What to do with all of that data: Retention best practices
Data and corporate information are the lifeblood of your clients’ business—there’s no denying their importance. Today, organizations across all industries are tasked with ensuring that data is protected, retained, and accessible when needed, yet many lack the appropriate archiving and retention policies.
As an MSP, it’s your job to be your clients' strategic advisor and help them understand exactly what their retention requirements are for various business needs and data types. So, in honor of spring cleaning season, we’re providing you with best practices to help you tidy up your clients’ IT environment and implement retention policies for more secure, accessible data.
When establishing data retention policies for your clients, here are some key points you should consider. Remember that not all data is created equal—the first step in establishing appropriate retention policies for your clients is to determine which data actually needs to be archived, and for how long.
Step 1: Classification
To strike a balance between what’s optimal for your clients’ business needs vs. cost effectiveness, ask these questions before classifying or deleting data.
- Is the information in question critical for the clients’ business operations?
- Would the information be considered a permanent document of any kind?
- Is the data considered proprietary intellectual property?
- Is the data required for fulfilling any business service level agreements (SLAs)?
- Does the data reflect current, legitimate and useful business information or needs?
Data that fits none of these criteria may be suitable for deletion.
Most data is generally retained for twelve months, with a very small percentage needing to be retained after that time period. Assess value and risk before deleting anything, and take into account cost and storage requirements when choosing to keep anything else. There should be no arbitrary or ambiguous data—everything must be accounted for.
Step 2: Compliance
There is a hierarchy to follow when determining which data must be stored. Ensure data retention policies align with any of the following compliance or regulatory restrictions:
Whether it’s HIPAA, FINRA, PCI, or other regulatory concerns, know your customers’ verticals, and know the law. What data must be kept (and for how long) can vary significantly from one industry to the next.
Retain any and all data that could be subject to legal discovery or would be needed in legal action should it arise. Pro Tip: If you need a long-term storage solution for less time-critical data, you can leverage Archive, a cost-effective extension of Continuum BDR.
Step 3: Deletion
Once you’ve identified data that no longer serves any useful purpose, there’s more to do than simply emptying the desktop recycle bin. Set expiration dates for ALL client data when establishing retention policies (unless it is designated to be retained in perpetuity). When data has exceeded the retention limits, it should be deleted immediately.
Finally, data that is retained must be data that is accessible. Choose a fast and searchable archival method to access data and determine what frequently-used data (if any) should be kept “live” outside of archival applications.