Every solid backup plan has a data retention policy, which specifies how long your organization stores backup data before either archiving it, overwriting it, or destroying (deleting) it. A data retention policy determines the following:

  • How long it’s stored.
  • How it’s stored.
  • Where it’s stored.
  • The format.
  • The medium storing it.
  • Who has authority over it.
  • What happens when an unauthorized individual accesses the data.

For some businesses, a data retention policy is required for compliance.

Why Have a Data Retention Policy?

For most companies, a data retention policy is a compliance requirement set by regulatory bodies. Beyond compliance, a data retention policy also gives administrators guidance on data backups and archives. The process of creating and planning one can help uncover storage issues, authorization problems and any risks associated with the data.

The most prominent reason organizations develop a data retention policy is for compliance. Among other standards that oversee data storage and access, all of the following require organizations to have a retention policy:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Gramm-Leach-Bliley Act of 1999.
  • Sarbanes-Oxley Act of 2002.
  • Securities and Exchange Commission rules 17a-3 and 17a-4.

How Do You Create a Data Retention Policy?

Every organization manages its planning and execution stages differently. But you can follow best practices to ensure that your plan is developed efficiently and smoothly. Having a solid archiving solution can also help simplify your legal discovery, regulatory compliance and user data access.

Data retention affects every department in the organization. A robust plan therefore benefits the entire company and helps administrators and other IT staff meet their service level agreements.

Basic steps in the policy-planning and creation phase include:

  • Build a team. Unless you have internal staff capable of creating a retention policy, you need consultants, contractors or new hires. Though your current administrators are part of the process, it’s important to staff your team with professionals who understand data retention and best practices in creating a plan.
  • Categorize your data. Every organization has different data types, access rules and storage locations. Categorize data so that sensitive information can be separated from general data. The sensitive data requires high-level cybersecurity rules and defenses to protect it from threat actors.
  • Identify laws and compliance standards that regulate data. Compliance standards provide guidance as your policy rules are defined. Each compliance standard must be taken into consideration as violations can result in hefty fines.
  • Write the policy. Writing a policy requires input from multiple people. That may mean having one person who collects everyone’s thoughts and composes the policy, or multiple people contributing directly to the written policy.
  • Communicate the policy to administrators. Anyone who will be part of the backup and retention plan should know the rules and standards defined in the policy and the reasons behind them.
  • Review the policy each year. Like any policy, yours should be reviewed regularly to ensure it’s updated with any new compliance rules. Technology also changes. Your policy should reflect infrastructure changes, licensing, data collected, and how data is stored.

How Long Can Data Be Kept?

Data-retention timeframes depend on the sensitivity of the data and compliance requirements. Non-sensitive data must also be stored for a specific amount of time in case users must recover files for business purposes. If compliance standards that oversee your organization do not have a specific data retention timeframe, it’s up to you to determine the best duration internally.

Unimportant data might only have a two-week data retention policy, but critical data such as healthcare information might need to be stored for decades. Retain data long enough to support any disaster recovery plans and for when a backup is used to restore business operations.

Storage capacity also factors into retention time. The cost associated with large data archives expands with increased data storage over longer periods of time. If the price of data storage is higher than the cost of losing it, consider deleting it rather than keeping it for months.

Data Retention Policy Best Practices

Before you write a data retention policy, follow best practices to ensure that it addresses every regulation, law and business use case. You can customize your plan to meet your organizational business needs, but there are a few standards that work across all businesses.

Classify All Data

It’s easy to skip data considered unimportant. But all files and data across the environment should be accounted for and included in the backup and retention plan. By classifying data, you ensure any sensitive information critical to business operations is securely stored for the required period so that it can be restored or reviewed at any time.

Review Compliance Standards

Most organizations have at least one regulatory body that oversees data storage, backups, and retention. To stay compliant, you might need help from a consultant who is familiar with all the rules.

Deletion Policy

At some point, you'll no longer need the data and want to cut costs on storage by deleting it. The deletion policy determines when you can discard the data without affecting compliance or business recovery.

Make It a Team Effort

Any department or staff member affected by the retention policy should be able to provide input, especially when it refers to data that affects their team.

Tie Retention Into Backup Plans

Your backup plan determines the data that should be stored; your retention plan determines the timeframe for storage. The two policies should tie into one another.
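The two preceding points, the deletion policy and the link between the backup plan and the retention plan, are easiest to see when the policy is written down as data and applied to a backup catalog. The following Python evaluator is an added example and is not code from the article or from Proofpoint. The classification names, retention periods and backup records are constructed sample data, and the minimum-restore-points floor is an assumed design choice that follows the article's advice to retain enough copies to support disaster recovery: a backup that has aged out is never deleted if doing so would leave fewer restore points than the floor, and data with no classification is flagged for review instead of being destroyed.

```python
"""Retention-policy evaluator (added example, not the article's own code).

Each backup record carries the classification assigned when the data was
categorized.  The policy table maps a classification to how long a backup
stays on primary storage, how long it is kept in a cold archive after that,
and the minimum number of restore points that must survive regardless of age.
All names, periods and records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    classification: str
    online_days: int         # keep on primary backup storage up to this age
    archive_days: int        # keep in cold archive up to this age (0 = no archive tier)
    min_restore_points: int  # never delete if fewer than this many newer copies exist


@dataclass(frozen=True)
class Backup:
    backup_id: str
    classification: str
    taken: date


# Constructed policy table: short retention for scratch data, a long
# archive tier for healthcare records.  Periods are illustrative only.
POLICY = {
    "scratch": RetentionRule("scratch", online_days=14, archive_days=0, min_restore_points=1),
    "general": RetentionRule("general", online_days=90, archive_days=365, min_restore_points=3),
    "healthcare": RetentionRule("healthcare", online_days=365, archive_days=3650, min_restore_points=3),
}


def evaluate(backups, policy, today):
    """Return {backup_id: action}, action in {'keep', 'archive', 'delete', 'review'}."""
    decisions = {}
    by_class = {}
    for b in backups:
        by_class.setdefault(b.classification, []).append(b)

    for cls, items in by_class.items():
        rule = policy.get(cls)
        if rule is None:
            # Unclassified data is never silently destroyed; send it back to
            # the classification step instead.
            for b in items:
                decisions[b.backup_id] = "review"
            continue

        items.sort(key=lambda b: b.taken, reverse=True)  # newest first
        for rank, b in enumerate(items):
            age = (today - b.taken).days
            if rank < rule.min_restore_points:
                # Disaster-recovery floor: the newest N copies are protected
                # even when they are older than every retention window.
                decisions[b.backup_id] = "keep"
            elif age <= rule.online_days:
                decisions[b.backup_id] = "keep"
            elif age <= rule.archive_days:
                decisions[b.backup_id] = "archive"
            else:
                decisions[b.backup_id] = "delete"
    return decisions


# Constructed backup catalog and evaluation date.
TODAY = date(2024, 6, 1)
SAMPLE_BACKUPS = [
    Backup("s1", "scratch", date(2024, 5, 25)),     # 7 days old, newest scratch copy
    Backup("s2", "scratch", date(2024, 5, 1)),      # 31 days old, past 14-day window
    Backup("g1", "general", date(2024, 5, 20)),
    Backup("g2", "general", date(2024, 5, 1)),
    Backup("g3", "general", date(2024, 4, 1)),
    Backup("g4", "general", date(2024, 1, 1)),      # 152 days old: past online, inside archive
    Backup("g5", "general", date(2022, 6, 1)),      # 731 days old: past archive window
    Backup("h1", "healthcare", date(2013, 1, 1)),   # only copy, far older than 10 years
    Backup("u1", "", date(2024, 5, 30)),            # never classified
]


def sample_decisions():
    """Evaluate the constructed catalog against the constructed policy."""
    return evaluate(SAMPLE_BACKUPS, POLICY, TODAY)


if __name__ == "__main__":
    for backup_id, action in sorted(sample_decisions().items()):
        print(f"{backup_id}: {action}")
```

Running the block shows `s2` and `g5` scheduled for deletion, `g4` moved to archive, `u1` sent back for classification, and `h1` kept despite exceeding the ten-year archive window because it is the only healthcare restore point. Reviewing that last case each year, as the article recommends for the policy as a whole, is where the retention team decides whether the floor still reflects the disaster-recovery plan.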

Data Retention Policy Examples

Large technology organizations have publicly posted retention policies that you can use to model your own. Review several to find one that will work well as a model for your policy.

Here are a few good examples of retention policies: