Data Retention Policy: Everything You Need To Know

Data retention policies are central guidelines that govern how an organization handles its data. These policies help determine the purpose of data held, what laws and regulations apply to it, how long it should be kept, and how it should be archived or deleted when the time comes.

Data is the most valuable asset today’s organizations have, but a lot of this critical information is scattered, disorganized, and undiscoverable. An effective data retention policy helps you stay compliant with laws and regulations, reduce inefficiencies and extract business value from your data. A solid data retention policy can help create order in the data landscape. In this article, we’ll tell you how. 

Contents: 

What is data retention?
Why is data retention important?
Why your organization needs a data retention policy
Data retention policy best practices: how to set it up in 5 steps
How to define a compliant GDPR data retention policy
Retention Policies & Preservation Policies
In Conclusion: the benefits of data retention 

What is data retention? 

Data retention is the storage and management of data collected by an organization. It is the lifecycle management of data, from inception to deletion. Data is the most valuable asset modern organizations hold. However, left unmanaged, it can also lead to problems in terms of both cost and compliance. For this reason, data retention policies are implemented to manage the lifecycle of an organization’s stored data. 

A data retention scheme is the totality of policies and procedures that define how your organization handles its data. It seeks to provide an inventory of the data held, and determines how long data needs to be kept, and how the archiving or deletion of data should be handled. 

Why is data retention important? 

The reason data retention is important is a mix of practical and legal considerations. From a practical point of view, data retention policies help to provide structure to a chaotic, scattered and vital part of any organization. In a report on their data in 2020, Okta noted that the average company used 88 applications, a number that has been trending upwards for years now. A data retention policy can help organizations understand what type of data is stored where. 

A second practical consideration is that data does not remain valuable by default. In reality, up to 69% of the data stored by organizations holds no legal or business value. Holding on to this much useless information isn’t only an inefficient use of storage capacity, it is also risky from a legal point of view. The longer an organization retains a piece of data, the less value that data will have and the more risk it presents. 

Finally, Retention also has a regulatory dimension. Data protection regulations, such as the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) set limits to how much data regarding can be stored and for how long. To remain compliant, an organization must be able to protect personal information, minimize privacy risk and be able to respond to Data Subject Access requests. To do this, they must have a clear retention policy under GDPR or CCPA. 

Why your organization needs a data retention policy 

As noted above, data retention provides significant value to an organization. The key takeaway is that this value comes in two ways. 

First, in terms of saving costs. By remaining compliant, organizations are able to avoid issues with regulators and reduce the risk of running afoul of privacy laws and other regulations that may apply. Data retention policies also save costs more directly. Data storage isn’t free, thus reducing the amount of digital debris stored saves money. 

Second, a data retention policy generates value. It does this primarily by reducing inefficiencies, ridding the company datastores of deadwood. The process of creating a data retention policy also leads organizations to become more familiar with their data sources. This process may lead to the discovery of redundancies. 

Data retention policy best practices: how to set it up in 5 steps

How exactly a data retention policy should look depends on a range of factors, not the least of which being what type of organization it applies to and what types of data the organization holds. Some of the data retention policy best practices include:

1. Get to know your data and data sources 

Create a comprehensive list of the applications currently in use in your organization, and what data each application holds. Once this data is identified, it is time to classify it. The classification of data may be a multi-step workflow. This way, it is easy to first distinguish the important data from the rest, then to specify what type of important data it is. 

In addition, take the time to learn more about the sources of the data. As mentioned, most modern organizations have dozens or hundreds of applications active. For the retention policy, it is worth documenting how these systems are being used and what data they store. Most of this information can be easily learned by speaking to the people who make use of the application. If it concerns cloud products, make sure to check with vendors about their retention policies as well. 

2. Understand the legal requirements 

Depending on your country and industry, rules and regulations regarding the data you hold may apply. Understanding which requirements apply to the data you hold is vital when formulating a data retention policy. 

3. Synergize Data Retention with general Compliance policy 

The data retention policy works hand-in-hand with the compliance policy. In addition to remaining compliant with external regulations, a compliance policy might also have provisions for limiting risk in general. By keeping Compliance in mind when setting the Data Retention policy, you can ensure these policies strengthen each other. 

4. Determine and outline data retention periods 

With the previous steps completed, a determination can be made about retention periods. This is relatively straightforward for legal obligations. Ensure that data is not deleted or archived before a legally required retention period is over. 

If no legal obligations apply, determine the value of the data. This can be done by discussing it with the relevant stakeholders from other departments. As stated earlier, data that holds no value holds risk. Unless retention has a clear benefit, it shouldn’t happen. During these conversations, the idea is to ask “can we delete/archive this?” rather than “can we keep this?” 

When retention periods are established, deletion or archiving procedures should be specified. Depending on the type of data this may be an automated or manual procedure. If data is archived rather than deleted, how long will that data remain in the archive? 

For future reference, we advise adding a short explanation of the retention period to be included. These choices are made for good reason, after all. It never hurts to write those reasons down, just in case questions arise about them later. 

4. Keeping the data retention policy up-to-date 

A data retention policy is no fire-and-forget solution. Once established and implemented, it needs to be maintained. A data retention policy is a living document, which will need to be adapted as rules, requirements and circumstances change. The policy needs to be updated as new data sources, data types, and regulations come along. It is also vital that employees are notified when the policy is updated. 

How to define a compliant GDPR data retention policy?

Though General Data Protection Regulation doesn't put a limit to how long personal data can be stored, it does require companies to outline their own retention time frames in advance as well as justify them prior to data collection. Keeping data after the stipulated retention window has passed it is considered to be a violation of the GDPR regulation. Some of the things you should consider when defining and implementing a data retention policy under GDPR:

  • Outline strict timeframes to how long you will retain data and how the decision to delete the data will be subsequently made;
  • Specify clearly the types of data that fall under your policy and how long each will be retained for;
  • Ensure that sensitive data, such as sexual orientation, race, health information is not stored longer than necessary;
  • Conduct regular reviews of your data to assess whether the information is still relevant;

Retention Policies & Preservation Policies 

In practice, the name ‘retention policy’ is a bit of a misnomer. Retention policies tend to be about deleting data rather than holding on to it. Especially when that data no longer holds value and no longer needs to be kept for legal reasons. Preservation policies exist specifically to (temporarily) counteract retention policies. Such a policy might be necessary for a wide range of reasons. 

In the United States, preservation policies often exist to ensure potential evidence related to a legal suit remains available. If such data is lost, this is considered spoliation of evidence, which can have severe negative consequences. To effectively preserve evidence, organizations use legal holds (sometimes called litigation holds) to notify custodians that specific data is subject to the preservation policy. 

Outside the US, preservation policies may exist to ensure information remains available for other reasons. These reasons include internal investigations, regulatory investigations, M&A, and many others. If for whatever reason a specific exception needs to be made from the retention policy, a preservation policy can facilitate it. 

In Conclusion: the benefits of data retention 

With all the requirements and inventories, it’s easy to lose track of the benefits of retention. Those benefits aren’t only about avoiding issues, either. In fairness, enabling compliance with internal, legal and regulatory requirements is the key benefit. But there’s also the reduction of storage costs due to less data being stored. The expedition of backup processes and data recovery, owing to the reduction in the amount of data stored. Finally, thanks to superior organization and an overall reduction in size, the database is more easily searched when needed. This means that the data that is retained can be accessed faster and easier.