Good afternoon / morning everyone!
I've also got a couple of discussions going on the LinkedIn forums but thought it would be a good idea to post here too.
I'm doing some research at the moment regarding data retention, specifically guidelines for UK companies and data backup, but a global perspective would be equally interesting. There's a wealth of regulations out there but everything is so vague and in many cases contradictory - e.g. Data Protection - keep certain personal data for minimum time possible vs perhaps certain FSA misconceptions that everything must be kept for 6 or 7 years.
The basics of data retention are fairly straightforward (e.g. keep x records for y years) but what seems to be confusing most companies we speak to is how many generations of data need to be kept? Are there any sensible guidelines that are based on more than guesswork?
I'm not a lawyer but I'm assuming the answer is "the more you keep the more you're protected in the event of litigation, providing you're not breaking any data protection / privacy laws in the process, so keep as much as you can afford to keep"? And by afford I don't just mean data storage costs but management of that data too - and that means everything from finding the right data when you need it through to ensuring the data can't have been tampered with - and proving it can't have been tampered with.
I'm really hoping I'm being incredibly naive and we're just missing something, but we can't be the first company to do some proper research into this? Every, and I mean every, company we speak to has a different interpretation of what they need to do when it comes to data backups or data retention in general, and we've seen some horrific examples of sheer stupidity from companies with no backups at all through to some who leave the same backup tape in their server forever and assume that's fine.
At the other end of the scale many organisations are getting immensely paranoid, and probably rightly so, about e-mail backup retention and their ability to roll back to a point in time 4 years ago to restore a critical individual e-mail, assuming it wasn't deleted before the nightly backup had run of course. Without careful observation of T's & C's this is even harder to control with cloud-based e-mail systems and people rarely ask the pertinent questions.