Tons of data goes into the cloud or SaaS platforms like Salesforce every day. Often, this data is most relevant right after it enters your system. For example, when people or systems create new leads or support cases, your sales or service team follows up immediately. However, over time data has an expiration date, after which it becomes less valuable to your business. You may need to delete data from your production environment, or eventually, from your archives.
With thousands of records entering and leaving your Salesforce platform every day, it’s critical to have an official data retention policy documented.
Most companies don’t have a data retention policy. Instead, they keep ALL data, making it more likely that they’ll:
So where do you start? Your data retention policy should look holistically at all of the data entering your Salesforce instance. Pay attention to what kind of data you're retaining, the data’s sensitivity level, and regulations that may specify the minimum or maximum retention periods. After categorizing each object, you'll need to define when to reduce access to that data by deleting it entirely and when to move the data to your archives. Let's dive deeper into each step of the process.
1. Identify Key Stakeholders
Before defining and implementing your data retention policy, make sure you identify and communicate with people in the impacted departments.
Even though compliance, risk, legal, and accounting are often in charge of data retention policies, these policies could also impact Salesforce users across the organization, including the data management team, customer service, sales, etc. Read more about specific use cases here or watch the video above.
2. Determine Applicable Regulations
Specific local, state, federal, international, or industry-imposed regulations, such as GPDR, CCPA, HIPAA, and SEC 17a-4, have data retention requirements. Hopefully, your compliance, risk, and legal departments have already set retention policies for sensitive data that align with the applicable rules. Double-check with each of these departments to ensure your Salesforce platform complies to avoid civil, criminal, or financial penalties.
Note: You'll also need to establish a Salesforce backup retention policy to remain compliant with these regulations. Maintaining a schedule of removal will likely require an automated backup solution.
3. Catalogue Your Data
To catalog your data, you'll need to get together with the stakeholders familiar with your Salesforce org to map out the data within your orgs. Below is a simple example. This catalog will be a precursor to a broader discussion with decision-makers in your company.
For example, a software company may store customer contact information, which they consider low sensitivity and use for sales, marketing, support, and billing.
4. Make Decisions
You’ll need to involve company decision-makers to create the appropriate policies. Here are the questions to ask those decision-makers as you review the Salesforce data catalog designed in step 3.
5. Document Policies and Actions
Document a retention query/statement for each set of objects/records. Let’s revisit our software company example in step 3. If you defined that customer contacts need to be archived four years after their last purchase, you’d need to create a query of your contact object/customer contacts where the previous purchase date was four years ago.
Access to archives depends on your business drivers. If you're keeping the data in an archive for regulatory or internal policy reasons, you should limit access to those who need it for regulatory or auditing purposes. For companies archiving to reduce storage costs or clutter, you may want users to have more access to the data. How you implement your data retention policy will depend on which business driver is essential to your organization.
6. Implement Your Policy
Now that you’ve documented specific policies for each set of objects/records, you can create the technical documentation that includes a process for executing the queries to delete/archive the records from Salesforce. The process specifics will depend significantly on the archiving tool you’re using. Implementing your Salesforce data retention policy can turn into a significant project without the right archiving solution.Available archiving for Salesforce are as follows.
Manual archiving: In that case, you'll need to send calendar invites out to the right people to remind them to log in to Salesforce periodically to execute these queries and ensure that the data is either being deleted altogether or deleted from production and moved to a lower tier. During this process, your data may be insecure, especially without encryption in transit and at rest. You'll also need some communication with stakeholders to know who to contact if they need access to archived data.
Build your own in-house archiving solution: Depending on your requirements and development resources, building your own archiving solution poses many technical challenges. Creating a custom solution that exists within and interfaces with Salesforce will require continuous maintenance and enhancement. Salesforce has three major releases per year and frequently updates API specifications. Again, your data may be insecure with a manual archiving strategy, especially without encryption in transit and at rest.
OwnBackup Archiver: As a Salesforce AppExchange partner, OwnBackup Archiver can you time, money, and development resources. With a complete archiving solution, your Admins can quickly setup archiving policies, allowing your company to free up storage and stay in compliance easily. OwnBackup’s pre-built Archiver solution meets all of an organization’s functional, technical, security, and compliance requirements out-of-the-box.