
Professional organizer Marie Kondo might say, "The best way to choose what to keep and what to throw away is to ask yourself, 'Does this spark joy?'" She goes on to recommend that people keep items that do and dispose of those that don't. While this approach may be suitable for tidying up the storage room, managing organizational data retention requires a more comprehensive set of recommendations.
Organizations need a structured strategy. Data is a crucial business asset, tied to responsibilities around security, privacy, usefulness, and compliance. Each file, record, or dataset presents risks if it is mishandled, lost, or kept beyond its required retention period.
Purposeful Data Retention Requires Considering Multiple Factors:
- Security: Ensuring sensitive data is protected from cyber threats, accidental leaks, or unauthorized access
- Privacy: Meeting obligations under laws like GDPR, CCPA, and other data protection regulations
- Usefulness: Determining if the data is still needed to support operations, analytics, or reporting
- Compliance Requirements: Understanding how long specific types of records must be kept to satisfy legal, financial, or industry mandates
“Applying specific policies and governance around data helps ensure that the valuable data entrusted to organizations is protected for as long as necessary, yet it is not kept unnecessarily,” said Heath Kath, Lead Solutions Engineer, Fortra MFT. “Not only can this retention consideration exercise reduce your risk exposure, it can also help simplify sometimes ominous audit and compliance processes. Going through the process can also help support operational efficiency by having established guardrails in place around data retention,” added Kath.
Here are some broad recommendations for your overall data management process:
1. Build Data Retention into Your Security Strategy
Incorporate these data retention best practices as part of your overall data management process to ensure data is protected throughout its lifecycle. By defining what data to keep, archive, or purge, you not only improve your security posture but also help minimize risks tied to mishandling or cybercrime.
2. Use Managed File Transfer as Your Baseline for Data Protection
Managed File Transfer (MFT) platforms can provide built-in safeguards for data such as encryption, monitoring, and auditing of all file movements. MFT also centralizes file transfers across an organization and can apply data management policies to reduce the risks of files being shared outside of your control.
3. Keep Volume of Data Retained in Check
Data is often an organization’s most valuable asset. As such, it is also highly prized by cyber thieves. According to Statista, an incredible 402.74 terabytes of data are created each day, and the amount of data generated annually has grown year-over-year since 2010.
Data is inevitable and pervasive, but hanging onto too much of this tempting data in your own organization increases your exposure. How do you start paring down? Ask yourself:
- Is this data still relevant?
- Does it contain sensitive information?
- How long should it really live in our systems?
4. Don’t Let Data Archives Become a Liability
Many organizations archive their data indefinitely. But “forever” isn’t a realistic or secure retention strategy. Remember: once a file has served its purpose, retaining it only adds risk if your systems are ever breached, because there is simply more of the “good stuff” for an attacker to grab.
After all, all data carries risk, and when you no longer need it, you should delete it. The less data at hand, the lower your security risk. To assist with the proper protocols, NIST offers recommendations on how to handle data deletion and destruction based on sensitivity. It’s also wise to review details about the data lifecycle.
Part of this strategy should also include establishing a cadence for purging old files. You could set a rule of 30 days from “last access,” under which any data not accessed within that window is archived and/or encrypted — even better, stored off site. And proactively create and follow data categories (sensitive, confidential, public, etc.) to help make firm decisions on what stays and what goes.
5. Classify Before You Retain
Before any retention policy can be meaningfully applied, organizations must understand exactly what types of data they have. Classification is the process of tagging or categorizing data based on attributes such as:
- Sensitivity (e.g., personally identifiable information, financial records)
- Compliance obligations (e.g., HIPAA, GDPR, PCI DSS)
- Business value (e.g., strategic plans, customer insights)
By classifying data, you can help ensure that retention policies are targeted and appropriate and avoid under-retention (which risks non-compliance) and over-retention (which increases storage costs and security risks).
6. Layer Security for Extra Defense
MFT already provides encryption and audit logging, but adding more layers makes retention safer:
- Web application firewalls (WAF) to block injection or DoS (Denial of Service) attacks
- Antivirus engines to filter inbound content
- Proactive security via Threat Brain, a built-in feature in GoAnywhere that continuously checks the reputation of connecting IP addresses and blocks known-bad ones before they enter the environment
- DLP (Data Loss Prevention) tools with Secure ICAP Gateways to protect data flowing outward
- Digital rights management (DRM) for granular control of hypersensitive files
7. Formalize a Data Retention Policy
A practical, enforceable policy helps ensure that there is consistency across the organization. Start by:
- Meeting with compliance and business stakeholders
- Outlining types of data that should be retained, retention periods, and disposal procedures
- Setting role-based access controls with least privilege principles
8. Use MFT Workflows to Automate Retention
MFT automation, such as in GoAnywhere MFT, can create schedules and file and folder monitors that respond to triggers, supporting periodic checks against data retention schedules. With a classification tool applied, a workflow could, for example, detect that data in a folder is older than a year and notify the data owner about the retention policy before purging it.
With GoAnywhere MFT, you can also pre-build complex, multi-step advanced workflows to:
- Retain files only as long as compliance requires
- Notify data owners when files exceed retention limits
- Trigger deletion or secure archiving automatically
- Automate deletion or archival schedules to remove human error from the equation
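The two age-based rules described above (archive after 30 days without access, and notify the owner before purging data older than the retention period) can be expressed as a single retention sweep. The following is an added illustration, not GoAnywhere code; the per-classification retention periods, the 30-day notification window, and the sample file records are constructed assumptions, and unclassified files are deliberately held rather than purged, in line with “classify before you retain.”

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values: archive after 30 days without access; purge when a file
# exceeds its classification's retention period; warn the owner 30 days before purge.
ARCHIVE_AFTER = timedelta(days=30)
NOTIFY_BEFORE = timedelta(days=30)
RETENTION = {
    "public": timedelta(days=365),
    "confidential": timedelta(days=3 * 365),
    "sensitive": timedelta(days=7 * 365),
}

@dataclass
class FileRecord:
    path: str
    owner: str
    classification: str
    created: datetime
    last_access: datetime

def decide(rec: FileRecord, now: datetime) -> str:
    """Return one action: 'hold', 'purge', 'notify', 'archive' or 'keep'."""
    limit = RETENTION.get(rec.classification)
    if limit is None:
        return "hold"            # unclassified: never purge, flag for classification
    age = now - rec.created
    if age >= limit:
        return "purge"
    if age >= limit - NOTIFY_BEFORE:
        return "notify"          # owner is warned before the purge date arrives
    if now - rec.last_access >= ARCHIVE_AFTER:
        return "archive"         # stale but still within retention: archive/encrypt
    return "keep"

def sweep(records: list, now: datetime) -> dict:
    """Group file paths by action so a workflow can act on each group."""
    plan = {"hold": [], "purge": [], "notify": [], "archive": [], "keep": []}
    for rec in records:
        plan[decide(rec, now)].append(rec.path)
    return plan

# Constructed sample inventory, as a classification tool might supply it.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    FileRecord("report.pdf", "alice", "public", NOW - timedelta(days=400), NOW - timedelta(days=10)),
    FileRecord("plan.docx", "bob", "public", NOW - timedelta(days=350), NOW - timedelta(days=2)),
    FileRecord("notes.txt", "carol", "confidential", NOW - timedelta(days=100), NOW - timedelta(days=45)),
    FileRecord("live.csv", "dave", "confidential", NOW - timedelta(days=5), NOW - timedelta(days=1)),
    FileRecord("mystery.bin", "erin", "", NOW - timedelta(days=900), NOW - timedelta(days=900)),
]
```

Running `sweep(SAMPLE, NOW)` yields a plan whose `purge`, `notify` and `archive` groups can be fed to the corresponding MFT workflow steps, while the `hold` group is routed back for classification.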
9. Archive Securely, Delete Thoroughly
Not all archives are created equal. Best practices include:
- One-way storage that prevents unauthorized reading
- Encryption (PGP/GPG) before archiving, with keys stored outside the MFT platform
- Key vaulting and advanced workflow integration for highest security
And when it’s time to delete, use a secure deletion method that removes the data at the operating system level rather than a “regular” deletion, which only unlinks the file and can be recovered with some effort.
For the highest level of assurance, physical destruction of the disks the data is written on is also an option.
With these recommendations, Kondo’s wisdom still applies to data retention policies, but with a twist: don’t just ask if data sparks joy (data rarely does). Instead, ask if it still serves a purpose, or if keeping it puts your organization at risk.
GoAnywhere Can Help Manage Data Retention — Learn How!
Protecting sensitive data is not just about how you transfer it, but how you decide what to keep and what to let go. With layered security, classification, and automated retention policies, you can reduce risks and focus on data that truly adds business value.