sms data retention

SMS Data Retention

Most companies have data retention policies these days, even small and medium-sized ones. This allows them to uphold the rights of people whose data they store, in compliance with international regulations like GDPR. 

As well as the data that they might hold themselves, companies must also consider how any 3rd party services that they use to transmit and store their customers’ data support these policies. That includes business SMS platforms.

This article examines what you should consider for the retention of your business SMS data, and goes on to describe how we support our customers to implement their policies.

Why do I need an SMS retention policy?

SMS providers automatically retain message information for reporting, billing and reference purposes. Messages are often stored for several years. This storage is generally free, and a lot of companies won’t need to consider how long simple messages that don’t contain any personal information are kept for.

However, it becomes particularly important for companies in sectors like financial or healthcare services, whose text messages often contain personal or sensitive information. They must make sure that their SMS data is held in compliance with the laws and regulations affecting their industry or region. They will also need to take into account the agreements they have in place with their customers, who will have opted in to receive texts under certain conditions and have expectations about what happens to their data.

Business SMS Platform

The Responsibilities of Business SMS Platforms

SMS messages are stored in Delivery Reports, which contain not only the destination and content of the message, but can also contain personal or business information that helps with the categorisation and routing of replies, as well as metadata about the timeline of the message and its status. This data is often aggregated, to provide usage insights and information for billing.

Business SMS Platforms also hold account data, indicating who has access to the Delivery Report data, as well as the individuals responsible for administering the account. 

It is the responsibility of business SMS platforms to provide the following sets of controls which allow you to manage your SMS data:

  1. Account and user management – the ability for you to directly control who has access to the SMS platform, and to control what they can see or do.
  2. Subject access right (SAR) requests – allowing for your account and any of your employee data held within it to be deleted. 
  3. Message data retention – the ability for your data retention policies to be applied to your customer data, in a granular fashion if necessary.

This may also extend to the platform provider complying with data deletion standards, so that you are reassured about how data is deleted from physical media, even when data is stored in the cloud. For example, Amazon Web Services decommissions media using techniques detailed in the industry standard NIST 800-88.

What are the Downsides of Deleting Data?

Once data is deleted, it cannot be retrieved. No surprises there. This will somewhat restrict your ability to review campaigns, check your data quality, and check for trends in your message usage. Unless you are storing delivery reports on your own platform, it will also limit your ability to audit usage or particular customer conversations. It’s worth reviewing all of the use cases when you implement policies, to make sure your other obligations can still be met where necessary.

SMS Works Account

 

SMS Works Account Access

First things first: we allow account administrators to nominate up to four other administrators of their accounts, and to delegate five Guest Passes to other individuals who can access the data but not update settings or the access of others. 

How the SMS Works Supports Your Data Retention Policies

We’ve implemented a data retention solution which allows our customers to exert (what we hope is) a flexible set of controls to manage their customers’ data on our platform. We work with you directly to set this up, so that they can understand how it can most conveniently fit in with their needs and the options in our API. This also allows us to agree and confirm what will happen in writing, so that everyone is happy with the approach.

By default, SMS delivery reports are archived after 90 days, and retained in the archive for 7 years. If you would like us to delete that data before it gets archived, we have two great options:

Retention Jobs

We can target specific data on our platform for you using one or more ‘Retention Jobs’. These allow you to specify the age of the delivery reports you want deleted and to provide one or more other filters to select particular reports. This could be something as simple as the sender ID (who the messages are sent from), something more specific like a tag that has been used to identify a campaign or customer, or even as sophisticated as some metadata that you included via our API when the message was sent. These could even be used together, to work against a very specific set of criteria for your customers.

Time-To-Live (TTL)

Our SMS API allows you to set a simple expiry time, in minutes, on your delivery reports. They will then be deleted once the expiry time has passed. This is useful if you only have a few sensitive messages, and gives you independent control over when they are removed without having to consult us.

The Deletion Process

The Retention Jobs run every night. If they delete delivery reports which match your criteria we will notify you via email, to an address or addresses of your choice, to let you know how many have been removed. We intend to expand this to providing deletion logs on your SMS Works account page in the near future, to give you an auditable view of activity.

As we maintain Cloud Backups of our data, there will be an additional period of 5 days during which the data is still retrievable. You may wish to take this into account when planning your Retention Jobs with us. 

Where we are required to maintain data through legal holds, delivery reports may be retained beyond the published or configured retention periods. That’s it! You can contact us at [email protected] if you would like us to help, or discuss anything else related to your SMS plans.