Data Retention

Data Retention refers to the policies and practices that organizations follow to store, manage, and maintain data for a specific period of time. This is done to comply with legal, regulatory, operational, or historical requirements. After the retention period expires, data is either archived, deleted, or destroyed securely to ensure privacy and prevent misuse.


Data Lifecycle

Stage 1: Data Creation

Data is generated through various activities such as customer interactions, transactions, or system operations.

Key Actions:

  • Identify the source of data.
  • Ensure data accuracy and relevance.
  • Classify data based on sensitivity (e.g., public, confidential).

Examples: Customer forms, sensor data, transaction logs.


Stage 2: Data Storage

Data is stored securely in databases, servers, or cloud systems.

Key Actions:

  • Encrypt data to ensure security.
  • Implement access controls to restrict unauthorized access.
  • Use reliable storage systems to prevent data loss.

Examples: Cloud storage (AWS, Google Cloud), on-premise servers.



Stage 3: Data Usage

Data is actively used for business operations, analytics, or decision-making.

Key Actions:

  • Analyze data for insights.
  • Share data with authorized personnel or systems.
  • Monitor data usage to prevent misuse.

Examples: Business reports, customer analytics, machine learning models.


Stage 4: Data Sharing

Data is shared with internal or external stakeholders as needed.

Key Actions:

  • Ensure data is shared securely (e.g., encrypted emails, secure APIs).
  • Obtain consent for sharing sensitive data.
  • Comply with data protection laws (e.g., GDPR, Digital Security Act).

Examples: Sharing reports with partners, sending data to regulators.


Stage 5: Data Archiving

Data that is no longer actively used but must be retained is moved to long-term storage.

Key Actions:

  • Transfer data to secure, low-cost storage solutions.
  • Maintain metadata for easy retrieval.
  • Ensure archived data remains accessible for audits or legal purposes.

Examples: Archived financial records, historical customer data.


Stage 6: Data Deletion/Destruction

At the end of the retention period, data is permanently deleted or destroyed to prevent misuse.

Key Actions:

  • Use secure deletion methods (e.g., digital wiping, physical shredding).
  • Document the deletion process for compliance.
  • Ensure no backups or copies remain.

Examples: Deleting expired customer records, shredding old documents.


Stage 7: Compliance and Audit

Regular audits are conducted to ensure compliance with data retention policies and regulations.

Key Actions:

  • Conduct internal and external audits.
  • Maintain logs of data retention and deletion activities.
  • Address any non-compliance issues promptly.

Examples: GDPR compliance audits, internal data policy reviews.


Importance of Data Retention

  • Legal Compliance: Avoid penalties for non-compliance with laws.
  • Operational Efficiency: Manage data storage costs and resources effectively.
  • Data Security: Protect sensitive information from breaches or misuse.
  • Historical Records: Maintain records for future reference or audits.


Data Retention Period

In Bangladesh, data retention periods are governed by various national laws and regulations, as well as international standards where applicable. Below is an overview of the data retention requirements under relevant laws, including banking law, business law, NBR (National Board of Revenue) law, Election Commission regulations, and other relevant frameworks:

National Laws and Regulations (Bangladesh)

1. Banking and Financial Sector

   - Bank Companies Act, 1991 (Amended in 2013):

  • Requires banks to retain customer and transaction records for 5 to 10 years.

   - Anti-Money Laundering (AML) Act, 2012:

  • Mandates retention of financial transaction records and customer identification data for 5 years.

   - Foreign Exchange Regulation Act, 1947:

  • Requires retention of foreign exchange transaction records for 6 years.


2. Business and Corporate Sector

   - Companies Act, 1994 (Section 192):

  • Requires companies to retain financial records, books of accounts, and documents for 6 years.

   - Income Tax Ordinance, 1984 (Section 174):

  • Mandates retention of tax-related documents and records for 6 years.

   - Value Added Tax (VAT) Act, 1991:

  • Requires businesses to retain VAT-related records for 6 years.


3. Data Protection and Cybersecurity

   - Digital Security Act, 2018:

  • Requires service providers to retain user data for 1 year and provide it to law enforcement agencies if requested.

   - Right to Information Act, 2009:

  • Mandates that government and public authorities retain records for a reasonable period to ensure transparency and accountability.


4. Election and Governance

   - Representation of the People Order (RPO), 1972:

  • Governs the maintenance of voter lists and election records, which are typically retained indefinitely.

   - Election Commission Secretariat Act, 2009:

  • Provides the framework for the Election Commission's operations, including data management.


5. Telecommunications

   - Bangladesh Telecommunication Regulatory Commission (BTRC) Guidelines:

  • Requires telecom operators to retain call detail records (CDRs) and customer data for 1 to 2 years.


International Laws and Regulations

1. General Data Protection Regulation (GDPR) (Applicable to Bangladeshi entities operating in the EU)

  • Requires retention of personal data only for as long as necessary for the purpose it was collected.
  • Mandates clear documentation of retention periods and justification for data storage.


2. Basel III Standards (For banks operating internationally)

  • Recommends maintaining financial records for a minimum of 7 years for risk management and compliance purposes.


3. Payment Card Industry Data Security Standard (PCI DSS) (For organizations handling card payments)

  • Requires retention of payment card transaction data for a minimum of 1 year.


4. International Financial Reporting Standards (IFRS) (For multinational companies)

  • Recommends retaining financial records for 7 years to ensure compliance with auditing and reporting requirements.


Summary Table of Data Retention Periods

[Image: Summary table for Data Retention Period]

Notes

  • Organizations must ensure compliance with both national and international laws if they operate globally or handle cross-border data.
  • Retention periods may vary depending on the type of data and specific regulatory requirements.
  • Regular updates to laws and regulations should be monitored to ensure ongoing compliance.




