Data Retention Versus Data Backups

Data can be as much of a problem as it is a benefit. Developing a comprehensive data management plan for your organization can help you avoid risk while harnessing the insights and efficiencies available to you through proper analysis and use of your data.

What is Data Retention?

Data retention is the process by which a business decides when it is the appropriate time to delete any given piece of information. Some data, such as corporate bylaws and legal documents, may need to be retained indefinitely. However, other data may need to be removed from business systems sooner for reasons of cost containment, limitation of liability and maintaining sane operations for your business.

Avoiding “data clutter” can be just as important as maintaining a comprehensive data set. Your business needs to consider this fact carefully when implementing a data retention policy.

Developing a proper data retention plan starts with an inventory of your corporate data sets, followed by defining appropriate categories for that data based on the earliest appropriate time that the data can be deleted. This process is a lengthy one and can often be seen as overly bureaucratic, but don’t be discouraged! Proper data management will prove to be a benefit in the long term both legally and operationally.

What are Data Backups?

The purpose of data backups is to prevent failures in your data retention plan. Commonly a data backup will be used to:

  • Restore a document which was accidentally or improperly deleted by an employee
  • Restore a document which was corrupted or damaged due to a hardware or software failure
  • Restore a document which was corrupted or stolen by a malicious party or hacker (e.g. ransomware)

Recovery Point Objective (RPO) – A schedule or retention cycle for backups indicating the points in time from which a document or piece of data may be recovered. (E.g. once per night, every night, for up to 30 days in the past.)

Recovery Time Objective (RTO) – Backup systems are usually designed for mass storage and not for operational performance; as such, recovering data from a backup set can take an extended amount of time. A Recovery Time Objective indicates how quickly a piece of data must be made available from a backup data set.

Risks

  • Retention – developing an effective data retention plan and implementing it faithfully is important in limiting your cost and risk in the case of legal discovery.
  • Backups – developing effective RTOs and RPOs will limit or prevent loss due to accidental deletion or ransomware.
  • Disaster Resilience – developing a plan to ensure a copy of your data is safely stored in a location where a disaster or other event cannot harm it.
  • Fidelity – how can you be assured that your data has not been tampered with?
  • Concurrency and Planning – many organizations struggle to maintain disparate data sets across their geographically separated offices and teams.

A Common Misconception

There is a common misconception that your data backup plan is also your data retention plan. This approach is not accurate and can lead to some very negative unintended consequences for your business.

Many times, when asked to define their data retention plan, an Office Manager, IT Manager or Business Owner will respond that “we take backups every night.” Sometimes they even tout extended retention of backup data for many years.

An improperly aligned data backup plan, which keeps backup data sets on extended retention for long periods of time, can increase your liability and cost in the event of a legal discovery action against your business. Even if you have deleted a record, if it still exists in your backup data sets, it is discoverable.

Moreover, if you do not define when it is the appropriate time to delete a document and carry out that policy accurately, you can be subject to fines and other legal penalties. You never want your business to be accused of holding a “shred party” prior to a legal action. You need to protect your business and reputation with an appropriate, well considered and fully implemented data retention plan.

Be careful! It is important to know that your longest RPO is also your shortest data retention period.

Defining a Data Retention and Data Backup Plan is neither an easy nor a trivial task for most businesses. However, it is an important step to take as you continue to grow your business and structure for the future.