Understanding Data Retention Policies and Backup Strategies

Data is the lifeblood of every business, serving as the foundation for operations, compliance with regulations, and efficient resource management. Protecting this valuable asset is crucial for long-term success. Data retention policies play a vital role in defining how different types of data should be stored and for how long. In this article, we will explore the importance of backups in relation to data retention policies, the types of data that need to be retained, and examples of effective data retention strategies.

How Backups Work with a Data Retention Policy

A key aspect of data retention is maintaining backups that capture specific points in time. Traditionally, tape media was widely used for backup storage. Organizations would run periodic full backups to match the required retention periods and store these tapes as immutable weekly, monthly, and yearly backups until the retention period expired. However, with advancements in technology, disk-based backup storage has become more prevalent.

Modern backup software automates the process of retaining and archiving data. It follows the Grandfather-Father-Son (GFS) retention scheme, which strikes a balance between storage efficiency and meeting company or legal requirements. This scheme involves keeping weekly (son), monthly (father), and yearly (grandfather) backups for specified durations.

By using disk-based storage or sending backups to a cloud provider, organizations can conserve local storage space and ensure that a copy of the data is kept offsite, adhering to the 3-2-1 rule for backups. This approach provides worry-free, accessible data protection from any location.

Determining What Data to Keep and for How Long

The data retention requirements for your business depend on various factors, such as geographical location, industry regulations, and the nature of your operations. It’s essential to conduct a thorough analysis of your workloads, identify the value and types of data, and determine the appropriate retention policies for each.

For instance, in the medical profession, retention requirements differ by state and the type of healthcare facility. Adult and minor patient records may have different retention periods. Similarly, industries governed by regulations like FISMA, HIPAA, PCI, SOX, and GLBA have specific retention period requirements for different types of data.

To establish effective data retention policies, consider conducting a business impact analysis, consulting industry-specific regulations, and leveraging the expertise of solution architects or backup experts. This granular approach allows you to meet specific business needs without adopting a blanket retention policy.

Examples of Data Retention Policies

Once you have identified the types of data that require retention based on regulatory or business requirements, it’s time to configure your backup, deletion, or archival processes accordingly. Let’s consider an example of HR payroll systems and records with a seven-year retention policy.

Daily/Weekly Retention

• Perform daily backups and retain them for 31 days.
• Run full backups on Saturdays and use forward incremental backup jobs for the rest of the week.
• Apply GFS retention policies to the weekly backups, preventing deletion or modification.
• Automatically delete daily backups on the 32nd day, while retaining weekly backups until the 53rd rolling week.

Monthly Retention

• Assign a monthly GFS flag to the last weekly backup of each month.
• Create a new monthly backup for the 13th month, removing the earliest backup’s GFS flag and deleting it.

Yearly Retention

• Flag yearly full backups during the last full weekly backup of the year.
• Apply weekly, monthly, and yearly GFS flags to these backups, with the highest tier taking precedence.
• Maintain the yearly GFS flag in the file system, ensuring the retention of yearly backups.
• Remove the GFS flag after the eighth year, initiating the rolling flag removal process.

This example demonstrates a basic seven-year retention policy that automatically frees up storage space while preserving data for the required duration.

Best Practices for Backup Retention Policies

When establishing backup retention policies, consider the following best practices:

• Differentiate Data by Type: Tailor backup and retention settings based on the type of data, such as operating system files, databases, and user documents. Consider factors like recovery time objectives (RTOs) and recovery point objectives (RPOs) to determine the granularity of restore points.
• Differentiate Data by Lifecycle: Some data requires quick access, while others need to be stored for long-term compliance or archival purposes. Store frequently required backups locally for faster access and long-term archives in cloud storage using specialized tiers.
• Create Backup Plans: Define backup plans for different datasets based on the identified retention settings and policies. Specify the number of versions to store and the lifecycle policies for each dataset.
• Consider Industry Regulations: Familiarize yourself with industry-level regulations, such as FISMA, HIPAA, PCI, SOX, and GLBA, which dictate retention periods for different types of data. Ensure compliance with these regulations to avoid legal and financial consequences.
• Optimize Backup Chain: Balance the size of your backup chain by scheduling periodic full backups. Incremental backups within a reasonable size, typically 14 increments, help optimize storage utilization.
• Schedule Backups Strategically: Plan backup schedules to minimize impact on production systems. Schedule weekly backups during non-business hours or weekends to avoid bandwidth and I/O load issues. Use bandwidth throttling to optimize network usage for daily backups.

Remember, retention policies are not one-size-fits-all. Customize your policies based on your specific business needs, regulatory requirements, and available resources. Implementing best practices for retention and scheduling will help optimize storage utilization and minimize the impact on production systems. With careful planning and the right backup solution, businesses can confidently protect their data for the long term. Contact us to find out more about how Dataprise can help with your BCDR strategy.