Data Retention With FileCloud

 

FileCloud retention policies deliver control and compliance for the files and their folder groupings in the Cloud. Retention policies allow administrators to automate some processing related to protecting data and help secure digital content for compliance and enhancing the management of digital content for other internal reasons.

FileCloud retention policies are created and attached to stored files and folders. These special policies allow administrators to define the conditions that enforce a set of restrictions on how each file or folder can be manipulated.

What is Data Retention?

Data Retention is a form of records management, with individuals maintaining specific files for established periods of time. It’s intended to provide protection for both the public and the private sector. By keeping information on hand, quick responses to legal or security questions are possible.

Why is it important for organizations?

Organizations are taking a broader view of data retention programs because they realize the programs can have a major impact on data security and on meeting customer (and government) expectations about privacy. Privacy has become a “hot” issue on two fronts. Governments, particularly in the European Union, have been raising the bar both for protecting customer data and for requiring that it be erased on demand. Customers have also become more sensitive about these issues. They are increasingly likely to look at privacy policies and security as reasons to do business with your organization – or with your competitors.

Today, organizations need well-designed programs and policies not only to deal with regulations mandating that specific document types be held for set periods but also to address critical privacy issues and to reduce the cost of potential data breaches.

  • Data protection is an integral part of data retention and security measures must be applied across the entire information management life cycle.
  • There are legal, security, and other risks associated with retaining files that aren’t needed.
  • Privacy concerns, especially like the GDPR, are imposing significant changes because now customers can trigger data deletion processes.
  • Many companies ignore the factors that should trigger data deletion and rely on ineffective deletion technologies
  • Every company needs a data retention team, ideally, lead by a full-time or part-time DPO (Data Protection Officer)
  • A data retention policy needs to define how data is going to be classified, how data will be retained and protected, when and how data will be deleted and the roles and responsibilities of the team members.
  • Automated tools and processes are essential for providing consistent, reliable enforcement of data retention and data erasure policies.
  • Organizations can accelerate the upgrading of their data retention programs by using third party advisors and technology partners

Retention in Various Industries

Each industry is unique and therefore each industry’s retention requirements are just as unique. Be it Finance, Health, Insurance, Human Resources every industry is forced to retain certain records for a particular time period.

For Example – The insurance field expands the HIPAA guidelines, with companies forced to keep detailed records of every procedure. Policies established by the Federal Register include the following:

  • Appraisals, safety records, and inspection reports: 6 years
  • Expired policies: 10 years after the termination date
  • Insurance claims: 10 years after the termination date
  • Transferred records: 6 years
  • Receivership records: 6 years
  • Inherited records: 6 years

How to build a Data Retention Program and Enforce Policy?

Every organization needs a data retention team or task force with the regulatory, business, and technical knowledge to weigh the factors appropriately, to build them into concrete policies, and to monitor and enforce those policies.

Some organizations have recognized this by designating a Data Protection Officer (DPO). The responsibilities of the DPO can include:

  • Managing the data retention team
  • Ensuring that the organization stays abreast of legal and regulatory developments, privacy requirements, and relevant business issues
  • Keeping policy development on track and arbitrating disagreements between different viewpoints
  • Monitoring and reporting on policy enforcement
  • Serving as a point of contact on data retention issues for employees, business partners, and government and regulatory agencies

 

Obviously, data retention policies will vary across different industries and sizes of businesses, but there are certain elements that should always be included.

Define the scope of the policy

The policy should always include a statement about its purpose and scope. It should describe the business reasons for the policy and list the major legal, regulatory, and business requirements, including laws and standards that must be met. It should also specify the people affected by the policy (who may include third parties as well as employees) and the IT systems and equipment covered.

Classify the data

Good intentions degenerate into hard work at the point when you have to classify documents and files into categories for retention and erasure. The next steps are to determine which documents and files fall into the “should be saved,” “should be erased,”  and to decide on retention and erasure rules for them. The team must weigh the possible future business value of the information against the risk of fines and costs that would result from a data breach

Specify how data will be retained and protected

Outline the policies and procedures for retaining and protecting data. This includes:

  • Retention periods for each data category
  • Policies for protecting files during each phase of their life cycle.
  • Steps for handling files at the end of the required retention period; should they be erased automatically, reclassified into another category

Monitor and report

It is important to monitor and report on data retention and erasure activities, both to satisfy auditors and regulators and to collect data to improve these activities. The information collected and reported should include details including:

  • The classification category of each file, the reason for selecting its category, and the retention period
  • Where retained files were stored initially, and were
  • moved over time
  • When files were erased, the method used, and the reason for erasure
  • Who performed or authorized each action
  • Exceptions and failures to apply policies

Data Retention using FileCloud

you can create Retention policies to automate some of the processing related to protecting files and their folder groupings. This policy-based automation is designed to help secure digital content for compliance, but it can also enhance the management of digital content for other business reasons.

  • Retention policies are created and attached to files and folders.
  • These special policies allow you to define the conditions that enforce a set of restrictions on how each file or folder can be manipulated.
  • For example, you can create a Retention Policy that disables a user’s ability to delete any of the files and folders named in the policy.

For example, administrators can create a Retention Policy that disables a user’s ability to delete or edit any of the files and folders named in the policy. To resolve the issue of conflicting policies, FileCloud ranks retention policies by what best protects and retains the digital content.

How Retention Policies Work 

A retention policy is a name that can apply to any of these types of policies:

  • Admin Hold
  • Legal Hold
  • Archival
  • Retention
  • Trash Retention

Retention policy types allow you to:

  1. Block specific actions on files and folders
  2. Specify what happens when the policy expires

Create a Type of Retention Policy

There are five different types of retention policies that can be configured and assigned.

1. Admin Hold – 
  • Prevents any update or delete of digital content for an indefinite period of time
  • Admin Hold policies applied to folders can be removed
  • Admin policies applied to files can be removed

An Admin hold only blocks user access, it does not block other policies from expiring. However, if an Admin Hold is in place, any other policies will expire gracefully without completing any move or delete expiry options.

  • For Admin Holds, a policy expiration date cannot be set
  • The policy can only be removed by an administrator
  • Since the policy does not expire on a specific date, there are no automatic actions on the expiration

To create an Admin Hold Policy:

  1.  Log in to the Admin Portal.
  2. From the left navigation pane, select Retention.
  3. On the Manage Retention Policies screen, click the Add Policy button.

 

4. Completely fill out the Policy Attributes section.

5. The Path and the Metadata tabs allow you to define the conditions that specify how the policy will be applied in the system.

 

6. An administrative hold is designed to help an administrator block access to files and folders so that they can determine what should happen next.

  • For Admin Holds, a policy expiration date cannot be set
  • The policy can only be removed by an administrator
  • Since the policy does not expire on a specific date, there are no automatic actions on the expiration

 

2.  legal hold

A Legal Hold is designed to retain data, therefore, there is no deletion or move option available when this policy is in effect. Legal Holds cannot be removed once applied unless an expiration fixed date is set.

  1.  Log in to the Admin Portal.
  2. From the left navigation pane, select Retention.
  3. On the Manage Retention Policies screen, click the Add Policy button.

4.  Completely fill out the Policy Attributes section.

5. The Path and the Metadata tabs allow you to define the conditions that specify how the policy will be applied in the system.

6.  Legal holds can expire in either a Fixed Date or be set to Indefinite.

 

3. Retention

A Retention policy allows an organization to identify specific content that is required to be stored for a specific period of time before it can be accessed. During the retention period, the content cannot be deleted.

Retention policies cannot be removed once applied unless an expiration fixed date is set.

4. Create an Archival Policy

An Archival policy type is designed to help you create more cost-effective systems for the long term.

Therefore, you can create a policy to move and store old organizational content in the following ways:

  • If you choose No Action, you will see an error that it is not supported and you will not be able to create the policy
  • After the specified time period is reached, content gets moved to a specific folder or location (Archive)
6. Create a Trash Retention Policy

A Trash Retention policy is designed to help you control if files in the Trash Bin can be permanently deleted off the FileCloud Server system.

If files in the Trash Bin are permanently deleted off the FileCloud Server system, they cannot be recovered

 

FileCloud retention policies allow administrators to automate some of the processing related to protecting files and their folder groupings. This policy-based automation is designed to help secure digital content for compliance, but it can also enhance the management of digital content for other internal reasons. These retention policies are helpful against legal actions, trademark issues, patent infringement, employee lawsuits, and consumer complaints. There are many such legal risks businesses face.

Without the right systems within your cloud solution to discover and essentially preserve the sensitive content, the time and costs spent on litigation and handle legal cases can quickly spiral out of control. FileCloud retention policies are created and attached to stored files and folders. These special policies allow administrators to define the conditions that enforce a set of restrictions on how each file or folder can be manipulated.