to move closer to the top of your priority list, ASAP. Here’s why:
Reason #1: Staying Compliant
Regulatory compliance is the top driver for having a retention policy. Sarbanes-Oxley, HIPAA, SEC regulations and other compliance requirements dictate how long you need to retain information—up to seven years for some types of data. The key is to look across all of the data in your organization and strategically identify what exactly you need to retain for which specific time periods to meet external compliance and internal audit requirements.
Not having the data you need (or not being able to produce it on demand) could result in millions of dollars in fines for noncompliance. Get clear on which compliance regulations apply to your business and make sure you have a policy to meet them.
Reason #2: Minimizing Legal Exposure
The legal implications of a data retention policy can be tricky. Companies are keeping more data for longer timeframes for compliance, business and other reasons. But keeping everything forever just isn’t realistic or even smart. One major reason: legal risk.
If litigation arises, having too much data to sift through can drive up your legal costs and delay the discovery phase, which can result in sanctions. A glut of data can also create unnecessary exposure: for example, older data that could be incriminating, or taken out of context and used against your organization, may be called into evidence. A consistent data retention and discovery policy minimizes these risks, while also demonstrating that any data destroyed prior to a lawsuit was purged methodically, according to a policy, rather than targeted for destruction as potential evidence.
Reason #3: Business Information
Whether for analytic, historical or other purposes, businesses need to retain information. It’s easy to see how this reason can come into conflict with reason #2. A good retention policy strikes a balance: it keeps data long enough for business and compliance purposes without exposing the business to any unnecessary risks.
Reason #4: Keeping Costs Down
Sure, tape is cheap, but that doesn’t mean you should endlessly invest in a limitless supply of storage media for volumes and volumes of data without just cause. The cost of storing too much data adds up. Let policy determine how much data you need to store and you may see storage costs drop.
Creating and implementing a good data retention policy is not as straightforward as it seems. But the answer to the question of whether or not you need one is as clear-cut as it gets.







Interesting post! In your experience, have you had clients not have a retention policy and suffer because of it (both legally and financially)? It appears that you have left the door open for further explanation on how your organization works with your clients to define and implement a retention plan.
A brief example of how you actually help your clients would be of great value added to this posting.
Posted by: steve t | May 03, 2011 at 04:04 PM
Steve, we have had companies suffer, mostly financially, due to incorrect retention policies. Although we're not technically 'consultants', when we install our software we help guide them towards thinking about what their current policies are, or if those policies need to be modified and streamlined. Once they start using our software the organization can start to see if these retention holds are working, and tweak from there.
Posted by: Mike | May 05, 2011 at 02:47 PM