What Is a Data Retention Policy?

Every solid backup plan has a data retention policy, which specifies how long your organisation stores backup data before either archiving it, overwriting it, or destroying (deleting) it. A data retention policy determines the following:

  • How long it’s stored.
  • How it’s stored.
  • Where it’s stored.
  • The format.
  • The medium storing it.
  • Who has authority over it.
  • What happens when an unauthorised individual accesses the data.

For some businesses, a data retention policy is required for compliance.

Why Have a Data Retention Policy?

For most companies, a data retention policy is a compliance requirement of regulatory bodies. Beyond compliance, a data retention policy gives administrators guidance on data backups and archives. The process of planning and creating one can help uncover storage issues, authorisation problems and any risks associated with the data.

The most prominent reason organisations develop a data retention policy is for compliance. Among other standards that oversee data storage and access, all of the following require organisations to have a retention policy:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Gramm-Leach-Bliley Act of 1999.
  • Sarbanes-Oxley Act of 2002.
  • Securities and Exchange Commission rules 17a-3 and 17a-4.

How to Create a Data Retention Policy?

Every organisation manages its planning and execution stages differently. But you can follow best practices to ensure that your plan is developed efficiently and smoothly. Having a solid archiving solution can also help simplify your legal discovery, regulatory compliance and user data access.

Data retention affects every department in the organisation, so a robust plan benefits the entire company and helps administrators and other IT staff fulfil their service level agreements.

Basic steps in the policy-planning and creation phase include:

  • Build a team. Unless you have internal staff capable of creating a retention policy, you need consultants, contractors or new hires. Though your current administrators are part of the process, it’s important to staff your team with professionals who understand data retention and best practices in creating a plan.
  • Categorise your data. Every organisation has different data types, access rules and storage locations. Categorise data so that sensitive information can be separated from general data. The sensitive data requires high-level cybersecurity rules and defences to protect it from threat actors.
  • Identify laws and compliance standards that regulate data. Compliance standards provide guidance as your policy rules are defined. Each compliance standard must be taken into consideration as violations can result in hefty fines.
  • Write the policy. Writing a policy requires input from multiple people. That may mean having one person who collects everyone’s thoughts and composes the policy, or multiple people contributing directly to the written policy.
  • Communicate the policy with administrators. Anyone who will be a part of the backup and retention plan should know the policies behind any rules and standards defined in the policy.
  • Review the policy each year. Like any policy, yours should be reviewed regularly to ensure it’s updated with any new compliance rules. Technology also changes. Your policy should reflect infrastructure changes, licensing, data collected, and how data is stored.

How Long Can Data Be Kept?

Data-retention timeframes depend on the sensitivity of the data and compliance requirements. Non-sensitive data must also be stored for a specific amount of time in case users must recover files for business purposes. If compliance standards that oversee your organisation do not have a specific data retention timeframe, it’s up to you to determine the best duration internally.

Unimportant data might only have a two-week data retention policy, but critical data such as healthcare information might need to be stored for decades. Retain data long enough to support any disaster recovery plans and for when a backup is used to restore business operations.

Storage capacity also factors into retention time. The cost associated with large data archives expands with increased data storage over longer periods of time. If the price of data storage is higher than the cost of losing it, consider deleting it rather than keeping it for months.

Data Retention Policy Best Practices

Before you write a data retention policy, follow best practices to ensure that it addresses every regulation, law and business use case. You can customise your plan to meet your organisational business needs, but there are a few standards that work across all businesses.

Classify All Data

It’s easy to skip data considered unimportant. But all files and data across the environment should be accounted for and included in the backup and retention plan. By classifying data, you ensure any sensitive information critical to business operations is securely stored for its required retention period so that it can be restored or reviewed at any time.

Review Compliance Standards

Most organisations have at least one regulatory body that oversees data storage, backups, and retention. To stay compliant, you might need help from a consultant who is familiar with all the rules.

Deletion Policy

At some point, you'll no longer need the data and want to cut costs on storage by deleting it. The deletion policy determines when you can discard the data without affecting compliance or business recovery.

Make It a Team Effort

Any department or staff member affected by the retention policy should be able to provide input, especially when it refers to data that affects their team.

Tie Retention Into Backup Plans

Your backup plan determines the data that should be stored; your retention plan determines the timeframe for storage. The two policies should tie into one another.

Data Retention Policy Examples

Large technology organisations have publicly posted retention policies that you can use to model your own. Review several to find one that will work well as a template for your policy.

Here are a few good examples of retention policies: