Data Retention Policy 101: Best Practices, Examples & More [with Template]
Data is one of the most valuable resources in the world today — even more valuable than oil, according to some sources. As a result, data has become a precious commodity to organizations across all industries, and a target for hackers. Given the sheer volume of data that businesses collect — as much as 7.5 septillion gigabytes per day — and the number of laws and regulations that exist to protect that data, it’s imperative that your organization develop and enforce robust data retention policies.
In this blog post, we’ll take a closer look at what data retention is, why it matters, how to create a data retention policy and more.
What is Data Retention?
Data retention, or record retention, is exactly what it sounds like — the practice of storing and managing data and records for a designated period of time. There are any number of reasons why a business might need to retain data: to maintain accurate financial records, to abide by local, state and federal laws, to comply with industry regulations, to ensure that information is easily accessible for eDiscovery and litigation purposes and so on. To fulfill these and other business requirements, it’s imperative that every organization develop and implement data retention policies.
What Is a Data Retention Policy & Why Is It Important?
A data retention policy, or a record retention policy, is a business’ established protocol for maintaining information. Typically, a data retention policy will define:
- What data needs to be retained
- The format in which it should be kept
- How long it should be stored for
- Whether it should eventually be archived or deleted
- Who has the authority to dispose of it, and
- What procedure to follow in the event of a policy violation
Though the primary purpose of a data retention policy is to ensure proper data management in accordance with relevant legal statutes and regulations, it’s also an excellent way to enhance efficiency within your organization.
What Is a Data Retention Period?
A data retention period refers to the amount of time that an organization holds onto information. Different data should have different retention periods. Best practice dictates that data should be kept only as long as it’s useful. That said, certain laws and regulations have specific requirements regarding data retention periods, so it’s important to do your research before determining the retention period for a data retention policy.
How Do Data Retention Policies Ensure Legal & Regulatory Compliance?
Though there are numerous operational benefits to implementing data retention policies, many businesses establish such policies to avoid running afoul of local, state and federal laws and various industry regulations. The fact is that many laws and regulations include specific language related to records management, including what data needs to be stored and for how long. Failure to comply with these stipulations could leave your organization vulnerable to financial, civil and/or criminal penalties.
To give you a better sense of the role that data retention plays in compliance, let’s look at a few laws and regulations with specific data retention policy requirements:
- According to Article 5(e) of the General Data Protection Regulation (GDPR), data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” GDPR permits organizations to store personal data for longer periods “insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).”
- Although the Health Insurance Portability and Accountability Act (HIPAA) does not have any universal requirements for the retention of medical records — instead, these vary from state to state — it does include specific language concerning the retention of records associated with HIPAA. Records associated with HIPAA include, but are not limited to:
  - Notice of privacy practices
  - Patient authorizations
  - Employee sanction policies
  - Incident and breach notification documentation
  - Physical security maintenance records
  - Access logs
  - And so on

  According to 45 CFR § 164.316(b)(2)(i), documentation must be retained “for 6 years from the date of its creation or the date when it last was in effect, whichever is later.” Additionally, according to 45 CFR § 164.316(b)(2)(ii) and 45 CFR § 164.316(b)(2)(iii), documentation must be made “available to those persons responsible for implementing the procedures to which the documentation pertains” and must be reviewed periodically and “[updated] as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”
- According to the U.S. Department of Labor, the Fair Labor Standards Act (FLSA) requires employers to maintain records for a period of at least three years. Records used to compute pay, which include time cards, work and time schedules and records of additions to or deductions from wages, must be kept for two years. All records must be made readily available for inspection by Department of Labor representatives.
- According to Sec. 802(a)(1) of the Sarbanes-Oxley Act (SOX):

  “Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 applies, shall maintain all audit or review workpapers for a period of five years from the end of the fiscal period in which the audit or review was concluded.”

  Relevant workpapers, as defined by Sec. 802(a)(2), include memoranda, correspondence, communications, electronic records and other documents that are created, sent or received in connection with an audit or review. Any public company found in violation of SOX’s data retention requirements is subject to fines, imprisonment or both.
For more information on the provisions outlined in SOX, please refer to our blog post on SOX compliance.
For even more examples of legal and regulatory record retention policy requirements, check out our blog post on email retention laws.
What Data Retention Policy Best Practices Should I Follow?
Although there’s no one-size-fits-all approach to data retention — requirements will vary depending on the size of your business, the industry in which you operate, the type of data you process and so on — there are a few best practices to follow when creating a data retention policy:
- Do your research first. Make sure you are aware of and understand all the regulations that apply to your business and any legal obligations before you get started.
- Determine what your business needs are. Although legal requirements come first, any data retention policies that you implement should also be designed in such a way that they streamline business-critical processes and promote efficiency.
- Make data retention policy development a team effort. In order to create a record retention policy that is truly comprehensive and represents the interests of your entire organization, you need input from multiple voices, including your in-house legal counsel, finance department, accounting team and various other departmental managers and supervisors.
- Don’t overcomplicate things. Use simple language and straightforward terms when drafting retention policies. This will not only make them easier for employees to understand but will also increase the likelihood of adherence. And remember: You can always start small and make changes over time as needed.
- Create different policies for different data types. Not every piece of information needs to be stored for the same length of time — it varies depending on the business need and applicable regulatory and/or legal requirements.
- Be transparent. Let your customers, subscribers and users know what information you intend to hold on to, how it will be stored and how it will be used. Where possible, give them control over how their data is used.
- Invest in an archiving solution. Certain email, social media and text/SMS messaging archiving platforms enable you to create custom record retention policies and automate the data retention process, thereby saving you time and effort. Look for a solution that enables you to organize data according to your business requirements, offers robust search functionality and has built-in security features.
- Consistently back up your data. Doing so will not only protect you from a compliance standpoint, but also reduce or eliminate the risk of data loss in the event of an outage or unexpected downtime.
- Don’t hold onto data longer than is necessary. Although it might seem like best practice to operate with an abundance of caution and retain data indefinitely, doing so actually leaves your business open to risk. Excess data not only consumes valuable storage resources and slows down systems, it also makes you more vulnerable in the event of a data breach or security incident. That said, deletion is permanent, so you’ll want to carefully consider which data to archive and which to get rid of.
What Are Some Data Retention Policy Examples?
How Do I Create a Data Retention Policy?
Though the process for creating a record retention policy will vary depending on the type of data you capture and applicable laws and regulations, it will probably look something like this:
- Assemble your data retention policy development team.
- Sort data into policy categories; you’ll need to create a different data retention policy for each category.
- Figure out which laws and regulations your business is subject to based on data type, location, industry and so on.
- For each record retention policy:
  - Determine which items will be archived (and for how long) and which ones will be deleted
  - Decide who will be responsible for each item type
  - Develop a plan for enforcing the policy, and
  - Communicate the policy to all affected employees and teams
- Create the policy.
- Update each policy on a regular basis and take care to communicate any changes made to your employees.
For even more guidance on how to create a data retention policy, download our free data retention policy template here.
Make Data Retention Easy with Intradyn
From email to social media content to text/SMS messages, each of Intradyn’s state-of-the-art archiving solutions enables you to create custom data retention policies to ensure regulatory compliance. And that’s not all — with powerful search functionality, role-based permissions and user authentication, a robust eDiscovery and litigation feature set and more, it’s easy to see why Intradyn is the archiving solution of choice for businesses across all industries. Find out what Intradyn is capable of with our free on-demand demo, or by talking to one of our archiving specialists today.