In our previous two parts of this series, we examined the history of data retention policies and the business and legal requirements that dictate what underlying issues you face when developing your data retention policy.

In part two, we took a look at the challenges that different industries face when considering what data to maintain and for how long. And even though each company has different requirements, the common thread to every data retention policy is that your data is everywhere . Encompassing all of it may be nearly impossible and while this checklist is not exhaustive, it’s a great foundation to any data retention policy. Paired with an advanced data backup system, you’ll rest easy knowing your critical information is safe and easily recoverable.

In this final installment, we provide a data retention policy checklist

To get started, assess what you have. Your business has many types of data that you will want to consider within your data retention policy:data-retention-policy3

  • Financial data
  • Databases
  • Email
  • Documents
  • Pictures / videos
  • Production data
  • System state information

Furthermore, the location of the data must be considered. You may actually create a different DRP for each one, depending on what you keep where.

  • Servers – what is stored on your server?
  • Databases –what is stored there and how do the legal and business requirements dictate what you need to maintain and for how long?
  • Desktops – do you need to backup files that are saved on desktops? And if so, how long do you need them? Typically desktop files are not retained as long as server data.
  • Email – The content of the data must be evaluated
  • What is in your emails? Many companies may feel that email is unimportant to core business, but others may use email as an integral part of their order processing or customer service functions. Take the case of a freight forwarder for example, where almost every email has a document attached with key business information. That freight forwarder’s exchange server is, therefore, huge and critically important to back up. In this case, the freight forwarder may have customers that contact them years later looking for items that were to be forwarded to a particular location. For them, email is imperative to backup. Your business may have a similar communications issue.
  • Recovery – how will your business recover its data from a potential problem or data loss? How long can you survive without your data before your business practice will be impacted? Take a reality check of your data retention policy and ask:
    • Would it provide the necessary recovery?
    • Would it restore in the time frame and as you needed? Test it!

Frequency – Is there a danger of data loss, do you need to backup your data more frequently than once per day, and how long do you keep your data?

– An example of the frequency of a retention policy would be:

    • Retain every daily backup for 10 days
    • Retain every weekly backup for 6 weeks
    • Retain every monthly backup for 14 months
    • Retain every year-end backup for 7 years

Evaluating the soundness of your data retention policy begins with asking your executive staff, is this right, is it sufficient, and is it cost effective? There is a balance you’ll need to achieve between cost to maintain data and the legal requirements that your company is subject to. Furthermore, brainstorm the “what-if’s” scenarios and determine what data would be needed to recover properly:

  • What if we had a partial data loss of data such as a server failure
  • What if we had a complete data loss such as a premises disaster
  • What if we had widespread corruption of data from a virus
  • What if we suffered a data loss from deliberate sabotage
  • What if we accidentally destroyed important data
  • What if we need to go back in time for data for:
    • A tax audit
    • A labor law compliance audit
    • A product liability lawsuit
    • An employment practices claim
    • An employee tort such as a sexual harassment claim

Finally, on your checklist, make sure there are no “islands of data” outside the policy –

  • Laptops
  • Desktops
  • Remote offices

There is no one size fits all for a data retention policy. Each company has its unique needs, cost parameters and legal requirements that will dictate what is essential and mandatory to maintain the business in the event of a disaster or data loss. Start with the checklist above and add to it to fit your individual business and legal requirements.

Related Data Retention posts: