Organizations must implement a data retention policy to protect sensitive information from threats and to maintain sufficient oversight of data storage. Following data retention policy best practices will help you manage data processing, transmission, and storage effectively while staying protected from cybersecurity risks. Read on to learn more.
Industry-Use Cases of Data Retention Policy Best Practices
Data retention policy best practices will strengthen your data security in the short and long term. However, they vary by industry and regulatory requirements and must be implemented accordingly. To effectively mitigate threats to the sensitive data you handle, it is critical to fully understand which data retention policy requirements apply to your organization.
Below, we’ll explore best practices that pertain to:
- Data retention policy implementation in healthcare
- Data retention management when processing card payments
- Data retention safeguards for protected categories of personal data
Adopting data retention policy best practices will help you avoid risks of unnecessary storage, especially when you optimize them in partnership with a trusted security program advisor.
Implementation of a Data Retention Policy Under HIPAA
Compliance with industry-specific regulatory frameworks will help you implement a data retention policy that best meets your security and business needs. For organizations in and adjacent to healthcare, compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) helps safeguard protected health information (PHI) at rest and in transit.
HIPAA comprises four primary Rules, namely:
- Privacy Rule – Under the Privacy Rule, PHI is categorized as a type of sensitive data. The Privacy Rule stipulates safeguards regarding the proper uses and disclosure of PHI wherever it is collected, processed, transmitted, or stored.
- Security Rule – When it comes to protecting electronic PHI (ePHI) from data security risks, the Security Rule outlines three types of safeguards:
  - Administrative safeguards oversee the management of cybersecurity infrastructure.
  - Technical safeguards guide the implementation of security controls across assets.
  - Physical safeguards manage the protection of physical sites containing ePHI.
- Breach Notification Rule – Should a data breach compromise the PHI you handle, you must report the instance to all affected parties and the Secretary of Health and Human Services (HHS), based on the stipulations of the Breach Notification Rule.
- Enforcement Rule – Per the Enforcement Rule, any HIPAA non-compliance issues that affect the privacy of PHI, including potential criminal violations, are handled by the Office for Civil Rights (OCR) and, in some cases, the Department of Justice (DOJ).
When it comes to data retention, HIPAA Security Standard § 164.316 requires PHI to be stored for a minimum of six years from the date it was created or was last in effect, whichever is later.
However, the data retention requirements stipulated by state law may vary from those of Standard § 164.316. Therefore, HIPAA-covered entities and their business associates must determine which data retention policy best practices to follow based on their respective states’ specific data retention requirements. For example, as of 2022, Florida mandates PHI retention for seven years, whereas Nevada requires PHI retention for a minimum of five years.
Documents containing PHI that is past its retention period must also be carefully and securely destroyed via shredding, burning, or other appropriate means, so that the PHI cannot be reconstructed if it falls into the hands of a perpetrator. This rule applies across all locations.
Data Retention Management with the PCI DSS
When organizations process card payments involving cardholder data (CHD), they must comply with the Payment Card Industry (PCI) Data Security Standards (DSS) to keep the CHD safe.
Data retention policy best practices are especially critical for organizations that process large amounts of CHD. For example, retail, financial services, education, or healthcare organizations may be subject to PCI DSS compliance based on the card payment transactions they process.
Unlike HIPAA, the PCI DSS framework stipulates more stringent data retention requirements and can function as an industry standard for developing data retention policy best practices. Specifically, PCI DSS Requirement 3 mandates that organizations minimize the storage of sensitive CHD, ideally storing it only when there is a pressing business need.
If there is a need to store CHD, use the following data retention policy best practices:
- Data processing at all locations that store CHD must be governed by a PCI data retention policy.
- Any sensitive authentication data (SAD) used to authorize card payment transactions must also be subject to a PCI data retention policy.
- Retention of CHD must only occur in fulfillment of specific business, legal, or regulatory requirements.
- Once its retention period ends, data must be securely deleted or destroyed beyond recovery.
- Processes must be in place to securely delete CHD stored past its defined retention period and to ensure it cannot be recovered.
Most importantly, you must identify all possible locations of assets that contain sensitive CHD within your IT infrastructure. Once you locate these CHD environments, you must ensure they are within the scope of (and effectively governed by) your PCI data retention policy.
Data Retention Best Practices under the EU GDPR
The European Union (EU) General Data Protection Regulation (GDPR) safeguards data privacy rights of EU Member State citizens. Any organization that handles EU citizens’ personal data must comply with the GDPR provisions to ensure these data remain protected at all times.
If you are required to comply with the GDPR, Article 5 stipulates data retention policy best practices that can help safeguard the privacy of the personal data you process. One way to limit the amount of data subject to your GDPR-compliant data retention policy is to avoid collecting data unless you absolutely need it, similar to the business-need requirement for CHD storage described above.
Safeguards that you should incorporate into a GDPR corporate data retention policy include:
- Data should be stored in a form that limits the identification of data subjects once a defined retention period has passed.
- Data can be stored for longer periods if there is a justified need to use it for:
  - Activities of public interest
  - Scientific or historical research
  - Statistical purposes
- Data should be secured at all stages of processing from threats such as:
  - Unlawful or unauthorized processing
  - Accidental loss through destruction or damage
Compliance with GDPR data retention requirements will help you protect the privacy rights of data subjects and avoid the costly fines and penalties of non-compliance. You will also mitigate data breaches that can result in significant financial, legal, and reputational consequences.
Optimizing Your Corporate Data Retention Policy
It is worth noting that many of the data retention controls listed in the above regulatory frameworks have been developed and standardized to address common data retention risks.
Some of these controls may apply to your organization, while others will not.
Additionally, each organization faces unique risks that may require ongoing optimization to reach desired effectiveness. The most effective way to develop a corporate data retention policy is in partnership with a security program advisor. The controls recommended by regulatory frameworks should serve as baseline data safeguards for data retention. By developing robust data retention best practices, you will be well-positioned to meet your specific security needs.
Streamline Data Retention Policy Implementation
As part of its security program, every organization that handles sensitive data must implement data retention policy best practices to consistently keep that data safe. Our team of security program advisors will help you develop safeguards to protect any data you store from data breaches, ensuring you are supported regardless of your industry, location, or business needs.
Contact RSI Security today to learn more about optimizing your data retention policy!