What is a data retention policy?
A data retention policy outlines the processes an organization uses to store the information it collects, governs when the company disposes of that information, and documents what kinds of information are collected. This policy should be based on the official regulations with which the organization is meant to comply. A simplified version of this policy should be made available for customers and partners to read.
Why is it a good idea to document a data retention policy?
Government regulations around digital privacy, such as the European Union’s GDPR and California’s CCPA, have created additional compliance requirements for businesses collecting digital data. This has placed issues of data collection and retention at the top of customers’ minds as well. Customers are increasingly aware that their data is collected by the entities they do business with, and that this data is held by those entities and may be used for certain purposes.
To encourage and promote a relationship of trust with customers, provide easy access to your data retention policy on your website and upon request. The customer can read the policy and make an informed decision about whether to do business with you, as well as provide feedback and voice their concerns. Company employees should be aware of the policy and use its guidance to inform how they handle entrusted data to avoid potential problems including legal action.
What should a data retention policy include?
A data retention policy should include at least the following points:
- What type of data is collected (files, usernames, birthdates, etc.)?
- What is the scope of collection (whose data is stored and when)?
- Where is this data stored? Is data being backed up regularly?
- For how long is the stored data retained?
- When and how is the data destroyed? How are deletion requests handled?
Best Practices for maintaining a data retention policy
A data retention policy will likely be required to comply with regulations. However, it is also a good educational tool. You can supply employees with the policy to outline their responsibilities with customer data. Customers can read a version of your policy, which eases their concerns over data privacy and illustrates your commitment to their security.
There should be an internal version of the policy with more details for employees to follow. In particular, the long-form internal policy should specify who (specific employees, contractors, or vendors) can access what data, according to the principle of least privilege. There should also be an external version intended for customers, where they can quickly get a grasp of the important details. Test your employees on their knowledge of their responsibilities toward customer data to ensure that everyone understands what is necessary to comply with regulations and meet needs.
Stay up-to-date on new technologies and regulations to ensure your data privacy policy reflects these changes. For example, one emerging customer concern is the use of their data for training AI tools. Making sure you are clear with your customers and employees about how your customer data may or may not be used for scraping is an important consideration. As new technologies and innovations develop, the landscape of data retention may change with them and require auditing the policy.
To learn more about data retention and business data backup best practices, review our other glossary terms that describe the evolving ecosystem of data resiliency.
© 2024 CrashPlan® All rights reserved.