I did a Google search on "data retention" compliance today and I got 225,000 hits. I noticed that there was a peak of interest in tying data retention policy to compliance and regulatory requirements in mid-2004 to 2005, driven by vendors like Sun and Microsoft. Since then the activity has petered out.
Back in 2004-5, industry consultants were recommending projects to analyze data retention in light of legal and regulatory compliance requirements at the level of individual data elements.
Since data classification projects are so complex and expensive, most organizations have apparently decided to pass on the challenge.
Data retention under regulation is a challenge because of contradictory regulatory requirements and the sheer quantity of data elements in the hundreds of databases that a typical organization owns. On one hand, industry regulation such as PCI DSS 1.1 and the UK Data Protection Act mandate not storing payment card data and limiting retention of customer data. On the other hand, anti-money laundering legislation mandates storing the money trail.
However - on a deeper level, it turns out that data retention is not the key issue for compliance.
If you're a merchant or processor of VISA / Mastercard credit cards, simply don't store credit card and magnetic stripe data - that's a pretty simple data retention policy.
If you're a banking institution and need to comply with Anti-terror and anti-money laundering you will have 4 strategic objectives:
a. Know your customer, including the source of their wealth;
b. Cooperate with law enforcement and supervisory agencies;
c. Communicate anti-money laundering policies and procedures through employee training;
d. Perform continuous money laundering risk assessment across the enterprise using Practical Threat Analysis.
NONE of these strategic objectives includes data retention.
Since data retention is not a key issue, you'll be better off working on your strategic AML objectives.
