The Essentials of Data Retention: Policies, Plans, and Templates

Data retention, or records retention, is the practice of keeping records for set periods of time to comply with business needs, industry guidelines, and regulations. A strong data retention policy should detail how long data and records are kept and how to make exceptions to the schedule in the case of lawsuits or other disruptions. 

The policy should also explain who is responsible for each category of data, and if data that is no longer needed should be archived or deleted.

It’s not easy to create a policy and schedule for deleting or archiving data. It will take research to discover which regulations, policies, and other factors you should apply to each category of data and how to account for exceptions. Each responsible person and team will need to contribute, and you can expect many different ideas. Here are some recommended steps:

• Build a team. Determine who needs to contribute to the policy (e.g., legal, IT administrators, departmental business owners, etc.) and gain buy-in and representation from each team or person.
• Sort data into categories. Each organization will have its own specific needs, but examples of common categories include tax documents, payroll documents, and sales documents.
• Determine which regulations, policies, and laws need to apply to each data item. Again, each organization will differ. Location (of both customers and the business itself) will have a big impact.
• Compose the policy. See the list of questions below to begin the discussion.
• Set time limits. Give each item a default time limit for archiving or deletion. As a rule of thumb, permanent retention should be rare.
• Communicate the policy. Notify all affected employees and teams, and let them know how it affects them.
• Revisit the policy. Needs change, so part of the plan should be to revisit the policy on a regular basis and make adjustments.

When drafting your policy, start by answering these questions:

• How will you determine applicable laws, rules, policies, or practices for each category?
• Who has specific obligations under the data retention policy?
• Who’s responsible for each item type?
• How will you enforce the policy? 
• What’s the communication plan (both initial and ongoing)?
• When more than one law or policy covers a data category, how will you determine which one to follow?
• When should items be archived, and when should they be deleted?
• What items will be considered temporary records and therefore are not subject to the retention policy?
• When should data be exempt from the deletion policy?
• What is the process for exempting data?
• Will original documents and copies be subject to different policies? 
• Which documents will require revision histories?
• For records that were involved in a lawsuit, governmental action, audit, or other legal action, have you considered the appeals period and statute of limitations process as part of the policy?
• For employee and payroll records, have you considered the separation date for former employees?
• Is any data subject to possible Freedom of Information Act (FOIA) requests?
• Will you treat B2C data differently than B2B data?

You can download the following free Word templates and use them to write and manage your own data retention policy:

Use the following data retention plan template to create the policy. This template contains sections for laying out the key provisions of the policy, including how to respond to legal requests and how to record related business requirements, as well as procedures for deleting and archiving data. The template also contains a section for revision history, so you can track changes and updates.

‌ Download Data Retention Plan Template — Word

If your organization will handle electronic records differently than paper records, use the electronic data retention plan template. The document contains the same sections as the data retention policy plan. But if you plan to treat electronic documents the same, this template is superfluous.

‌ Download Electronic Data Retention Plan Template — Word

Use the data retention schedule template to record the retention periods for each data type. The template contains sections for common categories of business data, such as taxes, payroll, and leases. Each section contains common documents. There is also room at the bottom of each section to add other documents.  

Download Data Retention Schedule Template

Excel | Word | PDF

Use this data retention implementation plan template to roll out the policy. The template includes sections for communication plan milestones, the name of the person responsible for each activity, the target date, and project status. It also has a section to remind users to revisit the policy on a recurring basis so they can add improvements. 

Download Data Retention Implementation Plan Template

Excel | Word | PDF

The data retention period is the amount of time that an organization keeps a particular type of data. Different data types should have different retention periods.

A good rule of thumb is that data should be kept only as long as it's useful (i.e., for your business needs) and as short a time as required (i.e., according to laws and regulations).

However, the answer is more complicated than that. Certain laws and regulations cover different data types, and if there’s a lawsuit or audit that involves the data, the answer will change. Industry policies and business needs may also come into play.

You can use data to answer questions about a business’s performance, plan for its future, contact customers, and protect them in case of audits or lawsuits. To make this happen, you’ll need to know what data you have stored and how to access it.

A data retention system is a software program that automatically deletes or archives data, based on rules entered by the users. Some examples are IBM system storage archive manager, Oracle information lifecycle management, LZMA, and 7-Zip.

Generally, historical data retention is just another name for data retention. The term is used as a setting title in some software products.

A backup is a copy of the data made in case something happens to the original. When you apply a policy to that backup copy, it is known as backup data retention.

Creating a data retention policy can seem daunting, but the following tips will alleviate stress and help you create the strongest possible policy for your organization:

• Simple Is Better: Employees have a lot to do, so making their involvement easy will lead to higher chance of adherence. To keep things simple, limit the number of record categories and the number of retention periods, and have a once-per-year time when you request that employees delete or archive their records.
• Communicate: Once you’ve created the policy, let everyone know their part in it. Also let them know when it’s time to review their records and delete or archive anything that has passed its retention period. 
• Gather Feedback: As with all policies, get feedback from those who are impacted by it, and use their input to improve it.

Once a data retention policy is in place, an organization will see many benefits from it, including the following:

• The removal of outdated and duplicate data can reduce storage costs and free up more storage space.
• Important and vital records and data will be saved for future uses.
• You’ll enjoy greater flexibility and agility because only current and relevant data are in reports and views.
• Archiving certain data rather than deleting it ensures that important records and documents are available for future use.
• Having a set process for retaining data simplifies data management.
• Managing data helps avoid civil, criminal, or financial penalties because you are complying with regulations and policies.
• Deleting old content that’s no longer needed reduces the risk of litigation and security breaches.

Privacy and security concerns, law enforcement needs, and a few other factors have changed regulations and made data retention a little trickier than it used to be.

• The Sarbanes-Oxley Act, which became law in the United States in 2002 after a number of accounting and corporate scandals, imposed restrictions on how data, specifically accounting and financial data, is stored and reported.
• With the HIPAA Act, signed into law in the United States in 1996, record keepers had to be especially careful with the security of patient information and medical files. 
• For companies doing business in the EU, the GDPR rule mandates how personal information is treated and how long it can be retained.
• For government agencies, data is covered by the Freedom of Information Act (FOIA) and other open access laws. 
• For organizations that process payments, the Payment Card Industry Data Security Standard (PCI DSS) requires that companies implement strict security standards.
• For financial organization based in countries other than the United States, the Foreign Account Tax Compliance Act (FATCA) requires transactions and assets linked to U.S. citizens be reported to the Department of Treasury.
• Organizations need to balance the needs of retaining data in case it’s needed vs. costs of continued storage.
• Data can be used for multiple purposes, so determining what retention period applies may be complicated.

When organizations create or revise a data retention policy, the following actions will help. 

• First and foremost, have a data retention policy that meets legal requirements, business needs, and other important factors. 
• When creating a policy, start small and ramp up as your needs change.
• Keep it as simple as possible to help with employee adherence.
• Implement different lifecycles for different data types, due to different legal and business impacts.
• If data includes customer, subscriber, or user information, inform customers how their information is stored by type. 
• Keep information on customers, subscribers, and users for no longer than necessary. If data has customer, subscriber, or user information that isn’t required (e.g., sales growth data), anonymize it.
• When possible, allow customers, subscribers, and users to have control over how their data is employed, and give them instructions on what steps they can take.
• Be able to justify the reasons behind the policy details.
• Use software to manage the data retention tasks. Automation is good. Some examples of software that you can use are IBM system storage archive manager, Oracle information lifecycle management, LZMA, and 7-Zip.
• Maintain the ability to override the software. For example, a lawsuit or audit may require you to keep data longer than the policy deems.
• Consider whether data should be archived vs. deleted. Deletion is permanent, but archiving incurs running costs. Deletion costs less, but archiving can solve possible problems in the future.
• Files that are not frequently accessed should be moved to a lower-level archive so that you can find other data more easily.
• You should organize and store archived data so that you can access and search it when needed.
• Back up data. This is not only a good idea for data retention, but for data management in general.
• Ensure data is secure throughout its lifecycle. This is not specific to data retention.
• Following the MoReq2010 standard helps improve electronic records management.  While it’s more prominent in the EU, it can be applied anywhere.

If you use a software program, follow the instructions included. If your process is manual, your test will also have to be manual.

A data retention act is any law that applies to how long data can or should be kept and how it’s secured. Some examples are listed below.

If you are looking for information about data retention by U.S. government agencies for crime and terrorism prevention, see NSA and FBI.

The General Data Protection Regulation (GDPR) is an EU law that went into effect in 2018. It deals with data privacy for people living in the European Union. 

In addition, the GDPR applies to non-EU organizations that offer goods or services to, observe the behavior of, or process and hold personal data about EU citizens, no matter where the company is headquartered. 

The key points that the GDPR covers are the responsibilities of data controllers (i.e., any organization that collects data) and data processors, as well as the rights of data subjects (e.g., customers or users of a website, mobile subscribers). The GDPR also lays out the penalties for noncompliance.

Personal data is information relating to an EU citizen, whether it concerns their private, professional, or public life.

Ironically, part of data retention is data destruction. When data is no longer needed, it can be destroyed to reduce storage costs and the chances of it being stolen. Here are a few examples that have been posted online:

• FIRST: A safety-related group for first responders.
• OASIS: An organization promoting open-source software.  
• NCoN: A resource for nonprofits.

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.