As data storage options have exploded, storage capacities seem limitless. But just because you can keep all your data doesn’t mean you should. According to Forbes, 2.5 quintillion bytes of data are created every day, with 90% of all data in the world having been created in the last two years alone.
That’s a lot of data.
But knowing what to keep and what to delete can be hard. We talked to information governance lawyer Peter Sloan with the Information Governance Group about data security and why you need a data retention policy. Check out Sloan’s answers to our data retention questions below.
Why shouldn’t I keep data forever?
The raw cost of data storage continues to fall, and it does seem cheap. But the true cost of unnecessarily retaining data can be immense. First, there’s the hard cost of maintaining the data storage – costs of IT staff, hardware and software maintenance, and whether data is stored on-premises or in the cloud.
Next, there are the business inefficiencies in personnel struggling to find the right data, at the right time. On top of that, there are the exposures of litigation, in which relevant data must be preserved on legal hold, then collected, and then reviewed by lawyers – I’m not talking about bad content, but instead the volume cost of dealing with immense troves of unnecessary data in litigation.
And of course there are data security exposures as well – the unnecessary data may include confidential or protected information that, if hacked, can cause huge cost and exposure in breach response.
How do I know what to delete and what to keep?
First, stop viewing digital data as something mysterious – it’s simply information, for which there should be management rules. Business information should be managed, just like business finances, people, and property.
Second, the rules on how data will be retained, secured, managed, and ultimately disposed of should be driven by the content and context of the data, based upon compliance, risk, and value.
It’s best to be guided by three key questions:
- How long are we legally required to keep this information?
- How long is this information valuable to our business?
- What are the costs and risks if we keep this information longer than it is legally required or business valuable?
If the data is not legally required or business valuable, a relatively short retention period is the best way to go.
How do I create a data retention policy?
Data management, including data retention, is an ongoing business process, not simply a “one and done” project. It’s important that business leadership supports the effort. Also, someone must take responsibility for implementing and managing the effort, to keep it on track.
Outside counsel is invaluable for identifying the legal requirements and advising on how they apply to the business. Your IT team must be involved for implementation. And the various business functions should also have a seat at the table, to provide input and better ensure successful implementation.
Decide on rules that keep it for as long as the information type is required by law or is business-valuable, and then, absent a need to preserve it for pending litigation, dispose of it once it’s neither legally required nor truly valuable.
Last, set your rules in a data retention schedule, and follow them.