Data retention policy

Data retention policies concern what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements. This way, primary storage stays cleaner and the organization remains compliant.

Of course it is important to retain historical data for use, but data retention policies really exist to fulfill regulatory requirements. Organizations subject to these kinds of data retention requirements do not have the financial ability to retain all data forever, nor is that even a desirable goal.

Instead, organizations must demonstrate that they selectively retain and delete data according to the specific regulatory requirements of their industry and locale. For instance, personnel records and sensitive financial or medical records may all have different retention periods.

Organizations frequently develop their own data retention policies; however, they must also ensure those policies meet or exceed all applicable data retention laws – especially in tightly regulated verticals. For this reason, organizations often use a data retention policy template that is industry-specific.

A publicly-traded United States companies must establish a Sarbanes-Oxley Act (SOX) data retention policy, for example. Organizations that accept credit card payments must establish Payment Card Industry Data Security Standard (PCI DSS) data retention policies. Health care organizations must develop data retention policies that adhere to the Health Insurance and Portability and Accountability Act (HIPAA). And any business that processes or stores personal information about EU citizens must comply with the General Data Protection Regulation (GDPR), whether or not they are member states.

A standard data retention policy example will first set forth its purposes in retaining information, define the users it concerns, and clarify its scope. It will then refer to relevant reference documents, laws and regulations. Next it will usually discuss the detailed data retention requirements, such as a general retention schedule, rules for safeguarding data during retention, guidelines for destruction of data, and rules for breach, enforcement, and compliance.

When considering a personal data retention policy, you must carefully audit all data collected to be sure your data retention policy considers all personal data your organization stores. Data stored in databases, documents, email, financial data, images, production data, system state information, and videos might all be important for your personal data retention policy.

Next, consider the location of the data subject. In some cases, data located in different places may require unique data retention policies. This is, in part, because different business and legal requirements may control various databases, servers, hardware, and other locations.

Any data retention policy guidelines should touch upon backup frequency. Relevant questions include:

• Is there a risk of data loss? If so, how severe is that risk?
• Should we backup the data more than once a day? If so, how often?
• How long should we keep the data—and does it change depending on the type of data?

This is an example of a retention schedule set forth in this kind of data backup and retention policy:

• Retain every daily backup for 7 days
• Retain every weekly backup for 4 weeks
• Retain every monthly backup for 12 months
• Retain every annual backup for 7 years

Finally, ensure you eliminate any data silos or islands of data outside the backup data retention policy, including desktops, laptops, and remote offices.

Any organization subject to regulations needs a data retention policy, but there are other reasons to develop one. Data retention policy best practices also offer other benefits to any organization.

Data retention policies in information management are the crux of data management more generally. Both paper documentation and electronic information fuel the work of organizations, and often large streams of digital information cannot easily be stored or cataloged in traditional filing systems.

Identifying and capturing accounting records, customer correspondence, electronic communications financial data, sales data, and other mission critical digital business data does more than ensure compliance. These practices also help organizations resume operations following a disaster by backing up the correct data often enough to recover from emergencies.

Routinely auditing your data retention policy in information management also offers your organization the chance to remove outdated and duplicated files. Deleting duplicated and outdated data expedites searches, avoids confusion, and enhances the user experience.

Smarter, more streamlined data retention policies can make more storage available, by saving space for new data and files. Part of this kind of electronic data retention policy might be migrating older data to the cloud while eliminating duplicates. The entire process saves time and money overall with lower storage costs and increased speed.

Before modifying or creating a data retention policy, it’s important to consider many factors beyond what is legally required of the organization. For example, there are compelling business reasons—such as a need to redeem or reject credits or warranties—to retain data and records. There could even be a recall or change in standards in your industry.

As you consider how to create a data retention policy or audit an existing one, keep data retention policy best practices in sight:

• What is the industry standard for data retention and maintenance of business records?
• How does that standard and your organization’s data retention policy affect your ability to sell the organization or acquire other organizations in the future?
• Would your data retention and purging policy and IT data retention policy provide you with adequate data in case of an audit of tax records, or data on labor law practices?
• Would your employee data retention policy offer you sufficient information to defend against an employee tort such as a sexual harassment claim, or an employment practices claim?
• Can your customer data retention policy arm you in the event of a product liability lawsuit?
• Does your electronic data retention policy include protection from data loss and allow you to recover in case of server failure, premises disaster, data corruption from viruses, deliberate sabotage, accidental destruction, and other catastrophes?

The Druva Cloud Platform is a SaaS data protection solution engineered to manage and protect enterprise backup data across cloud, data center, and endpoint workloads. Built on AWS and delivered as-a-service, Druva Cloud Platform offers single-click enablement of cloud data retention across Amazon S3 storage tiers giving you predictable cloud storage costs with consumption-based pricing and no egress charges.

Explore Druva's long-term data retention applications on the website, and watch the video below to learn more.

Now that you’ve learned about the data retention policy, brush up on these related terms with Druva’s glossary:

• What is the 3-2-1 backup rule?
• What is a hybrid cloud?
• What is an RPO?