Data Archiving

Should it Stay or Should it Go? Salesforce Data Retention for Regulatory Compliance

Matthew Hutchison
VP Product Marketing
June 4, 2020

Whether it’s from a form on your website, via an integration, at an event, or from a legacy system, a ton of data goes into Salesforce every day. In fact, 3 million sales opportunities and 3.2 million leads are created in Sales Cloud every day.

This data, not surprisingly, is most relevant right after it enters Salesforce. For example, when new leads, contacts, or support cases are added to Salesforce, you typically follow up on them right away. As time goes on though, this data becomes less and less valuable. For Salesforce admins dealing with data storage limits and slow load times, records that aren’t used for day-to-day operations are prime candidates for deletion. 

However, when it comes to managing Salesforce data, there’s more to consider than just storage space and system productivity. Regulations require companies to retain data for a certain amount of time, which varies based on the regulation.

Let’s take a closer look at the various regulations and their specific data retention requirements, as well as a way to simplify your data retention policy management strategy in Salesforce. 

Which Regulations Have Data Retention Requirements?

Organizations, and specifically CIOs, CISOs, and General Counsel, are being challenged to keep up with an ever-growing list of geographic and industry regulations. This often involves how they manage company data that is no longer actively used and rules for governing how long data must be retained. 

At present, over 80 countries have relevant governance rules in place. While some industry regulations such as SEC 17a-4, HIPAA, and CFR Part 11 require that data be retained and accessible for extended periods of time, other regulations like GDPR and CCPA require companies to do just the opposite.

CCPA and GDPR don’t place specific time limits on data retention, but do recommend minimizing the amount of data retained to what’s absolutely necessary. To help determine whether data should be retained, companies should ask themselves the following questions:

  1. Are we under any regulatory requirements, such as SEC or HIPAA, that require a specified period of time for data retention?
  2. Do we have a specific legal or contractual reason for keeping the data?
  3. Was the data collected for specified, explicit, and legitimate purposes?
  4. Are we only keeping data that is adequate, relevant, and necessary to perform the service?
  5. Is the data being kept longer than is necessary, for example, longer than the length of the contract?
  6. Is the data processed in a manner that ensures appropriate security?

If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the data is being retained. To keep this data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing the data.

Creating Your Salesforce Data Retention Policies

While regulatory requirements may not always be clear as glass, one thing is: This fluid environment highlights the need for customized data retention policies within your backups, as well as your live Salesforce environment. 


Configure customized retention in your backup solution.

Once you have determined the minimum amount of time your business processes require the data, consider how to ensure your backup solution is able to meet your customized retention policies.

You can use OwnBackup to find where personal data is located throughout your backup and which attachments it may also be within. Whether you determine that you need to keep data for three days, three months, or three years, OwnBackup allows your admins the flexibility to implement a customized retention schedule.

OwnBackup not only allows its customers to meet their complex, customized retention periods; we are also data partners with them in fulfilling their regulatory obligations. OwnBackup helps its customers meet Data Subject rights, such as Right to Rectification, Right to Erasure, and Right to Data Portability, as they apply to personal data within backups.


OwnBackup Archiver simplifies data retention with robust archiving policies.

Now that you’ve set up a retention policy within your backups, what about data in your live environment that’s no longer needed on a day-to-day basis? That’s where OwnBackup Archiver comes in. 

With Archiver, it’s easy to define, automate, and manage custom data retention policies that include specific data to be archived, how frequently data archiving activities occur, and how long archived data is retained. Once policies are configured, Archiver removes specified records and attachments from production and securely stores immutable replicas to the cloud without changing the integrity of data relationships.

These automations are especially valuable for complying with regulations like GDPR and CCPA. Instead of having to remember to delete individual records one by one, Archiver allows admins to schedule bulk deletion of data that is no longer needed after a certain period of time.

Watch this short video below to see how easy it is to set up a custom retention policy in Archiver.

© Copyright 2021 OwnBackup.