An organization’s data retention policy controls how it saves data for compliance or regulatory reasons, as well as how it disposes of data once it is no longer required. Even a simple data retention policy should clarify how records and data should be formatted, how long they must be kept, and what storage system or devices are used to retain them. All of these factors will typically be based on the rules of whatever regulatory body governs the industry.
Data retention policies concern what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements. This way, primary storage stays cleaner and the organization remains compliant.
Of course it is important to retain historical data for use, but data retention policies really exist to fulfill regulatory requirements. Organizations subject to these kinds of data retention requirements do not have the financial ability to retain all data forever, nor is that even a desirable goal.
Instead, organizations must demonstrate that they selectively retain and delete data according to the specific regulatory requirements of their industry and locale. For instance, personnel records and sensitive financial or medical records may all have different retention periods and processes.
Organizations frequently develop their own data retention policies; however, they must also ensure those policies meet or exceed all applicable data retention laws – especially in tightly regulated verticals. For this reason, organizations often use a template that is industry-specific.
A publicly-traded United States companies must establish a Sarbanes-Oxley Act (SOX) data retention policy, for example. Organizations that accept credit card payments must establish Payment Card Industry Data Security Standard (PCI DSS) data retention policies. Health care organizations must develop data retention policies that adhere to the Health Insurance and Portability and Accountability Act (HIPAA). And any business that processes or stores personal information about EU citizens must comply with the General Data Protection Regulation (GDPR), whether or not they are member states.
A standard data retention policy example will first set forth its purposes in retaining information, define the users it concerns, and clarify its scope. It will then refer to relevant reference documents, laws and regulations. Next it will usually discuss the detailed data retention requirements, such as a general retention schedule, rules for safeguarding data during retention, guidelines for destruction of data, and rules for breach, enforcement, and compliance.
When considering a personal data retention policy, you must carefully audit all data collected to be sure it covers everything your organization stores. Data stored in databases, documents, email, financial data, images, production data, system state information, and videos might all be important for your personal policy
Next, consider the location of the data subject. In some cases, data located in different places may require unique data retention policies. This is, in part, because different business and legal requirements may control various databases, servers, hardware, and other locations.
Any data retention policy guidelines should touch upon backup frequency. Relevant questions include:
Is there a risk of data loss? If so, how severe is that risk?
Should we backup the data more than once a day? If so, how often?
How long should we keep the data—and does it change depending on the type of data?
This is an example of a schedule set forth in this kind of data backup and retention policy:
Retain every daily backup for 7 days
Retain every weekly backup for 4 weeks
Retain every monthly backup for 12 months
Retain every annual backup for 7 years
Finally, ensure you eliminate any data silos or islands of data outside the backup process, including desktops, laptops, and remote offices.
Before modifying or creating a data retention policy, it’s important to consider many factors beyond what is legally required of the organization. For example, there are compelling business reasons—such as a need to redeem or reject credits or warranties—to retain data and records. There could even be a recall or change in standards in your industry.
As you consider how to create a data retention policy or audit an existing one, keep these questions in mind:
What is the industry standard for data retention and maintenance of business records?
How does that standard and your organization’s data retention policy affect your ability to sell the organization or acquire other organizations in the future?
Would your existing storage and purging process and IT data retention policy provide you with adequate data in case of an audit of tax records, or data on labor law practices?
Would your employee data retention policy offer you sufficient information to defend against an employee tort such as a sexual harassment claim, or an employment practices claim?
Can your customer data retention policy arm you in the event of a product liability lawsuit?
Does your electronic data retention policy include protection from data loss and allow you to recover in case of server failure, premises disaster, data corruption from viruses, deliberate sabotage, accidental destruction, and other catastrophes?
Any organization subject to regulations needs a data retention policy, but there are other reasons to develop one. These storage best practices also offer other benefits to any organization.
Data retention policies in information management are the crux of data management more generally. Both paper documentation and electronic information fuel the work of organizations, and often large streams of digital information cannot easily be stored or cataloged in traditional filing systems.
Identifying and capturing accounting records, customer correspondence, electronic communications financial data, sales data, and other mission critical digital business data does more than ensure compliance. These practices also help organizations resume operations following a disaster by backing up the correct data often enough to recover from emergencies.
Routinely auditing your data retention policy in information management also offers your organization the chance to remove outdated and duplicated files. Deleting duplicated and outdated data expedites searches, avoids confusion, and enhances the user experience.
Smarter, more streamlined data retention policies can make more storage available, by saving space for new data and files. Part of this might include migrating older data to the cloud while eliminating duplicates. The entire process saves time and money overall with lower storage costs and increased speed.
Yes, Druva provides a comprehensive, cloud-native data retention solution designed for modern enterprise needs. Delivered as a fully-managed SaaS platform, Druva enables organizations to securely retain data across cloud, data centers, and endpoints with simplified management and predictable costs. Its intelligent automation ensures compliance with regulatory requirements while optimizing storage by automatically tiering data to cost-efficient Amazon S3 storage classes.
With Druva, you get scalable, frictionless data retention that reduces operational overhead and eliminates costly infrastructure. Protect your critical data long-term with seamless backup, archiving, and secure deletion — all accessible through a single pane of glass.
Explore Druva's long-term data cloud archive solution and watch the video below to learn more.
A data retention policy is a set of rules that an organization follows to manage how it stores, protects, and deletes data. It defines what data should be kept, for how long, where it is stored, and when it should be securely removed. This helps ensure compliance with legal and regulatory requirements.
A data retention policy is important because it helps organizations comply with laws, protect sensitive information, reduce storage costs, and improve efficiency. It also minimizes the risk of data breaches and ensures that necessary data is available for audits or business use.
The length of time to keep data depends on the type of data and applicable laws. For example, financial records might need to be kept for seven years, while employee records may have different retention periods. Organizations should follow legal and industry standards to decide the appropriate retention time.
After the retention period ends, data should be either securely deleted or archived based on the organization's policy. Secure deletion prevents unauthorized access, while archiving moves data to less accessible storage for historical reference. This helps free up space and reduce compliance risks.
To comply with various regulations, organizations need to create data retention policies that address the specific requirements of each relevant law, such as GDPR, HIPAA, or SOX. Regular audits, staff training, and using automation tools to enforce retention schedules help maintain compliance effectively.
Now that you’ve learned about the data retention policy, brush up on these related terms with Druva’s glossary:
