What is a data retention policy?

What is data retention?

Data retention is a process of storing and managing data for a certain period of time. Let’s say you bought a pair of sneakers online. The seller has your name, email, home address, telephone number, purchase history, and login credentials. They can retain that information for a long time after your purchase. And while this data might seem trivial, if it leaked online it could be enough for hackers to launch a social engineering or phishing attack against you.

In 2020, a startling 37 billion records were exposed online, compared to 15 billion in 2019. A big chunk of breached records ended up for sale on the dark web. Stolen databases are very popular among criminals and you can expect to pay anything from a couple of bucks to thousands of dollars for a single database.

A data breach is a nightmare for any company, as it can cause revenue losses, a damaged reputation, and hefty fines.

Data retention policies define how customer data should be managed and which records should be kept. And yet many companies fail to protect users’ data or store it properly.

How long data should be stored?

According to GDPR (General Data Protection Regulation), a regulation in the EU on data protection, data should be kept “no longer than necessary”. Since it doesn’t specify a retention period, companies can interpret GDPR however they like.

Many data breaches contain old records that should’ve been deleted years ago. Since people don’t change their telephone number and address frequently, 10-year old data can still be useful to hackers.

Under HIPAA (Health Insurance Portability and Accountability Act), healthcare-related documents in the US can be kept for six years after their creation. If a document was created in 2021, it could be stored until 2027.

Tips on creating a good data retention policy

1. Prioritize the data. Divide the data into separate categories and decide which data type is important and which should be deleted immediately.
2. Get familiar with data retention laws. Before creating your own policy, get familiar with local laws, and learn which regulations apply to your company.
3. Review the policy. It’s a good idea to review your data retention policies occasionally and adapt them to the new situation. If some data categories are no longer relevant, get rid of them, and update your policy.
4. Implement security measures. Many organizations still fail to store sensitive data securely. That’s why it’s important to have a specific team member who’s responsible for cybersecurity strategy and can take ownership in this area.
5. Inform the employees. Every employee should know how to store the data properly and should understand the consequences of failing to comply with regulations.

How data retention puts your privacy at risk

When a company stores your data, you have to depend on their ability to keep it safe. Even tech giants like Facebook fail to protect their users’ data and frequently suffer breaches. What threats does your data face?

• Untrustworthy employees. Not all employees are conscientious and some of them might try to snoop on your private data and use this knowledge to commit fraud. You can never know who has access to your data and what their intentions are.
• Intelligence agencies. While the FBI, NSA, and other well-known government agencies work on protecting the society from criminals, their intentions have been questioned many times. Spying on people has become a new norm and the revelations of Edward Snowden proved how sophisticated those processes are. Can you trust tech companies not to share your data with the authorities?
• Unsecured databases. Sometimes hackers don’t need to try very hard to steal the personal details of millions of users. Many companies store passwords in plain text and forget to adequately secure their databases.
• Data brokers. Data brokerage companies collect and buy your data. They are data hoarders who compile huge databases and sell them to third-parties. Use a service like Incogni to remove your personal from data brokers. Your ISP (Internet Service Provider) probably has the most extensive information on your digital habits, as it probably logs your browsing activities, location history, and search queries.

How to enhance your privacy

It’s impossible to avoid sharing your information with companies if you want to use their services, but you can still act smart. Never share more information than you need to, dedicate a separate email to creating accounts, and don’t duplicate the same password.

It’s hard to find a person whose details have never been exposed in a data breach. Want to know if you’ve been pwned? You can check the Have I been pwned website and see for yourself.

One of the best tools to enhance your privacy is a VPN. It encrypts your internet traffic and hides your IP address, so nobody can snoop on your browsing data. NordVPN has more than 5200 servers in 59 countries, designed to address your security needs.

The NordVPN app is easy to navigate, so you can connect to the fastest server available with one click. With a single account, you can protect up to six different devices: laptops, smartphones, tablets, routers, and more.