NovaBACKUP Security Blog

Data Retention Best Practices

Data grows at an astronomical rate and, if not properly managed, can cost your company a hefty price in storage, management, and liability. Understanding what type of data you are collecting, how frequently it is accessed, and how long you must keep it are the basic elements of knowledge required to develop a data retention strategy for your business. Data that contains private customer information (such as PHI) may require special treatment when it comes to retention. And while data protection laws often dictate what data must be kept and for how long, they also often require businesses to remove specific data (retention data) after a certain period of time. These basic housekeeping steps, which establish both legal requirements and practical business needs, form the foundation of your data retention strategy.
Preparatory steps:

  1. Classify your data into types
  2. Determine what data is private / contains personally-identifying information
  3. Understand your legal requirements (HIPAA, PCI DSS, GDPR, CCPA, FERPA, etc.)

What is Data Retention?

Data retention refers to your company's policy regarding how long retention data will be stored and/or archived, and when it will be removed once no longer required, in order to meet legal, operational, and regulatory compliance obligations.

Today, it is important for organizations to remember not to store data longer than required. According to an Information Systems Audit and Control Association (ISACA) Journal article written by Lorrie Luellig, J.D., and Jake Frazier from IBM, “A lack of insight into what information needs to be kept has led many organizations to accumulate mountains of electronically generated debris in the form of excess applications, servers, storage and backup tapes that no longer have any utility.”

69% of Data Collected Has Little or No Value

According to a recent IDC report, the amount of data stored globally is doubling every four years and is expected to reach 8.9 ZB by 2024. Yet a surprisingly small percentage of this data is considered business critical. The exponential growth of data collection has created a problem, as the vast majority of data (dubbed "dark data") sits unused. It is generally unseen by users because it may be unstructured and disorganized, and it creates unnecessary costs in resources that could be better spent in more important areas. In a survey of corporate CIOs and general counsels conducted at the Compliance, Governance and Oversight Council (CGOC) summit [1], it was found that 69 percent of all the data collected and maintained by most organizations had no business, legal, or regulatory value at all.

While regulatory compliance is often cited as the reason for dark data, the truth is that an overabundance of dark data may be caused by data mismanagement, poor communication, or a data-hoarding mindset. Dark data also represents risks beyond unnecessary costs. With new data regulations appearing (GDPR, CCPA, etc.), removing specific data over time is also necessary to maintain compliance.

Implementing Data Retention Best Practices

So it's time to get a handle on this "dark data". Understanding what your organization is working with, through mapping and classification of your retention data, is the first step. Classifying the data that you are collecting is a matter of law (GDPR). It's wise to compare the legal regulations that you are required to uphold so that you understand their similarities and differences. Your classified data sets can then be assigned a risk level, and, once you have identified your minimal requirements, a policy for this data can be created.

Data Retention Schedule

To identify irrelevant data and purge redundant data, you must have a data retention strategy. It's time to define what retention data will be kept, for how long, and at what point it will be removed. This policy directly affects your backup jobs and must be supported by the features of your backup solution.

  • Assemble your Data Retention Team
  • Determine and Communicate Your Policy
  • Revisit the Policy Regularly for Changes

NovaBACKUP makes it easy to implement your data retention policy through our backup software solutions. You can set up a custom data retention schedule so that only necessary backup data is stored. As every business is different, the flexibility to fine-tune the schedule is important. You can select how many valid backups to keep and for how long, and which types of backups you wish to retain (file backups, image backups, incremental and differential backups). A few good rules of thumb regarding your data retention include:

  • Keep your policy as simple and easily explainable as possible
  • Cater your policy to legal regulatory requirements
  • Keep personal customer data for no longer than necessary
  • Move critical data to fast, accessible storage
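The schedule above boils down to rules a backup catalogue can enforce mechanically: keep a fixed number of verified backups within a maximum age, by type, and expire the rest. The following is an added illustration of such a pruner, written for this post and not NovaBACKUP's own code; it models a backup catalogue as a list of records, treats a full backup and the incrementals/differentials built on it as one chain so that a retained incremental never loses its base, and excludes backups that failed verification from the count of "valid" copies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Backup:
    id: str
    kind: str                   # "full", "incremental" or "differential"
    taken: datetime
    valid: bool                 # passed post-backup verification
    base: Optional[str] = None  # id of the full that a non-full backup depends on

def plan_retention(backups, now, keep_chains, max_age_days):
    """Return (keep, delete) sets of backup ids.

    Hypothetical retention model: a chain is a full backup plus every backup
    built on it. Chains are retained or expired as a unit. A chain is a
    candidate only if its full verified OK and its newest valid member is
    younger than max_age_days; the newest keep_chains candidates are kept.
    """
    cutoff = now - timedelta(days=max_age_days)
    fulls = {b.id: b for b in backups if b.kind == "full"}
    members = {fid: [f] for fid, f in fulls.items()}
    for b in backups:
        if b.kind != "full" and b.base in members:
            members[b.base].append(b)

    def newest(fid):  # timestamp of the chain's newest restorable member
        return max(m.taken for m in members[fid] if m.valid)

    candidates = [fid for fid, f in fulls.items() if f.valid and newest(fid) >= cutoff]
    candidates.sort(key=newest, reverse=True)
    keep = set()
    for fid in candidates[:keep_chains]:
        keep.update(m.id for m in members[fid] if m.valid)  # invalid members are unrestorable
    delete = {b.id for b in backups} - keep   # stale chains, failed backups, orphans
    return keep, delete

NOW = datetime(2024, 6, 1)
SAMPLE = [  # constructed sample catalogue, not real backup data
    Backup("F0", "full", datetime(2023, 10, 1), True),
    Backup("F1", "full", datetime(2024, 1, 1), True),
    Backup("I1", "incremental", datetime(2024, 5, 28), True, base="F1"),
    Backup("F2", "full", datetime(2024, 3, 1), True),
    Backup("F3", "full", datetime(2024, 4, 15), False),
    Backup("D3", "differential", datetime(2024, 4, 20), True, base="F3"),
    Backup("F4", "full", datetime(2024, 5, 20), True),
    Backup("I4", "incremental", datetime(2024, 5, 30), True, base="F4"),
]

if __name__ == "__main__":
    keep, delete = plan_retention(SAMPLE, NOW, keep_chains=2, max_age_days=90)
    print("keep:", sorted(keep), "delete:", sorted(delete))
```

Note that the old full F1 survives a 90-day window because a recent incremental still depends on it, while the differential D3 is dropped because its base failed verification and could never be restored.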

To defend against cyber threats like ransomware, multiple copies of data are often required. NovaBACKUP's data retention functionality gives backup administrators direct control over what backup data is retained and for how long. You can meet your business, financial, legal, and regulatory needs for data retention with fast, efficient software and a few good policies. Speak to one of our backup experts today for assistance with your data retention strategy.


[1] Lorrie Luellig, J.D., and Jake Frazier, J.D. "A COBIT Approach to Regulatory Compliance and Defensible Disposal." ISACA Journal, Volume 5, 2013. Web. 26 Sep. 2014.