What Is a Data Retention Policy?

Definition

Every solid backup plan has a data retention policy, which specifies how long your organization stores backup data before archiving it, overwriting it, or destroying (deleting) it. A data retention policy determines how long data is stored, how and where it is stored, its format, the medium that holds it, who has authority over it, and what happens when an unauthorized individual accesses it. For some businesses, a data retention policy is required for compliance.

Why Have a Data Retention Policy?

For most companies, a data retention policy is a compliance requirement of one or more regulatory bodies. Even where it is only a requirement, a data retention policy also gives administrators guidance on data backups and archives. The process of creating and planning one can help uncover storage issues, authorization gaps, and any risks associated with the data.

The most prominent reason organizations develop a data retention policy is compliance. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002, and Securities and Exchange Commission rules 17a-3 and 17a-4 all require organizations to have a retention policy, alongside other standards that govern data storage and access.

How to Create a Data Retention Policy?

Every organization manages its planning and execution stages differently, but you can follow best practices to ensure that your plan is developed efficiently and smoothly. Additionally, having a solid archiving solution can help simplify your legal discovery, regulatory compliance, and user data access. Data retention affects every department in the organization, so a robust plan positively impacts the entire company and helps administrators and other IT staff fulfill their service level agreements.

Basic steps in the policy-planning and creation phase include:

  • Build a team. Unless you have internal staff capable of creating a retention policy, you need consultants, contractors, or new hires. Though your current administrators are part of the process, it’s important to staff your team with professionals who understand data retention and best practices in creating a plan.
  • Categorize your data. Every organization has different data types, access rules, and storage locations. Data should be categorized so that sensitive information can be separated from general data. The sensitive data requires high-level cybersecurity rules and defenses to protect it from threat actors.
  • Identify laws and compliance standards that regulate data. Compliance standards provide guidance as your policy rules are defined. Each compliance standard must be taken into consideration as violations can result in hefty fines.
  • Write the policy. Writing a policy requires input from multiple people, which means one person can collect everyone’s thoughts and compose the policy, or multiple people can contribute to the written policy.
  • Communicate the policy with administrators. Anyone who will be a part of the backup and retention plan should know the policies behind any rules and standards defined in the policy.
  • Review the policy each year. Like any policy, it should be reviewed regularly to ensure it’s updated with any new compliance rules. Technology also changes, and the policy should reflect infrastructure changes, licensing, data collected, and how data is stored.

How Long Can Data Be Kept For?

Data retention timeframes depend on the sensitivity of the data and compliance requirements. Non-sensitive data must also be stored for a specific amount of time in case users must recover files for business purposes. If compliance standards that oversee your organization do not have a specific data retention timeframe, you must determine the best duration internally.

Unimportant data might only have a two-week data retention policy, but critical data such as healthcare information might need to be stored for decades. Retain data long enough to support any disaster recovery plans and for when a backup is used to restore business operations.

Storage capacity also factors into retention time. The cost of large data archives grows as more data is stored for longer periods. If the price of storing the data is higher than the cost of losing it, consider deleting it rather than keeping it for months.

Data Retention Policy Best Practices

Before you write a data retention policy, you should follow best practices to ensure that it addresses every regulation, law, and business use case. You can customize your plan to meet your organizational business needs, but there are a few standards that work across all businesses.

Classify All Data

It’s easy to skip data considered unimportant, but all files and data across the environment should be accounted for and included in the backup and retention plan. By classifying data, you ensure any sensitive information critical to business operations is stored securely for the required period so that it can be restored or reviewed at any time.

Review Compliance Standards

Most organizations have at least one regulatory body that oversees data storage, backups, and retention. To stay compliant, you might need help from a consultant who is familiar with all the rules.

Deletion Policy

At some point, you'll no longer need the data and want to cut costs on storage by deleting it. The deletion policy determines when you can discard the data without affecting compliance or business recovery.

Make It a Team Effort

Any department or staff member affected by the retention policy should be able to provide input, especially when it refers to data that affects their team.

Tie Retention Into Backup Plans

Your backup plan determines the data that should be stored, and the retention plan determines the timeframe for storage. The two policies should tie into one another.
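The retention timeframes, deletion policy, and backup linkage described above can be expressed as a small policy evaluator. This is an added example, not code from the original page; the data classes, retention periods, and backup records are constructed sample values, and the rule that the newest backup of each dataset is never deleted is an assumption made so that a restore is always possible.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: data class -> days to keep backups (None = retain indefinitely).
# Values are illustrative, not taken from any regulation.
RETENTION_DAYS = {
    "general": 14,          # unimportant data: two-week retention
    "financial": 7 * 365,   # multi-year retention for financial records
    "healthcare": None,     # decades-long retention, never auto-deleted
}


@dataclass(frozen=True)
class Backup:
    dataset: str      # which backup set this copy belongs to
    data_class: str   # classification assigned during the "categorize your data" step
    taken: date       # date the backup copy was created


def plan_disposition(backups, policy, today):
    """Return {Backup: 'keep' | 'delete'} according to the retention policy."""
    # Tie retention to recovery: the newest copy of each dataset is always kept.
    newest = {}
    for b in backups:
        if b.dataset not in newest or b.taken > newest[b.dataset].taken:
            newest[b.dataset] = b
    plan = {}
    for b in backups:
        if b.data_class not in policy:
            # Unclassified data is never silently discarded; it must be classified first.
            raise ValueError(f"unclassified data in backup set {b.dataset!r}")
        days = policy[b.data_class]
        expired = days is not None and (today - b.taken) > timedelta(days=days)
        plan[b] = "delete" if expired and newest[b.dataset] is not b else "keep"
    return plan


# Constructed sample backup inventory.
SAMPLE_BACKUPS = [
    Backup("fileshare", "general", date(2024, 5, 25)),
    Backup("fileshare", "general", date(2024, 5, 1)),
    Backup("ledger", "financial", date(2015, 1, 1)),
    Backup("ledger", "financial", date(2024, 1, 1)),
    Backup("ehr", "healthcare", date(2000, 1, 1)),
]


def sample_plan(today=date(2024, 6, 1)):
    """Evaluate the sample inventory; keyed by (dataset, ISO date) for readability."""
    plan = plan_disposition(SAMPLE_BACKUPS, RETENTION_DAYS, today)
    return {(b.dataset, b.taken.isoformat()): d for b, d in plan.items()}
```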

Data Retention Policy Examples

Large technology organizations have retention policies that you can use as a model for your own. They post them publicly, so you can review them to find elements that will work well in your policy.

A few good examples of retention policies that you can review: