5 Best Practices About Information Retention For Businesses
Today’s organizations rely on information to fuel their business processes. Whether it’s the healthcare, financial services, hospitality, federal government, retail, telecommunications, or education industry, there are sensitive assets that malicious hackers can – and will – steal.
With the growing amount of information collected by various organizations and industries, it’s no wonder why creating and enforcing a robust information retention policy is necessary. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what information they need to retain and for how long.
Let’s take a look at some information retention best practices and how following them can help your organization establish and enforce a more compliant and useful information retention policy suited to your organization’s needs.
What is information retention?
Information retention is a process based on the preservation and maintenance of valuable information for as long as it is necessary, and then discarding it in a safe manner when it is no longer needed.
How to determine appropriate information retention?
Retention requirements exist for certain types of sensitive information or records, for example, sensitive information being processed by a computer system, stored on media or accessed by a staffer. While organizations are free to draft their own information retention policy, they must also adhere to a number of information retention laws, especially if these organizations operate within regulated industries.
Types of Information Retention
Hardware retention – Hardware products are often replaced every 3-5 years. Hardware retention is likely to refer “to retaining [information] until it has been properly sanitized,” as defined in the “7th edition of CISSP Official Study Guide.”
Personnel retention – On the other hand, the same textbook explains another type of information retention – personnel retention – as “the knowledge that personnel gain while employed by an organization.” Non-disclosure agreements (NDAs) signed by employees upon hiring prevent them from sharing proprietary information and trade secrets with others.
In practice, hard- and soft-copy information records are not to be kept “on hold” beyond their legal or useful lifetime. As to the appropriate formality behind a workable information retention policy, one needs to implement a few indispensable steps:
- Document the policy – sometimes simply retaining information is not enough. Federal laws generally require organizations in regulated industries to document the information retention process. Thus, each and every aspect of this process must be written down and communicated to everyone who is affected by it.
- Attach an activity log of all activities related to the policy, such as training sessions, auditing checks and results, and record destruction processes.
- Retention goes hand in hand with security – appropriate security measures are necessary to ward off unauthorized access to, or inadvertent loss or damage of, the information.
- Information is to be disposed of properly and securely, in a manner that renders it unusable.
Below are the 5 best practices about information retention for businesses.
1. Build Your Information Retention Policy Development Team
Not only do you want to include your legal team and accounting professionals, but you also want to make sure you include diverse voices within your company who may also hold a stake in the various information in your system. While your instinct may default to “delete,” your accounting manager may hold valid—if not critically important—reasons for retaining certain records.
Key team members to add to your information retention policy development team include:
- Staff members responsible for information retention settings
- In-house legal counsel
- Departmental managers and supervisors
- Anyone who receives and manages financial reports
- Anyone who generates financial reports
2. Determine All the Regulations That Are Applicable to Your Business
A few regulatory bodies and acts that determine certain information retention durations and the conditions of information removal include:
- The Health Insurance Portability and Accountability Act (HIPAA) is related to the healthcare industry and applies to healthcare organizations and any business that works with those organizations.
- The Sarbanes-Oxley Act (SOX) has its own provisions, related to the financial industry.
- The Internal Revenue Service (IRS) applies to every type of business in any location of the United States.
- The Children’s Online Privacy Protection Act (COPPA) is another act that applies to all businesses in the United States.
- The EU’s General Data Protection Regulation (GDPR) applies to any company that does business with a resident of one of the EU’s 28 member states.
This step alone shows why it is essential that your information retention policy development team include a legal expert and your accounting team, who can thoroughly research the laws, policies and regulations germane to your industry and location.
3. Define the Data to Be Included in Your Information Retention Policy
Regardless of your industry or location, there are some general types of information that you must include within your information retention policy, including:
- Emails and other electronic documents
- Customer records
- Transactional information
- Correspondence between staff and clients, agents, vendors, shareholders and the public
- Supplier and partner information
- Employee records
- Sales, invoice and billing information
- Tax and accounting documentation
- Financial reports
- Healthcare and patient information
- Student and educational information
- Any other information produced, collected and maintained in the fulfillment of regular business activities
4. Compose Your Information Retention Policy
Once you have determined what happens to old information that you can remove or archive, it is time to formally write your policy. Some of the sections that each information retention policy must include are the:
- Applicable Laws, Regulations, Policies, Rules, and Acts
- Information Retention and Deletion Schedule
- Litigation Plan
- Review and Update Schedule
5. Make Sure All Employees Are Aware of—and Fully Understand—the Company’s Information Retention Policy
Beta News reported the results of a Harris Poll indicating that 63% of employees do not believe their companies have policies regarding email retention. Further, even employees who did know that their company had information retention policies weren’t aware of what those policies were. You do not want this scenario for your organization.
You definitely want to keep your employees in the loop when it comes to information retention. You may find it helpful to invite a few employee ambassadors to join occasional information retention policy meetings while you and the rest of the team develop the policy, so they gain a deeper understanding of the reasons behind its various aspects.
You never want to leave your vital organizational information to chance at any level, so provide employees with a copy of your information retention policy once it is completed. You may also conduct regular training and review sessions to keep everyone up to date.