A standard data retention policy example will first set forth its purposes in retaining information, define the users it concerns, and clarify its scope. It will then refer to relevant reference documents, laws and regulations. Next it will usually discuss the detailed data retention requirements, such as a general retention schedule, rules for safeguarding data during retention, guidelines for destruction of data, and rules for breach, enforcement, and compliance.
When considering a personal data retention policy, you must carefully audit all data collected to be sure your data retention policy considers all personal data your organization stores. Data stored in databases, documents, email, financial data, images, production data, system state information, and videos might all be important for your personal data retention policy.
Next, consider the location of the data subject. In some cases, data located in different places may require unique data retention policies. This is, in part, because different business and legal requirements may control various databases, servers, hardware, and other locations.
Any data retention policy guidelines should touch upon backup frequency. Relevant questions include:
- Is there a risk of data loss? If so, how severe is that risk?
- Should we back up the data more than once a day? If so, how often?
- How long should we keep the data—and does it change depending on the type of data?
This is an example of a retention schedule set forth in this kind of data backup and retention policy:
- Retain every daily backup for 7 days
- Retain every weekly backup for 4 weeks
- Retain every monthly backup for 12 months
- Retain every annual backup for 7 years
Finally, ensure you eliminate any data silos or islands of data outside the backup data retention policy, including desktops, laptops, and remote offices.
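The retention schedule above can be applied mechanically to a backup catalogue to decide which copies to keep and which to destroy. The following is an added example, not part of the original page; it assumes a backup taken on a Sunday counts as the weekly one, on the 1st of a month as the monthly one, and on 1 January as the annual one, and all function names are hypothetical.

```python
from datetime import date, timedelta

# Retention windows from the schedule above.
DAILY_DAYS, WEEKLY_DAYS, MONTHLY_MONTHS, ANNUAL_YEARS = 7, 4 * 7, 12, 7

def tiers(day):
    """Assumed classification: Sunday = weekly, 1st = monthly, 1 Jan = annual."""
    found = ["daily"]
    if day.weekday() == 6:
        found.append("weekly")
    if day.day == 1:
        found.append("monthly")
        if day.month == 1:
            found.append("annual")
    return found

def is_retained(tier, day, today):
    """True while a backup of this tier is still inside its window."""
    if tier == "daily":
        return (today - day).days < DAILY_DAYS
    if tier == "weekly":
        return (today - day).days < WEEKLY_DAYS
    if tier == "monthly":
        months = (today.year - day.year) * 12 + (today.month - day.month)
        return months < MONTHLY_MONTHS
    return today.year - day.year < ANNUAL_YEARS  # annual

def plan(backup_days, today):
    """Split backups into {day: tiers that keep it} and a list to destroy."""
    keep, expire = {}, []
    for day in sorted(backup_days):
        if day > today:
            raise ValueError(f"backup dated in the future: {day}")
        reasons = [t for t in tiers(day) if is_retained(t, day, today)]
        if reasons:
            keep[day] = reasons
        else:
            expire.append(day)
    return keep, expire

# Constructed sample: one backup per day from 2016-01-01 to 2024-06-15.
TODAY = date(2024, 6, 15)
SAMPLE = [date(2016, 1, 1) + timedelta(days=n)
          for n in range((TODAY - date(2016, 1, 1)).days + 1)]

if __name__ == "__main__":
    keep, expire = plan(SAMPLE, TODAY)
    print(f"keep {len(keep)}, destroy {len(expire)}")
    for day, reasons in keep.items():
        print(day, ",".join(reasons))
```

A backup is kept as long as any tier it belongs to is still inside its window, so the list of dates to destroy contains only copies that no tier of the schedule still requires.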