Data has become a valuable resource for organizations across the world, and large amounts of data are being collected every day. At the same time, there has been an increase in, and greater emphasis on, the laws and regulations aimed at providing safeguards for the data collected. A tool that can be used to help manage data in accordance with these laws and regulations is a data retention policy. In addition, SOC 2 reports have become a standard way to demonstrate to customers that controls are in place to protect information and data. This blog post will provide an overview of the data retention policy and how it can be used to support criteria within a SOC 2 report.
What is a Data Retention Policy?
A data retention policy is the set of guidelines or protocols that a business follows in relation to data management. Specifically, it defines what types of data should be retained, how long the data should be retained and in what format, and the requirements and procedures to delete data when it is no longer needed.
Why Should I Have a Data Retention Policy?
The primary purpose of a data retention policy is to help an organization meet data retention requirements in accordance with laws, regulations, and contractual obligations. Often, these requirements can vary based on the business activities of the organization and the types of data collected. As such, a data retention policy helps organize these requirements and communicates a standard set of protocols to be used throughout the whole organization. In addition, a data retention policy can help organizations better manage their data thus providing more accessible data and reducing storage costs.
How Long Should Data Be Retained?
It depends. As noted previously, laws, regulations, and contractual obligations will drive the data retention period, and these can often be different. For simplicity, a data retention policy may take the highest retention period required and apply it across the board to all its data, but this could lead to increased storage costs and unnecessary procedures that are not technically required for certain types of data.
How Do You Create a Data Retention Policy?
There is no template for a data retention policy that will apply to all organizations since the data retention requirements will vary based on the types of data collected and the industry and business in which organizations operate. However, there are some key steps that should be taken as part of the creation or assessment of a data retention policy:
- Identify and Classify Data – Organizations first need to know what types of data they are collecting and for what purpose. All types of data and the various methods of collection (email, texts, customer input through online sites, etc.) should be considered. The data should then be classified into different categories since certain types of data are more sensitive or confidential than others and will require more stringent requirements. Categories might include public, private, protected health information (PHI), confidential, restricted, etc.
  - Learn about the differences between PII, PHI, and PCI here.
- Identify Requirements – To comply with retention requirements, it is important to identify and understand all the different laws, regulations, service commitments, and contractual obligations that are relevant to the organization. A sample of laws and regulations that might be applicable includes the following:
  - Health Insurance Portability and Accountability Act (HIPAA)
    - Learn more about HIPAA record retention requirements.
  - General Data Protection Regulation (GDPR)
    - Check out our GDPR Compliance Checklist.
  - Fair Labor Standards Act (FLSA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Sarbanes-Oxley (SOX)
  - Payment Card Industry Data Security Standard (PCI DSS)
    - Read more about PCI compliance here.
- Define the Retention Period – Once data and requirements have been identified, organizations need to set the retention period for the data identified. For an organization that does not collect a lot of data, or that has fewer requirements to meet, one standard retention period for the applicable data categories may be sufficient. In other cases, it may be best to have multiple retention periods that differ by data classification. Organizations may also decide to further subdivide data categories so that different retention periods can be used for specific data. The details of the retention period(s) and data classification should be documented in the data retention policy.
- Data Deletion – A key component of a data retention policy includes the procedures and requirements to delete data that is no longer needed or required to be retained. While it may seem like a good idea to hold on to as much data as possible for as long as possible, such a strategy comes with increased risk and potentially negative consequences. For example, more data can create more exposure in the event of a security breach (such as these HIPAA security breaches). Further, the data will need to be stored somewhere, likely increasing storage costs and using resources that may be needed elsewhere.
What are the Data Retention Requirements for a SOC 2?
While there are no specific data retention periods required for a SOC 2, there are some criteria that require the consideration of data retention for specific types of data. Specifically, the criteria related to confidentiality and one criterion within the privacy category address data retention. The AICPA 2017 Trust Services Criteria and related points of focus for the trust services category of confidentiality and P4.2 of privacy are as follows:
- “C1.1 – The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
  - Identifies Confidential Information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
  - Protects Confidential Information from Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
- C1.2 – The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
  - Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
  - Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.
- P4.2 – The entity retains personal information consistent with the entity’s objectives related to privacy.
  - Retains Personal Information — Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.
  - Protects Personal Information — Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.”
Based on the points of focus noted above, a data retention policy could be used to directly support the criteria related to confidentiality and criterion P4.2 of privacy. An organization including these criteria in its SOC 2 report will need to demonstrate that it has processes and procedures in place to classify, retain, and delete confidential and/or personal information.
A data retention policy is a tool that can be used to help manage data in accordance with laws, regulations, service commitments, and contractual obligations. There are certain criteria that do require organizations to evidence that procedures are in place to identify, classify, retain, and delete confidential and personal information. As such, while a documented data retention policy is not specifically required for a SOC 2, it can be used to support the controls and processes for certain criteria.
Linford & Company is an independent CPA firm that specializes in a variety of audit services, including SOC 1 and SOC 2 assessments. If you have questions about data retention policies or how to evidence your controls related to data retention or data deletion, please contact us.
Kevin has over ten years of experience in internal controls, audit, and advisory work. Kevin started his career in public accounting at Deloitte focusing on internal controls, SOC audits, and IT assurance work. After Deloitte, Kevin filled a leadership role in the SOX Compliance group at a financial services company. Kevin is a CPA and holds a Bachelor of Science degree in Accounting from Brigham Young University and a Master of Business Administration degree from Ohio University.