What is a Data Retention Policy?

Published July 17, 2020 • 3 min read

A data retention policy, or records retention policy, is a company’s established protocol for keeping records for set periods of time to comply with business needs, industry guidelines, and legal requirements. 

A comprehensive data retention policy details the reasons a company wants to retain specific data and what to do with that data when it wants to dispose of it. The data retention policy should also include information about who’s responsible for each type of data, and whether data that are no longer needed should be archived or deleted.

From an operational standpoint, an organization should implement a data retention policy to ensure proper data backup. Backup data helps a company recover in case of data loss.

Why is data retention important?

A data retention policy is important to make certain a business has the right data and the right amount of data backed up. If an organization doesn’t back up enough data, the recovery won’t be as comprehensive, while backing up too much data may cause confusion during the recovery process.

A data retention policy is part of an enterprise’s overall data management strategy. It matters because data can accumulate significantly, so it’s critical for an organization to outline how long it needs to hold on to specific data. A company should only retain data for as long as it’s needed; archiving data longer than necessary consumes unnecessary storage space and increases costs.

A company must also establish efficient data management and records management to support its core business functions, to comply with legal, statutory, and regulatory obligations, and to ensure data privacy.

Over recent years, there has been a renewed focus on data privacy, which has resulted in more complex data privacy laws and regulations worldwide.

Although it’s common for a company to establish its own data retention requirements, it must adhere to certain data retention laws. For example, publicly traded companies in the United States must establish a data retention policy to meet requirements from the Sarbanes-Oxley Act.

Healthcare organizations are subject to the data retention requirements of the Health Insurance Portability and Accountability Act (HIPAA), while companies that accept credit cards must adhere to the data retention and the data disposal requirements of the Payment Card Industry Data Security Standard (PCI DSS). Federal laws typically require companies in regulated industries to establish documented data retention policies.

In addition, certain companies must adhere to the data retention requirements of the General Data Protection Regulation (GDPR). The GDPR applies to the personal data of citizens of the European Union (EU), as well as to individuals and organizations whose data is stored within the European Union, regardless of whether the company collecting the data is itself located in the EU.

Consequently, it’s critical for organizations to craft data retention policies that explain what data is being collected, why it’s being collected, where it’s being held, and the data retention period, as these relate to the GDPR mandates. With a regulation as far-reaching as GDPR, it’s important that companies only keep personal data that’s necessary.

In addition to the regulatory frameworks that companies already have to comply with, organizations may also have contractual and business needs that require them to establish data retention schedules. 

As such, a robust data retention policy should specify how long an organization keeps its data and its records and how it plans to make exceptions to the schedule in the event of lawsuits or other disruptions. 

How do you determine appropriate data retention?

To implement an effective data retention policy, a company first has to identify the types of data it stores. Then, it has to classify that data. 

For example, healthcare organizations store people’s personal information, such as patient names, dates of birth, Social Security numbers, medical data and histories, and/or prescription information. Financial services companies store customers’ PINs, credit scores, payment history, and/or loan information.

Classifying data is a best practice for data retention because not all data requires the same retention period. In most cases, business functions work with legal and IT departments to establish the data retention policy.
