A Best Practices Guide for Data Retention Policies

November 12, 2019
Compliance, Data Protection

Best Practices for Data Retention Policies hero banner

Updated: July 17, 2023

According to recent research, we create a whopping 2.5 quintillion bytes of data each day. That's thousands of billions of bytes we need to process — and it's only going to expand over time. So much data can quickly get out of hand without an effective retention policy in place to manage it.

A data retention policy is also essential for complying with industry standards. Below, we'll go over the best practices for creating a data retention policy and why it's so important.

What Is a Data Retention Policy?

A data retention policy is a set of rules defining your company's procedures for holding on to older data. It may also be called a records retention policy.

This policy should clearly explain:

  • Storage and disposal protocols.
  • Data formatting guidelines.
  • Systems and devices for storing data.
  • Length of retention period.

Specific rules vary depending on which standards your organization follows. For example, any company that does business in the European Union must comply with the General Data Protection Regulation.

Why Are Data Retention Policies Important for Businesses?

The main goal of a data retention policy is to document your process for retaining and disposing of data. It's a key component of your organization's data management strategy, and its benefits go beyond meeting compliance requirements.

The secondary goal is to enable your organization to optimize data management systems so you can get the most out of your data.

The business benefits of an effective data retention policy include:

  • Disaster recovery: Proper data management involves frequent backups and archiving so you can quickly get back to work following a disaster.
  • Enhanced performance: Routine auditing and evaluation help you find and dispose of outdated or duplicated files. By freeing up system resources, you speed up search functionality and improve the user experience.
  • Cost savings: Streamlined data retention procedures help you save drive space, reducing storage and operational costs. Additionally, you reduce your chances of having to pay noncompliance-related fines.

What Laws Regulate Data Retention Policies?

Unlike many other countries, the United States does not have any overarching data retention laws in place. However, certain government agencies have rules in place for specific businesses and industries.

Here are some of the most common data retention requirements by industry:

  • Sarbanes-Oxley Act: Organizations must retain select auditing documents for seven years after the audit's completion.
  • Gramm-Leach-Bliley Act: This act's Safeguards Rule regulates how financial services companies protect customer information. It states that financial institutions must dispose of customer data no later than two years after its last use.
  • Fair Labor Standards Act: Employers must retain employee records, including personal information, payroll data and hours worked, for at least three years. Records containing the basis for computing wages have a mandatory retention period of only two years.
  • Payment Card Industry Data Security Standard: Any business accepting credit card payments must comply with this standard. While each business may create its own specific policies, all must submit covered data for annual audits.
  • Health Insurance Portability and Accountability Act: All businesses dealing with electronic health information must follow this act's retention requirements. Specifically, the act requires organizations to retain all electronic health records for at least six years.

Data Retention Policy Best Practices

When you're creating your data retention policy, keep these best practices in mind.

1. Start With Your Data

Manually discovering and tagging so much data is often time-consuming and inefficient. You can streamline the process with automation and artificial intelligence.

You can't manage data you don't know you have. Discovering and classifying all your data is a critical step in creating a data retention policy. This process eliminates data silos that limit visibility, such as departmental drives and employee devices, so you can organize as needed.

Manually discovering and tagging so much data is often time-consuming and inefficient. You can streamline the process with automation and artificial intelligence, which can locate hidden data and sort it into policy categories.

2. Get Buy-In From All Stakeholders

Stakeholder support is critical for making any change in your organization. That includes creating and updating your data retention policies.

Here are a few tips for bringing stakeholders on board:

  • Engage at the right time: Once you know who your key stakeholders are, determine the best point in the process for reaching out. You'll usually want to start with executives and other senior stakeholders before reaching out to general staff.
  • Clearly articulate your needs: Stakeholders are more likely to buy in if you're direct about what you need from them and when. Provide a hard deadline so they know how much time they have.
  • Show policy value: Be prepared to show your stakeholders how the policy will benefit your organization.

3. Document Lifecycle Management Procedures

Thorough documentation is an essential component of satisfying regulatory mandates because it serves as evidence that your company adheres to the required regulations. Data lifecycle requirements will vary based on your industry.

The typical data lifecycle consists of five stages:

  1. Creation: Your business generates and collects necessary data from various sources, such as applications, Internet of Things devices and user surveys.
  2. Storage: After classification, data undergoes processing and storage. This step helps ensure that your sensitive data meets all applicable regulations for the data type and industry.
  3. Usage and sharing: The data becomes available to the relevant business users. A data lifecycle management policy governs who these users are and for what purpose they can use the data.
  4. Archival: When the data is no longer useful for your day-to-day operations, you move it to a secondary or tertiary storage location. If the data becomes relevant to operations again during the retention period, you can restore it from the archive.
  5. Disposal or deletion: Once the required retention period is over — or the data becomes obsolete — you must securely destroy it to free up space for new data.

Consider creating two versions of your policy — one for legal purposes and the other for internal use. The internal version should be free of legal jargon so stakeholders can easily understand your retention requirements.

graphic which outlines the eight different best practices for data retention policymaking covered in the article

4. Only Retain the Data You Need

While it may seem like a safe way to ensure compliance with government and industry regulations, holding on to outdated data actually opens your organization up to increased risk.

The more data your organization keeps, the bigger your attack surface is. Shrinking your attack surface is critical for reducing your vulnerability to cyber attacks. An effective data retention policy is one of the best ways to reduce your attack surface.

Excessive data retention also takes up valuable storage space, which you'll need for new data. The less space is available, the more difficult it will be to scale your business when the time comes. Specifying what happens to each type of data after the retention period ends is vital for ensuring secure disposal. For example, if you must delete one type of data, clarify how and why you should do so.

5. Keep Your Policy Simple

Create two versions of your policy documentation for internal and legal use. The internal second copy will contain plain language, which ensures your employees and other key stakeholders will understand your policy and its necessity. This way, you maximize the likelihood they will adhere to your policy and enable compliance with the applicable regulations.

A good rule is to start small with your policy and make adjustments as you go. Begin by addressing the applicable regulatory requirements and adapt as needed.

6. Back Up Data Consistently

Having a complete backup of all your data is important for more than compliance purposes — it also significantly reduces the risk of data loss in the event of a disaster. Backing up your data creates a second copy that you store in a different location for quick recovery in the event of a disaster.

While you're writing your data retention policy, determine a backup retention schedule that both makes sense for your organization and complies with applicable regulations. For example, you might retain all daily backups for one week, or you might retain all monthly backups for one year. The right schedule for your company depends on your risk of data loss and applicable regulatory requirements.

A cloud-based Backup-as-a-Service solution streamlines the process by automatically running backups on a predefined schedule and storing them in a secured location. Look for a solution that integrates with other applications in your tech stack for optimal results.

7. Invest in an Archiving Solution

An archive differs from a backup in that it is a collection of inactive data you need to retain for compliance purposes. Traditional archives were placed on tapes or hard drives, but more modern systems use cloud-based repositories.

Moving old data to a secure archive opens up space on your primary drives, which enhances system performance and helps boost productivity. Additionally, a good archive improves your ability to meet key data retention policy requirements by streamlining organization.

When you're deciding which archiving system to use, look for one with built-in security features and advanced search functionality. These features allow you to save time looking for data while minimizing your risk of data loss due to cyberattacks.

8. Be Transparent

According to Cisco's 2022 Consumer Privacy Survey, data transparency is the best way companies can build trust with their customers. In fact, more respondents chose data transparency as their top concern than selling information. When customers know what your company does with their data, they're more likely to feel comfortable buying from you.

Essentially, be open about what data you retain from customers and end users, and allow users to exercise control over their data whenever possible.

How to Create a Data Retention Policy

While creating a data retention policy is a simple process, it's also vital for success in this data-driven age. Your data retention policy should address the following concerns:

  • What data you are collecting and why.
  • Where you will store all the data.
  • How your organization will protect sensitive data.
  • How long your organization will retain data.

Before you begin writing your policy, create a team that will work together in drafting the policy. This team should comprise an accurate representation of your entire organization, including your finance and accounting departments, in-house legal team and other affected department managers.

Data retention policies should address what data you're collecting and why, where you will store the data, how your organization will protect sensitive data, and how long your organization will retain data

Once you have a team together, follow these steps.

1. Data Discovery and Classification

This vital step involves finding and accurately classifying all your data, including but not limited to:

  • Databases.
  • Emails.
  • Customer data.
  • Employee documentation.
  • Billing information.
  • Transaction records.
  • Medical documentation.
  • Business contracts.

Carefully audit all data to ensure your policy encompasses all the personal data your organization stores. Then, organize all the data into policy categories. Because this process can be time-consuming, consider leveraging automation or artificial intelligence to sort your data for you.

2. Legal Review

Determine which laws and regulations apply to each type of data. For example, are there guidelines you need to follow regarding specific data types, or certain stages of the data lifecycle? Additionally, consider where you store your data and how this will affect compliance with key regulations.

While you need to prioritize legal compliance, you'll also want to consider how your policy will impact business efficacy. Design your policies so they streamline business-critical processes and promote operational efficiency for the best results.

3. Write the Policy

Thorough, accessible documentation is critical for more than compliance — employees need to be able to refer to the procedure any time they need to process data. Use straightforward language and clear step-by-step protocols to ensure everyone in your organization can follow the process.

Working with an IT consulting company can help you make sure your policy covers all your bases.

4. Assign Responsibilities

Determine who is responsible for archiving each type of data and how long they must retain those archives. Then, develop a plan for enforcing the policy. Collaboration with your HR or legal department will be vital for finding feasible enforcement methods.

Once you've finalized this step, communicate the policy to all affected employees and teams. Like with your overall retention policy, it's important to make thorough documentation accessible to all employees so they can refer to it as needed.

5. Update Policies as Needed

Data retention policy standards change frequently, so it's important to remember to leave room for future adjustments during the policy creation phase.

First, determine how often you will need to perform a data retention policy review. For example, if your organization is ISO-certified, you might want to review your retention policy every time the ISO standard updates.

Then, decide who will be responsible for conducting this review. Will you work with the same team who drafted the policy, or only a specific group of members? This decision may vary based on what types of data the policy covers and who is responsible for managing it.

Finally, make sure you can effectively communicate the changes to your employees every time you update your policies.

Consult With US Signal for Data Retention Guidance

Consult with US Signal for Data Retention Guidance

If your organization needs to create new data retention policies or update existing ones, consider working with US Signal. We offer managed IT services and technological solutions for companies across all industries, so you can harness the full power of your data.

Contact us to learn more about what we can do for your organization.

Additional Data Management Resources

To learn more about data management, check out these articles below from our blog or visit our resource center for whitepapers, e-books and more!