If you're a business leader drowning in a sea of information, the answer might be a resounding "no." Just like a cluttered closet, overflowing data can be transformed with the magic of data retention. Imagine a world where your data is organized, sparking joy and efficiency. OK... maybe just not a regulatory eyesore?
This blog series is your Marie Kondo for data retention, guiding you through the process of tidying up your data assets.
- Spark Joy: Identify the data that truly serves your business and discard the rest.
- Fold with Care: Organize your remaining data efficiently for easy access.
- Thank & Release: Learn the art of letting go of data that has outlived its purpose.
With our gentle guidance, you'll transform your data retention strategy from a chore to a life-changing experience. So, grab a cup of tea, take a deep breath, and let's embark on this journey of data decluttering together.
(Deep Breath) Let's Go...
To manage data retention policies, organizations must first identify the types of data they handle, classify the data, establish retention periods, implement the policy, monitor and enforce the policy, and review and update the policy as needed. Companies must collaborate and reach consensus on retention periods to maintain regulatory compliance, balance business needs, and minimize risks.
Prioritizing Data for Retention Policies - In This Order
To effectively prioritize data for retention policies, companies should evaluate each type of data based on its significance, legal requirements, and potential risks. By considering the following factors, organizations can determine appropriate retention periods for different data categories:
- Legal and regulatory requirements: Always prioritize data that is subject to specific laws and regulations, as failure to comply can result in fines or other penalties. For example, in the financial services industry, the Bank Secrecy Act (BSA) requires retaining records of certain transactions for five years, while the SEC requires broker-dealers to retain specific records for three to six years.
- Data criticality: Assess the importance of each type of data to the organization's core business processes, decision-making, and risk management. Prioritize data that is essential for operations, compliance, and strategic planning. For example, transaction records, customer data, and financial statements are typically critical for financial service firms.
- Data sensitivity: Prioritize data based on the potential harm that could result from a breach or unauthorized access. For instance, confidential data such as customer personal information or trade secrets should have more stringent retention policies to minimize risks associated with data exposure.
- Historical value: Determine if the data has long-term significance for historical analysis or as an organizational asset. Records of financial transactions, investment decisions, or market research might be valuable for future analysis and trend identification.
Using these factors, financial services firms can segment their data into different retention periods, such as:
- Short-term retention (e.g., 1-2 years): Data with limited value and no legal retention requirements, such as routine correspondence, drafts, or temporary files.
- Medium-term retention (e.g., 3-7 years): Data subject to industry-specific retention requirements, like SEC-regulated records, or data with potential future value, such as customer complaints and resolutions.
- Long-term retention (e.g., 10 years or more): Data with significant legal or historical value, such as corporate records, tax records, or documents related to mergers and acquisitions.
- Permanent retention: Data that must be retained indefinitely, such as articles of incorporation, board meeting minutes, or patents.
Detailed Steps To Get Started:
- Identify types of data: Begin by understanding the various types of data that the financial services firm deals with, such as customer information, transaction records, employee data, and financial statements.
- Classify data: Categorize the data based on its sensitivity, value, and regulatory requirements. Typical classifications may include public, internal, confidential, and restricted data.
- Establish retention periods: Companies must work together to agree on retention periods for each data classification. Factors to consider when determining retention periods include:
  a. Legal and regulatory requirements: Adhere to the various laws and regulations that govern the financial services industry, such as GDPR, HIPAA, or Sarbanes-Oxley, which may mandate specific retention periods for certain types of data.
  b. Business needs: Balance the operational requirements of the organization with data storage costs, retrieval times, and potential risks. Consider the usefulness of the data for decision-making and historical analysis.
  c. Risk management: Assess the risks associated with retaining data for too long or not long enough, including potential fines, litigation, reputation damage, or loss of intellectual property.
- Implement the policy: Develop and communicate the data retention policy across the organization, ensuring employees are aware of their responsibilities. Implement procedures and systems to automate data retention processes and ensure data is securely stored, archived, and eventually destroyed.
- Monitor and enforce the policy: Regularly monitor compliance with the data retention policy, and address any violations or deviations. Conduct audits to ensure proper adherence and to identify areas for improvement.
- Review and update the policy: Periodically review the data retention policy and make updates as necessary to account for changes in the regulatory environment, business needs, or industry best practices.
By prioritizing data and assigning appropriate retention periods, financial services firms can better manage their data retention policies while balancing regulatory compliance, business needs, and risk mitigation.
- Start with the highest priority data where retention is non-negotiable, such as a legal requirement to keep indefinitely.
- Finding and categorizing all the data is the hardest part of this entire process. It is usually a good idea to dual-path the creation of the policies along with a technical approach to unify data controls across the firm. Linear approaches of creating a data policy, then attempting to automate it, often get bogged down because policy documents are hard to encode into standard technology capabilities.
- The data itself is the unit to be managed. You will need a data definition for your firm and you will want to create an automated policy associated with the data, not the organization or stewards. Data can be defined at the element level or, more conveniently to start your program, as any data with a schema, or inferable schema.
- Consider creating one test of the entire process with one team. If automated data retention is new to your firm, select one group to test your process and the viability of your written standard. Typically, large firms have several data organizations, some more mature than others, which will make good candidates as early design partners inside your organization. You may want to add a few other criteria, such as groups that have multi-region tenants and different types of data such as batch and streaming. You can set up a rolling implementation process as you gather learnings from this test team.
- Align to the document retention terminology as much as possible and leverage that team’s roll-out and project management if possible.
- Senior leaders should keep this effort top of mind as highly strategic work. Since retention using automated classifications and policies is a first step in every firm's need to meet data obligations, leadership should treat it as strategic for the firm.