From my previous post, you already know several key features you need in your data archiving software. But what about data archiving policies? While I don’t have enough space here to delineate best practices for designing a data archiving policy, I can touch on one of the most important considerations when developing that policy. That issue is compliance, a word that no doubt you’ve heard frequently over the last several years.
In a nutshell, compliance means the need to conform to given rules. Those rules may be:
- Regulatory, where you must adhere to specific laws, such as Sarbanes-Oxley or HIPAA
- Standards or specifications, where you must adhere to an industry standard, such as the ISO (International Organization for Standardization) security standards or PCI DSS (Payment Card Industry Data Security Standard)
- Legal, where you must hold onto data for e-discovery or other investigative reasons
Depending on your business, you may have to consider one or all of these possibilities. For example, the medical and financial industries are far more heavily regulated than a Jiffy Lube franchise. However, Jiffy Lube accepts card payments and is therefore subject to standards like PCI DSS, among others, and it must be prepared for legal action against the franchise and the company as a whole.
With those obligations in mind, a data archiving policy needs to answer three questions:
- What data to keep
- How long data must be kept
- When to delete archived data
First off, your data archives don’t need many of the files you would want to keep for BDR (backup and disaster recovery) purposes. For example, you don’t need to archive scratch material such as drafts of a document or application debug output. Be careful with the word “temporary,” though: security audit logs are a notable exception, because standards such as PCI DSS require you to retain at least a year of audit log history, so check your regulations before treating any log as disposable. Once you’ve determined what data you do need to keep, you need to find out how long that data must be held. For example, the IRS expects you to hold onto tax-related documents and filings for as long as seven years in some cases.
Finally, when is it time to delete archived data? If you’re like me, your first thought may be, Never! After all, cloud backup storage is cheap, costing as little as a penny per GB per month (and destined to drop even further). However, holding onto data past its retention period can turn problematic, particularly in legal situations, because anything you still hold is discoverable and anything you still hold can be breached.
Brien Posey of TechTarget, quoted in my previous post, describes why holding onto data indefinitely is a potentially harmful approach:
Federal regulations require certain data to be retained so that it can be analyzed in the event an organization is accused of some wrongdoing. Many litigation experts who represent companies undergoing e-discovery requests say that preserving data beyond what is required by law can lead to trouble. For starters, it often means more money is spent sifting through more data. In addition, more data can mean more vulnerability.
Therefore, your policy needs to include a data destruction procedure that formally documents and confirms the process used to destroy data and, if applicable, the media it’s housed on, so that you can later prove both that the data was destroyed and when. Paul Kirvan of TechTarget explains why:
Most current legislation that requires data management policies and procedures also requires that there is formal documentation of all data retention and destruction activities. It also provides evidence to the court that the data in question does not exist.
Again, this post is meant to get you thinking about compliance; however, it’s by no means comprehensive. If you have other suggestions about this topic, please share them in the comments or on Twitter!