Many entries in this blog talk about spring cleaning, updating, and even archiving your website. But what about the data behind your website? You know, the behind-the-scenes data that keeps your site humming: customer information, sales records, marketing data, finances, and more. How long should you keep that stuff? And what about other types of information, such as paper documents?
Most medium- and large-size companies have a “data retention strategy” that lays out how long data and documents should be kept around. Smaller entities should consider such a strategy as well.
Why Data Archiving
There are several good reasons to develop and execute a data archiving strategy.
- Regulatory and tax requirements: Certain industries are subject to more stringent governmental regulations than others, and some regulations require that certain company data be retained for a number of years. For example, the U.S. Food and Drug Administration requires that medical device manufacturers keep design history information on each device that is sold, in case there is a problem that needs to be investigated. Various tax authorities may want to audit your financial records and require that you keep them for a certain period.
- Limiting legal liability: You might be thinking, “Why not just keep everything forever?” One word: Lawsuits. In a lawsuit, the attorneys for each party have the right to request and inspect the other party’s documents and records, and typically, little or nothing is off-limits. The more data you have, the more likely it is that an opponent’s attorneys will find something damaging to your case, even if it is (in your eyes) tangentially related. If you have a documented retention strategy in which you destroy old data periodically, you limit this potential. (Pro tip: The time to define and execute your data retention strategy is before you get sued, not when the attorneys are knocking on your door.)
- Security: The less data you have on hand, the less there is for hackers to steal.
- Storage space and system performance: There’s a reason that many banks limit access to customer account records online, typically for the last 12-18 months. More than that, and they would need tons more storage space available to serve the data. With all that data to search through, website performance would suffer. If you have an e-commerce site, there is usually little reason to keep customer order data available online for more than a year or two. Keep your data storage clean and lean, and your customers won’t have to wait forever for your site to respond.
Essential Elements of a Data Retention Strategy
Because different types of data may need to be retained for different periods of time, a data retention strategy usually starts by defining the different categories of data that are relevant. Is it customer data? Customer data with credit card or other sensitive information? Other financial data? Intellectual property data?
Once you have defined the types of data, you can designate a retention period for each one. For types of data whose retention periods are not defined by a law or regulation, the choice is up to you, but you should consult your accountant and attorney for specific advice.
Here are some more tips on developing and executing a data retention strategy.
- Put it in writing: Even if you’re a one-person shop, you should make a written policy of your data retention strategy, to show nosey attorneys and auditors that you don’t just destroy records willy-nilly.
- Make exceptions for active legal actions: If you’re in a lawsuit, you’ll need to keep the relevant documents and records around longer.
- Set a deadline for destroying old data: For many companies, data destruction is a year-end activity. You can follow this pattern, do it some other time of the year, or do it multiple times per year.
- Have to keep it but don’t have space? There are numerous providers who will securely store electronic and physical records off-premises. In many cases, retained data has to be “available,” meaning you can get hold of it at some point, not that it needs to be at your fingertips at all times. Off-site storage is also an important part of any business continuity and disaster recovery plan.
Perhaps the most important tip: Actually do it. Set a calendar reminder to actually go through your documents and records and get rid of the ones that meet the criteria for destruction. This can be tedious or frustrating (especially if you aren’t particularly organized), but your retention strategy is useless if you don’t have the discipline to carry it out. The first time is probably the worst, especially if you’ve been in business a long time. But once you’re past that hurdle and can keep your records organized, the periodic destruction exercise can be a snap.