How to Manage Retention for Secure File Transfer


In 2020, everyone in the world collectively created 2.5 quintillion bytes of data every day. If the number is difficult to conceptualize, 2.5 quintillion is how many pennies it would take to cover the Earth five times.

Organizations have the daunting task of sorting, categorizing and purging data. If they do not make the right decisions, they can be fined for breaking government or industry regulations.

Keeping data indefinitely is not the answer for three reasons:

  1. Cost of Storage

    Whether organizations use cloud or on-premises storage, keeping data is not free. Employees need to justify the extra expense of keeping data – whether it is square footage in a server room, gigabytes in cloud storage, etc.

  2. Clutter

    The more data you have, the more difficult it is for employees to keep it organized and easily accessible. If documents need to be found for legal proceedings, there is more irrelevant data to sort through.

  3. Legal Compliance

    GDPR requires deletion of data when it is “no longer necessary in relation to the purpose for which it was originally collected/processed,” in addition to a few other circumstances.

How Long Should Data Be Retained?

As new regulations about data retention are made, organizations have more questions about it than ever. Here are some factors to consider when deciding how long to keep data.

Government Regulations

To comply with government regulations, consider where your employees, users and potential users reside.

It is in a company’s best interests to:

  • Follow the strictest data privacy regulations for all users, regardless of which country they live in
  • Implement changes before they are legally required to keep ahead of the curve
  • Anticipate future legislation and make plans to achieve the new standards

Industry Regulations

Industry regulations are sometimes closely tied to or overridden by government regulations. For example, HIPAA (Health Insurance Portability and Accountability Act) does not define required retention periods because each state defines them individually.

In contrast, PCI DSS (Payment Card Industry Data Security Standard) is not state-dependent; it requires that audit history be kept for one year and immediately available for three months.

Types of Data

Depending on their industry and customers, companies will have different data to organize. There are five types of business data:

  1. Business process data – Data that improves a company’s operations. For example, data about how long it takes for customers to pay invoices helps a company understand how long its business cycle is.
  2. Physical world observations – Data about the physical world. Delta Airlines uses radio frequency identification (RFID) chips in checked luggage to send customers real-time information about its location.
  3. Biological data – Data typically collected from biometric authentication. Any time a user unlocks a device by a facial scan, fingerprint, or voice, that application has biological data about them.
  4. Public data – Data on the Internet or otherwise publicly available.
  5. Personal data – Data about people (their age, gender, interests, etc.) that companies can use for ad targeting or to better understand their audience.

Value of Data

In addition to considering data types, companies should ask these questions to determine the value of their data:

  • Who uses this data?
  • What is this data used for?
  • How far back does someone go when referencing this data?

Business Cycles

Business-to-business companies may need to keep data longer than business-to-consumer companies because their customers are larger accounts with long-term agreements.

Disaster Recovery

After answering questions about the useful life and types of data, companies should consult their cybersecurity team to create backup and disaster recovery policies.

The Changing Legal Landscape

Once companies adhere to a data retention policy, they should continue to keep themselves informed about data privacy legislation. To comply with all regulations, companies should seek advice from their in-house legal team or an external advisor.

By including retention policies and encrypted cloud storage, Thru, our managed file transfer (MFT) solution, helps companies stay compliant. Retention options include keeping files in place, purging files immediately or sending files to an archival endpoint. You can also have different retention policies on different levels within our platform.
