Tons of data goes into SaaS platforms like Salesforce every day. Over time, this data will naturally become less valuable to your business and need to be deleted from your production environment, or eventually, from your archives.
That’s why, with thousands of records entering and leaving your system every day, it’s critical to have an official data retention policy documented.
What is data retention, and why is it important?
Data retention refers to the management of data once it is logged on an application or system. A data retention policy helps a company determine what information needs to be stored, where to house it and how long to save it. Once the data runs its course, the company can delete it or transfer it to a separate archival site.
A well-defined data retention strategy can help your organization in several ways, such as:
- Regulatory compliance: A policy helps you abide by government and industry laws to avoid civil, criminal and economic consequences.
- Lowered costs: By eliminating the need to search for data across multiple locations, your policy can mitigate productivity costs.
- Easier data deletion: A policy indicates areas with removable data, improving your ability to pinpoint pertinent information.
- Improved efficiency: Preventing your business from storing data longer than required helps free up space for new information and increase speed.
- Streamlined management: A clear strategy helps ensure all employees know how to handle data properly.
- Comprehensive storage: A policy allows you to control complex datasets that span across various departments and systems with ease.
What steps should your data retention policies include?
Your data retention policy should look holistically at all of the data entering your SaaS platform. Pay attention to what kind of data you're retaining, the data’s sensitivity level, and regulations that may specify the minimum or maximum retention periods. After categorizing each object, you'll need to define when to reduce access to that data by deleting it entirely and when to move the data to your archives. Let's dive deeper into each step of the process.
2. Determine Applicable Regulations
Specific local, state, federal, international, or industry-imposed regulations, such as GPDR, LGPD, CCPA, HIPAA, and SEC 17a-4, have data retention requirements. Hopefully, your compliance, risk, and legal departments have already set retention policies for sensitive data that align with the applicable rules. Double-check with each of these departments to ensure you comply to avoid civil, criminal, or financial penalties.
Note: You'll also need to establish a backup retention policy to remain compliant with these regulations. Maintaining a schedule of removal will likely require an automated backup solution
3. Catalogue Your Data
To catalog your data, you'll need to get together with the stakeholders familiar with your org to map out the data within your orgs. Below is a simple example. This catalog will be a precursor to a broader discussion with decision-makers in your company.
For example, a software company may store customer contact information, which they consider low sensitivity and use for sales, marketing, support, and billing
4. Make Decisions
You’ll need to involve company decision-makers to create the appropriate policies. Here are the questions to ask those decision-makers as you review the data catalog designed in step three.
- Should you even be storing so much historical data in the first place?
- Are there any restrictions on the retention period?
- In what scenario might you need to access the archived data?
- Who might need access to the data once it's archived?
- Is lead, prospect, or customer data covered under legal, regulatory, or other obligations?
- Do you need to keep the data?
- What about the related data?
5. Document Policies and Actions
After you decide how long to retain each object/record in step four, you’ll need to apply the documented policies. Your organization’s privacy policy or terms and conditions may drive a significant portion of this. Below are some straightforward examples.
Document a retention query/statement for each set of objects/records. Let’s revisit our software company example in step three. If you defined that customer contacts need to be archived four years after their last purchase, you’d need to create a query of your contact object/customer contacts where the previous purchase date was four years ago.
Access to archives depends on your business drivers. If you're keeping the data in an archive for regulatory or internal policy reasons, you should limit access to those who need it for regulatory or auditing purposes. For companies archiving to reduce storage costs or clutter, you may want users to have more access to the data. How you implement your data retention policy will depend on which business driver is essential to your organization.
6. Implement Your Policy
Now that you’ve documented specific policies for each set of objects/records, you can create the technical documentation that includes a process for executing the queries to delete/archive the records. The process specifics will depend significantly on the archiving tool you’re using. Implementing your data retention policy can turn into a significant project without the right archiving solution.
Customize data retention policies with Own Archive
Own Archive includes 99 years of retention and allows customers to create custom data retention policies that include specific data to be archived, how frequently data archiving activities occur, and how long archived data is retained. Once policies are configured, Archive removes specified records and attachments from production and securely stores immutable replicas to the cloud without changing the integrity of data relationships.
Contact us today to learn more about how Own Archive can help you create a more robust data retention policy.
