What Is a Data Retention Policy?

For some businesses, a data retention policy is required for compliance.

Every organization manages its planning and execution stages differently. But you can follow best practices to ensure that your plan is developed efficiently and smoothly. Having a solid archiving solution can also help simplify your legal discovery, regulatory compliance and user data access.

Data retention affects every department in the organization. So a robust plan can advance the entire company and helps administrators and other IT staff fulfill their service level agreements.

Basic steps in the policy-planning and creation phase include:

• Build a team. Unless you have internal staff capable of creating a retention policy, you need consultants, contractors or new hires. Though your current administrators are part of the process, it’s important to staff your team with professionals who understand data retention and best practices in creating a plan.
• Categorize your data. Every organization has different data types, access rules and storage locations. Categorize data so that sensitive information can be separated from general data. The sensitive data requires high-level cybersecurity rules and defenses to protect it from threat actors.
• Identify laws and compliance standards that regulate data. Compliance standards provide guidance as your policy rules are defined. Each compliance standard must be taken into consideration as violations can result in hefty fines.
• Write the policy. Writing a policy requires input from multiple people. That may mean having one person who collects everyone’s thoughts and composes the policy, or multiple people contributing directly to the written policy.
• Communicate the policy with administrators. Anyone who will be a part of the backup and retention plan should know the policies behind any rules and standards defined in the policy.
• Review the policy each year. Like any policy, yours should be reviewed regularly to ensure it’s updated with any new compliance rules. Technology also changes. Your policy should reflect infrastructure changes, licensing, data collected, and how data is stored.

Data-retention timeframes depend on the sensitivity of the data and compliance requirements. Non-sensitive data must also be stored for a specific amount of time in case users must recover files for business purposes. If compliance standards that oversee your organization do not have a specific data retention timeframe, it’s up to you to determine the best duration internally.

Unimportant data might only have a two-week data retention policy, but critical data such as healthcare information might need to be stored for decades. Retain data long enough to support any disaster recovery plans and for when a backup is used to restore business operations.

Storage capacity also factors into retention time. The cost associated with large data archives expands with increased data storage over longer periods of time. If the price of data storage is higher than the cost of losing it, consider deleting it rather than keeping it for months.

Before you write a data retention policy, follow best practices to ensure that it addresses every regulation, law and business use case. You can customize your plan to meet your organizational business needs, but there are a few standards that work across all businesses.

Classify All Data

It’s easy to skip data considered unimportant. But all files and data across the environment should be accounted for and included in the backup and retention plan. By classifying data, you ensure any sensitive information critical to business operations is securely stored for a while so that it can be restored or reviewed at any time.

Review Compliance Standards

Most organizations have at least one regulatory body that oversees data storage, backups, and retention. To stay compliant, you might need help from a consultant who is familiar with all the rules.

Deletion Policy

At some point, you'll no longer need the data and want to cut costs on storage by deleting it. The deletion policy determines when you can discard the data without affecting compliance or business recovery.

Make It a Team Effort

Any department or staff member affected by the retention policy should be able to provide input, especially when it refers to data that affects their team.

Tie Retention Into Backup Plans

Your backup plan determines the data that should be stored; your retention plan determines the timeframe for storage. The two policies should tie into one another.