Data is THE foundation of every business in some form. Protecting that data is key to maintaining operations, being compliant with laws and regulations, or simply making efficient use of resources long-term. Depending on the type of business and data you have, different requirements may exist to define what types of data must/should be kept and for how long. Data retention policies exist for this reason and have changed over time as technologies for data protection and archival improve.
It is important to note that data retention can also refer to how long personal information from using electronic communications is retained and what is done with that information (such as GDPR), but this article focuses on long-term retention of data for business continuity or regulatory purposes.
The article includes:
How do backups work with a data retention policy?
The basic principle for retaining and archiving data is to keep data from specific points in time for longer than other versions–usually weekly, monthly, and yearly. When tape media was the prevalent method for backup storage, a common practice was to run full backups periodically to match those point-in-time requirements and then set those tapes aside to serve as immutable weekly, monthly, and yearly backups until the retention period expired. The tapes were returned to the rotation and overwritten. While many versions of rotations exist, primarily to make the best use of the available media, one of the most commonly used practices is GFS, or grandfather-father-son retention. The idea behind these policies is to reduce storage or media usage by not storing data for too long, which can be expensive while maintaining enough data retention to meet company or legal requirements.
With disk-based backup storage, it is crucial to preserve available disk space. GFS can help with this by specifying how long the weekly (son), monthly (father), and yearly (grandfather) backups are kept. Modern backup software will do all of this automatically once configured and will keep each type for the specified amount of time before either permanently archiving or deleting them. Another method for archiving data is to send the data to a cloud backup provider, providing for worry-free, yet accessible from any location, data protection. In addition to preserving local storage space, sending backups to a cloud provider satisfies the 3-2-1 rule for backups, getting a copy of the data offsite.
What data do I need to keep and for how long?
There is no quick answer to this question. How long you should keep data depends upon where your business operates, financial or governmental requirements, and the nature of your business. As a general practice of cloud data management, you should identify locations of all workloads, define the value and types of data with a business impact analysis, and determine the retention policies for each. Since these retention policies can be granularly specified in your data protection software, it is possible to meet specific business needs without a blanket approach.
For example, if you are in the medical profession, retention requirements differ by state and also by whether you are a doctor’s office or a hospital, and are specific to adults and minors https://www.healthit.gov/sites/default/files/appa7-1.pdf
The Code of Federal Regulations contains retention requirements for records you may reference if needed.
Examples of Data Retention Policies
Once you determine the types of retention required based on your business or federal regulations, it is time to configure the backup, deletion, or archival of documents based on these requirements. The most common method of long-term retention is through backups. Here, we will look at a simple, fictitious example of HR payroll systems and records which will be kept for 7 years.
- Retention: Daily – 31, Weekly – 52.
o Full backups run on Saturdays, with forward incremental backup jobs running daily. GFS retention policies flag the weekly backup as a “weekly”, preventing deletion or modification.
o Daily backups automatically deleted on a rolling basis on the 32nd day. Since the weekly backups are flagged as GFS, they will be untouched until the 53rd rolling week. After the 52nd week, the GFS flag is removed, and normal retention actions return.
- Retention: 12
o Since weekly full backups run on Saturdays, the last weekly backup of the month is also assigned a monthly GFS flag. For month 13, the earliest backup’s GFS flag is moved, and the backup is deleted while a new, monthly backup is created.
- Retention: 7
o Yearly full backups are flagged as such during the last full weekly backup of the year. They will contain weekly, monthly, and yearly GFS flags, with the highest tier applying first. The file system will only recognize the yearly GFS flag. The rolling flag removal applies again in year 8.
This is a basic example of a seven-year retention that will keep data for a minimum period and automatically free space on backup storage.