
Getting A Good Grasp On Data Policies

Editorial Type: Opinion     Date: 05-2013








Having sustainable data retention policies and procedures in place makes a lot of sense. But what are the challenges along the way? Mark Bailey explains.

Implementing sustainable data retention policies and procedures across an organisation is a laudable goal - and sound business thinking as well. But there are technical and legislative issues that need to be considered: what is the best strategy for data retention, and how long does data need to be retained? Other issues to consider as part of a comprehensive data strategy are: the risks associated with the strategy; the sanctions for failure to comply; and the financial and reputational risks, which could outweigh the environmental considerations.

In a 2012 survey, 'Information Retention and e-Discovery', Symantec looked at how organisations are managing increasing volumes of electronic data. The results of the survey show that organisations are starting to pay attention to the requirements of data retention. The number of organisations without a formal information retention plan in 2012 had halved from the 2011 survey. However, in spite of this, it seems that organisations are still struggling to implement a data retention plan that matches the requirements of the business and, at the same time, fulfils the legal and regulatory requirements to which the organisation is subject.

Implementing a data retention plan is a matter of balance. Taking an all-inclusive approach and retaining too much data can be counterproductive. Retaining too much data presents additional risks, including:

- Spiralling costs of power and storage
- Financial and environmental costs of paper archives
- Uncontrolled data storage - particular issues include loss of a single source of the truth of the organisation's data, data retrieval complexity and effects on the speed of retrieval
- Cyber risk - multiple locations for data storage potentially increase cyber risk
- Increased risk over data security controls where data retention is not managed effectively.

Excessive protection for less valuable data increases licensing and data storage costs, as well as potentially overprotecting non-sensitive data. The fifth data protection principle in the UK Data Protection Act requires that "personal data processed for any purpose... shall not be kept for longer than is necessary for that purpose..." There is a risk of fines from the Information Commissioner where the data protection principles are breached, quite apart from the reputational loss that a data breach entails. Measures proposed under the new EU data protection Regulation, which could come into force around 2016, include increased fines of up to 2% of global annual turnover.

However, as the Symantec survey revealed, there are perceived barriers to implementing and maintaining a data retention policy, including:

- Costs associated with collection, analysis and review
- Time spent collecting, analysing and reviewing data
- Increased risk in disclosure of confidential information
- Compromised position in potential or actual litigation.

Furthermore, different data has different retention requirements, and understanding these requirements is a time-consuming exercise. For example:

- Accounts records - a minimum of three years for a private company
- PAYE records - not less than three years after the end of the tax year to which they relate
- Contractual documentation - at least six years following final performance (and twelve years if executed as a deed)
- Financial services regulated businesses have additional retention requirements, with time periods ranging from months to years
- Public communication providers are required by the Data Retention (EC Directive) Regulations 2009 to retain data for a period of 12 months from the date on which the information is generated.


