What Is A Data Retention Policy? Definition, Best Practices, & Examples [+ Free Template]

Data retention, or record retention, is exactly what it sounds like — the practice of storing and managing data and records for a designated period of time. There are any number of reasons why a business might need to retain data: to maintain accurate financial records, to abide by local, state and federal laws, to comply with industry regulations, to ensure that information is easily accessible for eDiscovery and litigation purposes and so on. To fulfill these and other business requirements, it’s imperative that every organization develop and implement data retention policies.

A data retention period refers to the amount of time that an organization holds onto information. Different data should have different retention periods. Best practice dictates that data should only be kept only as long as it’s useful. That said, certain laws and regulations have specific requirements regarding data retention periods, so it’s important to do your research before determining the retention period for a data retention policy.

A data retention policy, or a record retention policy, is a business’ established protocol for maintaining information. Typically, a data retention policy will define:

• What data needs to be retained
• The format in which it should be kept
• How long it should be stored for
• Whether it should eventually be archived or deleted
• Who has the authority to dispose of it, and
• What procedure to follow in the event of a policy violation

Overall, the goal of a retention policy is to provide guidelines that an organization can follow to ensure that they remain compliant with regulatory archiving requirements and are capable of complying with eDiscovery or other requests. Retention policies can vary between organizations depending on a number of factors, including the industry in which the company operates, where it does business, the type of data they collect or if they accept credit card payments.

In addition to ensuring compliance and thus helping companies avoid the consequences of regulatory violations, data retention is important for technical reasons. Whether storing data on premises or in the cloud, holding on to too much of it for too long can become expensive and cumbersome in the long run. With a data retention policy in place, companies are also better able to effectively manage their data and free up crucial storage space.

Every business should have a data retention policy (or, if necessary, policies). To give you an idea of what yours might look like, here are some retention policy examples from well-known companies:

Google

The tech giant breaks down its data retention policy in simple terms: “Some data you can delete whenever you like, some data is deleted automatically, and some data we retain for longer periods of time when necessary.”

More specifically, users are able to remove personal information, activity items, photos and documents and delete their accounts entirely, at will. Google doesn’t go into too much detail about what types of data they retain for longer periods, but reasons they keep this data on file include for fraud prevention, tax and accounting purposes, legal and regulatory requirements and continuity of services.

Microsoft

Microsoft explains its data retention policy similarly, noting that the company “retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.”

Other criteria used to determine retention periods includes whether the data is able to be accessed or deleted by the customer, if data is sensitive, whether customers consent to their data being stored for longer periods and whether the data is subject to retention laws.

Netflix

When it comes to its customers’ personal information, Netflix’s data retention policy boils down to this: “We retain personal information as required or permitted by applicable laws and regulations, including to honor your choices, for our billing or records purposes, and as otherwise necessary to fulfill the purposes described in the Netflix Privacy Statement.”

Personal information that Netflix permits users to delete at will includes account profiles, viewing history, payment methods, phone numbers, email addresses and dates of birth.

Wikipedia

Wikipedia is committed to retaining user data “for the shortest possible time that is consistent with the maintenance, understanding, and improvement of the Wikimedia Sites, and our obligations under applicable U.S. law.” To that end, the popular reference site outlines several of its retention rules for non-public data in its policy, including the following timeframes:

• Nonpublic personal information (collected automatically from a user): Deleted, aggregated or de-identified after 90 days
• Nonpublic personal information (collected via account settings): Until a user deletes or updates
• Non-personal information, not associated with a user account: Indefinitely
• Articles read: 90 days at most

Though the process for creating a record retention policy will vary depending on the type of data you capture and applicable laws and regulations, it will probably look something like this:

• Assemble your data retention policy development team.
• Sort data into policy categories; you’ll need to create a different data retention policy for each category.
• Figure out which laws and regulations your business is subject to based on data type, location, industry and so on.
• For each record retention policy:
  • Determine which items will be archived (and for how long) and which ones will be deleted
  • Decide who will be responsible for each item type
  • Develop a plan for enforcing the policy, and
  • Communicate the policy to all affected employees and teams
• Create the policy.
• Update each policy on a regular basis and take care to communicate any changes made to your employees.

Once you’ve created your data retention policy, the next step is implementation. As these policies are centered around data storage, it’s crucial that you work closely with your IT department to handle the technical aspects involved in putting your policy into practice — such as setting up and managing your company’s archiving solution.

It’s also important for your company’s legal team to have a hand in implementation. Data storage systems rely on rules to determine which data should be stored and for how long, as well as when certain files can be removed. As these rules tend to be based on compliance mandates, your legal team will have the most up-to-date knowledge of the proper retention periods, and should be consulted during the process.

From time to time, the data retention policies you have in place may need updating. Whether this is due to changing compliance standards or business needs, it’s a good idea to ask yourself the following questions when revisiting your policy:

• Have the industry or legal standards for data retention changed?
• When it comes to data archiving and deletion, do your current policies enable you to produce sufficient records in the event of a tax audit or lawsuit?
• Do your retention policies consider the latest data protections against breaches, server malfunctions or other catastrophic events?

Though there are numerous operational benefits to implementing data retention policies, many businesses establish such policies to avoid running afoul of local, state and federal laws and various industry regulations. The fact is that many laws and regulations include specific language related to records management, including what data needs to be stored and for how long. Failure to comply with these stipulations could leave your organization vulnerable to financial, civil and/or criminal penalties.

Here’s how a data retention policy can ensure both legal and regulatory compliance:

Legal Compliance Implications

In the event your company becomes involved in any legal disputes, your data retention policy may mean the difference between producing critical evidence and facing sanctions or other penalties and consequences as a result of being unable to do so.

These requests for electronically stored information (ESI) — also known as eDiscovery requests — are issued as part of litigation proceedings, government investigations or Freedom of Information Act requests.

Regulatory Compliance Implications

To give you a better sense of the role that data retention plays in regulatory compliance, let’s look at a few mandates with specific data retention policy requirements:

• According to Article 5(e) of the General Data Protection Regulation (GDPR), data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” GDPR permits organizations to store personal data for longer periods “insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).”
• Although the Health Insurance Portability and Accountability Act (HIPAA) does not have any universal requirements for the retention of medical records — instead, these vary from state to state — it does include specific language concerning the retention of records associated with HIPAA. Records associated with HIPAA include, but are not limited to:
  • Notice of privacy practices
  • Patient authorizations
  • Employee sanction policies
  • Incident and breach notification documentation
  • Physical security maintenance records
  • Access logs
  • And so on

According to subsection CFR § 164.316(b)(2)(i), documentation must be retained “for 6 years from the date of its creation or the date when it last was in effect, whichever is later.” Additionally, according to CFR § 164.316(b)(2)(ii) and CFR § 164.316(b)(2)(iii), documentation must be made “available to those persons responsible for implementing the procedures to which the documentation pertains” and must be reviewed periodically and “[updated] as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”

• According to the U.S. Department of Labor, the Fair Labor Standards Act (FLSA) requires employers to maintain records for a period of at least three years. Records to compute pay, which include time cards, work and time schedules and records of additions to or reductions from wages, must be kept for two years. All records must be made readily for inspection by Department of Labor representatives.
• According to Sec. 802(a)(1) of the Sarbanes-Oxley Act (SOX): “Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 applies, shall maintain all audit or review workpapers for a period of five years from the end of the fiscal period in which the audit or review was concluded.”

Relevant workpapers, as defined by Sec. 802(a)(2), include memoranda, correspondence, communications, electronic records and other documents, which are created, sent or received in connection to an audit or review. Any public company found in violation of SOX’s data retention requirements is subject to fines, imprisonment or both.

For more information on the provisions outlined in SOX, please refer to our blog post on SOX compliance.

To avoid larger problems down the road, it’s important to be aware of issues that can stem from your data retention policy. These are some of the most common challenges that you should be aware of as you think through the details:

• Potential for regulatory non-compliance: With the number of regulations that mandate retention periods, it’s crucial to make sure that you don’t accidentally overlook any.
• Foreseeing future data needs: It can be difficult to anticipate which documents, files or communications your company will need access to five or 10 years from now. This is why it’s of the utmost importance to consult with your legal team before creating retention rules.
• Budget planning: Keep the cost of data storage in mind, since new data will be added to your archiving solution every day. As your storage needs grow over time, your supporting tech stack will also need to evolve to keep up.
• Making the right updates: While you must revise your policy to include any new laws or regulations that apply to your industry, these aren’t the only updates that affect your data retention policies. As your company introduces new services, departments or products, it’s vital for your policies to address these changes as well.

Although there’s no one-size-fits-all approach to data retention — requirements will vary depending on the size of your business, the industry in which you operate, the type of data you process and so on — there are a few best practices to follow when creating a data retention policy:

• Do your research first. Make sure you are aware of and understand all the regulations that apply to your business and any legal obligations before you get started.
• Determine what your business needs are. Although legal requirements come first, any data retention policies that you implement should also be designed in such a way that they streamline business-critical processes and promote efficiency.
• Perform a data audit. To ensure that your data retention policy accounts for all the data types your organization collects and stores, it’s crucial to take inventory of the information you have on hand. Everything from databases and documents to videos, images and emails should be considered.
• Make data retention policy development a team effort. In order to create a record retention policy that is truly comprehensive and represents the interests of your entire organization, you need input from multiple different voices, including your in-house legal counsel, finance department, accounting team and other various departmental managers and supervisors.
• Don’t overcomplicate things. Use simple language and straightforward terms when drafting retention policies. This will not only make them easier for employees to understand but will also increase the likelihood of adherence. And remember: You can always start small and make changes over time as needed.
• Create different policies for different data types. Not every piece of information needs to be stored for the same length of time — it varies depending on the business need and applicable regulatory and/or legal requirements.
• Generate two versions of your data retention policy. If your organization operates in an industry that’s subject to tight regulations, you’ll need to create a formal copy of your retention policy in order to satisfy mandates. As this version is typically written in legalese, it’s also a good idea to make a second version for your internal teams that’s more easily digestible.
• Be transparent. Let your customers, subscribers and users know what information you intend to hold on to, how it will be stored and how it will be used. Where possible, give them control over how their data is used.
• Invest in an archiving solution. Certain email, social media and text/SMS messaging archiving platforms enable you to create custom record retention policies and automate the data retention process, thereby saving you time and effort. Look for a solution that enables you to organize data according to your business requirements, offers robust search functionality and has built-in security features.
• Consistently back up your data. Doing so will not only protect you from a compliance standpoint, but also reduce or eliminate the risk of data loss in the event of an outage or unexpected downtime.
• Don’t hold onto data longer than is necessary. Although it might seem like best practice to operate with an abundance of caution and retain data indefinitely, doing so actually leaves your business open to risk. Excess data not only consumes valuable storage resources and slows down systems, it also makes you more vulnerable in the event of a data breach or security incident. That said, deletion is permanent, so you’ll want to carefully consider which data to archive and which to get rid of.

There’s no question that data is one of the most valuable — and heavily regulated — resources in the world today. In order to keep your data safe, remain compliant with all applicable laws and regulations and enhance efficiency within your organization, it’s vital that you implement a data retention policy plan that will stand the test of time.

For even more guidance on how to create a comprehensive data retention policy, download our free data retention policy template here:

Download our Data Retention Policy Template 

From email to social media content to text/SMS messages, each of Intradyn’s state-of-the-art archiving solutions enable you to create custom data retention policies to ensure regulatory compliance. And that’s not all — with powerful search functionality, role-based permissions and user authentication, a robust eDiscovery and litigation feature set and more, it’s easy to see why Intradyn is the archiving solution of choice for businesses across all industries. Find out what Intradyn is capable of with our free on-demand demo, or by talking to one of our archiving specialists today.