Imagine for a moment that you have three doors in front of you containing the data your clients have backed up. Behind door number one lies a complicated clutter of data, various files, and unidentifiable information. Behind door number two you have a data desert, with little or no available information. Finally, behind door number three is a perfectly organized system of saving exactly what is needed and disposing of what isn’t. I’m guessing if you had the choice, you’d probably choose door number three, but unfortunately most businesses get stuck with doors one and two.
The challenge surrounding data retention today is that most businesses don’t have appropriate archiving and retention policies in place. As an MSP, this means you can be your clients' strategic advisor and help them understand exactly what their retention requirements are for various business needs and data types. Get started, and use these tips to help ensure your clients’ data is secure, replicated and accessible when needed.
When establishing data retention policies for your clients, here are some key points you should consider. Remember that not all data is created equal – the first step in establishing appropriate retention policies for your clients is to determine which data actually needs to be archived, and for how long.
Step 1: Classification
To strike a balance between what’s optimal for your clients’ business needs vs. cost effectiveness, ask these questions before classifying or deleting data.
- Is the information in question critical for the clients’ business operations?
- Would the information be considered a permanent document of any kind?
- Is the data considered proprietary intellectual property?
- Is the data required for fulfilling any business service level agreements (SLAs)?
- Does the data reflect current, legitimate and useful business information or needs?
Data that fits none of these criteria may be suitable for deletion.
Most data is retained for twelve months, with a very small percentage needing to be retained beyond that period. Assess value and risk before deleting anything, and take cost and storage requirements into account when choosing what else to keep. There should be no arbitrary or ambiguous data – everything must be accounted for.
Step 2: Compliance
There is a hierarchy to follow when determining which data must be stored. Ensure data retention policies align with any of the following compliance or regulatory restrictions:
- Regulatory compliance: whether it’s HIPAA, FINRA, PCI, or other regulatory concerns, know your customers’ verticals, and know the law. What data must be kept (and for how long) can vary significantly from one industry to the next.
- Legal concerns: retain any and all data that could be subject to legal discovery or would be needed in legal action should it arise.
Step 3: Deletion
Once you’ve identified data that no longer serves any useful purpose, there’s more to do than simply emptying the desktop recycle bin. Set expiration dates for ALL client data when establishing retention policies (unless it is designated to be retained in perpetuity). When data has exceeded the retention limits, it should be deleted immediately.
Finally, retained data must be accessible. Choose a fast, searchable archival method for accessing data, and determine which frequently used data (if any) should be kept “live” outside of archival applications.