Global Trends In Context: International Long-Term Data Retention Regulations Discussed

Data retention compliance is challenging, regardless of the industry. Simplify and streamline your data management while improving regulation compliance

Data retention—sometimes also referred to as record retention—is the storing and maintaining of data and records for a certain time period to meet business, audit, and compliance requirements. From keeping accurate financial records and complying with regulations to disaster recovery and feeding analytic engines, businesses depend on sound data retention policies to function optimally.

Adhering to data retention policies demonstrates that your business handles data in accordance with industry standards and laws. Without data retention, your business risks storing too much (or too little) information for too long (or not long enough).

In this guide, we discuss the three main categories of data retention requirements: government regulations, international standards, and industry-specific regulations.

Why Is Data Retention Critical to Protecting Your Data?

Data retention is essential when protecting your company and your customer's interests. Enterprise data often include information that is highly valuable in the event of disputes; a comprehensive data retention structure can save your business noteworthy legal fees and time in the case of regulatory audit, tax concerns, staff issues, or consumer legal action.

Additionally, effective data retention strategies equip businesses to deliver improved customer service. Using archival data to generate reports enables trend identification and strategic development of business processes. Data retention is, therefore, not only about preserving records but also about establishing a resource for future planning.

With increased data privacy concerns globally, data regulations have become stricter and more complex. Although data laws vary internationally and across industries, baseline data retention guidelines require businesses to describe what data they collect, why they collect the data, identify where it is maintained, and state the retention term.

Government Regulations on Data Retention

Data retention laws vary vastly between nations—and even within them—to varying intensity. For example, due to the US’s federalized system, laws can vary from state to state. On the other hand, the European Union, as a supranational body, sets some of the most stringent data protocols in the world. The so-called “Brussels Effect”—in which EU regulations cause a ripple effect worldwide—can cause businesses based elsewhere to still play by EU rules. This highlights a key guideline regarding data retention: ensure you meet the standards of every country you operate in.

Let’s look at a handful of major players’ data retention regulations.

United States

Business operators should be cognizant of applicable federal and state laws such as the:

• Bank Secrecy Act (BSA)
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission Act (FTC Act)
• Fair Labor Standards Act (FLSA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Internal Revenue Service (IRS)

The Electronic Communication Transactional Records Act also requires service providers to retain all records for 90 days and present them if requested by a government entity.

Switzerland

Swiss data retention requirements are defined by several codes and ordinances. These include a Data Protection Act, Criminal Code, Value-Added Tax Act, and the Ordinance on Commercial Bookkeeping and Retention.

The data retention laws require that businesses (including dissolved companies) retain data for 10 years. There is a 20-year retention requirement for records related to immovable assets with VAT implications.

Mobile phone numbers, locations, and device identification details are some data that mobile operators need to retain for six months. Similarly, service providers must retain email data, including connection types, logins, user identification, email title, and IP addresses.

European Union

The EU GDPR (General Data Protection Regulation) focuses on destroying personal data after a consent period ends rather than a dictating a standard retention period. Data regulations pertain to all transactions made in the EU.

Institutions or businesses may not keep personal data that identifies an individual for longer than necessary for the initial purpose of collection. There are exceptions in the case of data retained for scientific, historical, or public interest purposes; anonymized data may also be retained indefinitely.

Details of information collected, used, or stored must be explicitly provided to the data subject. According to the GDPR, all organizations must also develop a data retention policy detailing their personal data management process. Violation fines max out at €20 million or 4% of global revenue, plus possible customer compensation for damages.

Australia

Data retention policies in Australia are largely geared toward telecommunications for the purpose of national security and criminal investigations. Australian regulations require mobile service providers to retain metadata for two years, including account holder information, communication type, duration, location, and telecom services.

Developing technology and changing business models resulted in telecom companies no longer retaining data long enough. The lack of data and inconsistent retention seriously hampered criminal investigations. New laws were therefore set into place in 2017 with grants available to assist eligible telecom service providers to meet data retention regulations.

International Standards for Data Retention

The ISO/IEC is a joint technical committee standardizing information and communications technology norms internationally. The regulation criteria across the following information and communications technology categories are critical in determining your data retention policy and strategies.

ISO/IEC 27040

The information security aspects of data storage systems and infrastructures have been neglected due to limited familiarity with the storage technology and a limited understanding of the inherent risks and basic security concepts. This standard provides detailed technical guidance on storage and security techniques to mitigate data breaches, configuration changes, theft, and other data abuses and thereby improve data retention protection.

ISO 9001

The ISO 9001 quality standard focuses on the maintenance and retention of documents and records. According to the standard, a document describes what needs to be done. Since this can change, documents are maintained. Records state what has been done. Since this cannot change, they are retained.

The standard defines requirements for controlling this information, including the type of data, document revision approvals, information distribution, and obsolete document handling.

ISO 17068:2017

This standard pertains to the trusted third-party repository (TTPR) for digital records. The requirements specify conditions for authorized data custody services to reliably safeguard digital records as a source of evidence during the retention periods of legal obligation. Regulations apply in both the public and private sectors.

ISO/IEC 27001

ISO/IEC 27001 focuses on information security management to specifically address cybersecurity challenges. It provides a framework for implementing an information security management system to ensure the confidentiality and integrity of all corporate data during the data retention period. This includes financial and employee information, intellectual property, and data managed by third parties.

The standard includes guidelines for organizations to:

• Improve resilience against cyber threats
• Provide a centrally managed data storage framework
• Respond to security threats
• Protect the confidentiality, availability, and integrity of data

While not obligatory, ISO/IEC standards certification greatly benefits organizations in streamlining data retention and management, as well as providing reassurance to clients that they meet certain data handling criteria.

Industry Regulations Concerning Data Retention

Industries have different data needs and therefore vary in how they collect and manage sensitive information. While a broad range of data handling guidelines applies to most industries, there are also data regulations very specifically applicable to financial, health, and pharmaceutical institutions.

Payment Card Industry Data Security Standard (PCI-DSS)

PCI Security Standards are technical and operational requirements to secure debit and credit cardholder data against data theft and fraud. The standards apply to any person or business that stores, processes, or transmits cardholder data. The PCI-DSS includes regulations for applications and devices used in transaction processing.

Audit logs, log management, and log retention are all key aspects of the standard requirements. Audit logs need to be retained for at least 12 months. Further best practices in maintaining compliance and securing the safety of stored data include firewall installations, end-to-end encryption, and anti-virus software, as well as strict access monitoring.

California Consumer Privacy Act (CCPA)

The CCPA concerns companies that do business in California. More specifically, it applies to those with gross annual revenue of $25 million or more, who process the personal information of 100,000+ California residents, or those for whom at least 50% of revenue comes from selling residents’ personal information.

The CCPA gives consumers control over information that businesses collect, including opting out of personal information sharing and deleting collected data. It also gives consumers a lawful right to know what information a business collects and limits the use of said collected information.

Sarbanes–Oxley Act (SOX)

SOX pertains to the recording and reporting corporate financial activities to prevent accounting scandals and investor financial losses. The law applies to any public company in the US.

SOX requires auditing and review document retention for seven years after the review or audit conclusion. In some cases, the law requires permanent record retention.

An internal data security system and control of financial records are key to maintaining accurate financial reporting. The law requires that an independent auditor verifies information accuracy, including confirmation of a company’s sound internal financial structure.

Health Insurance Portability and Accountability Act (HIPAA)

This act does not pertain exclusively to medical records, also establishing data retention regulations for various other HIPAA-related documents related to covered entities and business associates. It’s important that, even if you do not deal in medical records specifically, you check whether any data you capture may fall under HIPAA jurisdiction.

HIPAA regulations require covered entities and business associates to maintain the specified documentation for a minimum of six years. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) may request documents at any time during a covered entity or business associate audit.

Record Maintenance in the Food and Beverage Industry (FDA)

Depending on where in the supply chain food and beverage businesses operate, they may legally need to record, maintain, and retain documentation proving appropriate industry practices. Documentation may relate to:

• Manufacturing
• Processing
• Handling and packing
• Distribution and holding
• Receipt and suppliers
• Buyers
• Internal activities

These records facilitate traceability should irregularities and food safety concerns surface.

Document Retention in the Pharmaceutical Industry

Pharmaceutical companies legally need to maintain and retain documentation pertaining to the manufacturing, processing, packing, internal activities, distribution, and buyers of every batch. This enables batch tracking in the case of any irregularities.

These batch production, control, and distribution records must be retained for at least one year after the batch expiration date. The data retention period for over-the-counter (OTC) drugs lacking expiration dates is three years after the batch distribution.

The suggested retention period for clinical trials and demonstration batches is the life cycle plus one year. The life cycle refers to the entire process from user requirements and design to realization, qualification, and maintenance. Training records must be retained for seven years.

Simplify Data Retention Compliance With SOLIX

Maintaining data retention compliance can be challenging, no matter what industry you are in. But having the right data management solution can significantly improve compliance and data accessibility.

SOLIXCloud is a multi-cloud platform that collects, manages, and governs enterprise data retention. The platform is secure, compliant, and cost-effective; with automated role-based controls, you can restrict data access to authorized parties—and make data available to relevant employees and legal professionals from anywhere at any time.

Get in touch today to find out how you can simplify and streamline your data management—while saving costs and improving data retention regulation compliance.