What is a Backup Retention Policy?
A Backup Retention Policy governs the time that you keep backed up data, with it you would also consider the archive rules, format, method of storage, access policy and encryption. All of which must be documented for legal and privacy reasons under the DPA (including the new GDPR).
The most common retention policy used by most IT professionals is the Grandfather–Father–Son method for maintaining a period of tiered restore points. This method is a rotation scheme whereby a daily backup (the son), a weekly backup (the father) and a monthly backup (the grandfather) are created to maintain a good backup strategy.
Simply put, each week the backup from the last 7-days (daily backup) is aggregated into 1 backup called the son and is held as the weekly backup. Each 4-weekly is then aggregated from a son to a father and is held as the monthly backup and finally the last 6 months is then aggregated from a father into a grandfather and becomes the last 6-months backup. This process can vary depending on your retention policy, your legal requirements for completing data backups and how often you implement a backup (i.e. hourly vs. daily or monthly vs. 6-monthly).
For legal purposes in building your retention policy you need to consider what the impact would be if you needed to recover lost data and over what period. If for example your backup policy was:
This would mean that for an initial loss of data that was immediately recognised by a user you would resort back to the previous day, if however, the mistake wasn’t immediately acknowledged, and it was a couple of weeks later you would resort to looking through weekly logs for the missing file and if the issue didn’t manifest a good few months later you would have to restore to searching in the last 6-months log for the file. However, you now need to consider if this is both acceptable for your business and for the data subject. It could be that the impact on business might have a financial cost or it could be that a data subject has put in a SAR (Subject Access Request) which must be complied with within 30-days (under GDPR) and you don’t have the information at hand. Therefore, a policy needs to be clearly drafted considering all scenarios considering the worst-case scenario’s