The Essentials of Data Retention: Policies, Plans, and Templates

Smartsheet Contributor Andy Marker on Jul 17, 2019

In this article, you’ll learn about data retention policies, how to write one for your company, and what regulations and laws should guide your own policy. Plus, you can download free, customizable templates for Microsoft Word to help get you started. 

Included on this page, you'll find details on what a data retention policy is, data retention policy templates, data retention laws, and information on data retention best practices.


What Is Data Retention and What Is a Data Retention Policy?

Data retention, or records retention, is the practice of keeping records for set periods of time to comply with business needs, industry guidelines, and regulations. A strong data retention policy should detail how long data and records are kept and how to make exceptions to the schedule in the case of lawsuits or other disruptions. 

The policy should also explain who is responsible for each category of data, and whether data that is no longer needed should be archived or deleted.



How to Create a Data Retention Policy and Schedule

It’s not easy to create a policy and schedule for deleting or archiving data. It will take research to discover which regulations, policies, and other factors you should apply to each category of data and how to account for exceptions. Each responsible person and team will need to contribute, and you can expect many different ideas. Here are some recommended steps:

  • Build a team. Determine who needs to contribute to the policy (e.g., legal, IT administrators, departmental business owners) and gain buy-in and representation from each team or person.
  • Sort data into categories. Each organization will have its own specific needs, but examples of common categories include tax documents, payroll documents, and sales documents.
  • Determine which regulations, policies, and laws need to apply to each data item. Again, each organization will differ. Location (of both customers and the business itself) will have a big impact.
  • Compose the policy. See the list of questions below to begin the discussion.
  • Set time limits. Give each item a default time limit for archiving or deletion. As a rule of thumb, permanent retention should be rare.
  • Communicate the policy. Notify all affected employees and teams, and let them know how it affects them.
  • Revisit the policy. Needs change, so part of the plan should be to revisit the policy on a regular basis and make adjustments.

When drafting your policy, start by answering these questions:

  • How will you determine applicable laws, rules, policies, or practices for each category?
  • Who has specific obligations under the data retention policy?
  • Who’s responsible for each item type?
  • How will you enforce the policy? 
  • What’s the communication plan (both initial and ongoing)?
  • When more than one law or policy covers a data category, how will you determine which one to follow?
  • When should items be archived, and when should they be deleted?
  • What items will be considered temporary records and therefore are not subject to the retention policy?
  • When should data be exempt from the deletion policy?
  • What is the process for exempting data?
  • Will original documents and copies be subject to different policies? 
  • Which documents will require revision histories?
  • For records that were involved in a lawsuit, governmental action, audit, or other legal action, have you considered the appeals period and statute of limitations process as part of the policy?
  • For employee and payroll records, have you considered the separation date for former employees?
  • Is any data subject to possible Freedom of Information Act (FOIA) requests?
  • Will you treat B2C data differently than B2B data?

How to Write a Data Retention Policy

You can download the following free Word templates and use them to write and manage your own data retention policy:

Use the following data retention plan template to create the policy. This template contains sections for laying out the key provisions of the policy, including how to respond to legal requests and how to record related business requirements, as well as procedures for deleting and archiving data. The template also contains a section for revision history, so you can track changes and updates.

 

Data Retention Policy Plan Template

Download Data Retention Plan Template — Word

If your organization will handle electronic records differently than paper records, use the electronic data retention plan template. The document contains the same sections as the data retention policy plan. But if you plan to treat electronic documents the same, this template is superfluous.

 

Electronic Data Retention Policy Plan Template

Download Electronic Data Retention Plan Template — Word

Use the data retention schedule template to record the retention periods for each data type. The template contains sections for common categories of business data, such as taxes, payroll, and leases. Each section contains common documents. There is also room at the bottom of each section to add other documents.  

 

Data Retention Policy Schedule Template

Download Data Retention Schedule Template

Excel | Word | PDF

Use this data retention implementation plan template to roll out the policy. The template includes sections for communication plan milestones, the name of the person responsible for each activity, the target date, and project status. It also has a section to remind users to revisit the policy on a recurring basis so they can add improvements. 

 

Data Retention Policy Implementation Template

Download Data Retention Implementation Plan Template

Excel | Word | PDF


What Is a Data Retention Period?

The data retention period is the amount of time that an organization keeps a particular type of data. Different data types should have different retention periods.


How Long Should Data Be Kept?

A good rule of thumb is that data should be kept only as long as it's useful (i.e., for your business needs) and for the minimum period that laws and regulations require, but no longer.

However, the answer is more complicated than that. Certain laws and regulations cover different data types, and if there’s a lawsuit or audit that involves the data, the answer will change. Industry policies and business needs may also come into play.


Why Is Data Retention Important?

You can use data to answer questions about a business’s performance, plan for its future, contact customers, and protect them in case of audits or lawsuits. To make this happen, you’ll need to know what data you have stored and how to access it.


What Is a Data Retention System?

A data retention system is a software program that automatically deletes or archives data, based on rules entered by the users. Some examples are IBM System Storage Archive Manager, Oracle Information Lifecycle Management, LZMA, and 7-Zip.


What Is Historical Data Retention?

Generally, historical data retention is just another name for data retention. The term is used as a setting title in some software products.


What Is Backup Data Retention?

A backup is a copy of the data made in case something happens to the original. When you apply a policy to that backup copy, it is known as backup data retention.


Tips for a Successful Data Retention Policy

Creating a data retention policy can seem daunting, but the following tips will alleviate stress and help you create the strongest possible policy for your organization:

  • Simple Is Better: Employees have a lot to do, so making their involvement easy will lead to a higher chance of adherence. To keep things simple, limit the number of record categories and the number of retention periods, and have a once-per-year time when you request that employees delete or archive their records.
  • Communicate: Once you’ve created the policy, let everyone know their part in it. Also let them know when it’s time to review their records and delete or archive anything that has passed its retention period. 
  • Gather Feedback: As with all policies, get feedback from those who are impacted by it, and use their input to improve it.

Benefits of Data Retention

Once a data retention policy is in place, an organization will see many benefits from it, including the following:

  • The removal of outdated and duplicate data can reduce storage costs and free up more storage space.
  • Important and vital records and data will be saved for future uses.
  • You’ll enjoy greater flexibility and agility because only current and relevant data are in reports and views.
  • Archiving certain data rather than deleting it ensures that important records and documents are available for future use.
  • Having a set process for retaining data simplifies data management.
  • Managing data helps avoid civil, criminal, or financial penalties because you are complying with regulations and policies.
  • Deleting old content that’s no longer needed reduces the risk of litigation and security breaches.

What Is Data Retention Law?

Privacy and security concerns, law enforcement needs, and a few other factors have changed regulations and made data retention a little trickier than it used to be.

  • The Sarbanes-Oxley Act, which became law in the United States in 2002 after a number of accounting and corporate scandals, imposed restrictions on how data, specifically accounting and financial data, is stored and reported.
  • With the HIPAA Act, signed into law in the United States in 1996, record keepers had to be especially careful with the security of patient information and medical files. 
  • For companies doing business in the EU, the GDPR rule mandates how personal information is treated and how long it can be retained.
  • For government agencies, data is covered by the Freedom of Information Act (FOIA) and other open access laws. 
  • For organizations that process payments, the Payment Card Industry Data Security Standard (PCI DSS) requires that companies implement strict security standards.
  • For financial organizations based in countries other than the United States, the Foreign Account Tax Compliance Act (FATCA) requires that transactions and assets linked to U.S. citizens be reported to the Department of the Treasury.
  • Organizations need to balance the needs of retaining data in case it’s needed vs. costs of continued storage.
  • Data can be used for multiple purposes, so determining what retention period applies may be complicated.

Challenges of Data Retention

While data retention provides many advantages, it also has its own set of problems. Below are some key challenges that need to be considered:

  • Organizations that operate in multiple jurisdictions or industries must determine which regulations or policies apply to their data, as regulations vary by state and data type.
  • Employees may store personal data on their work computer or cloud, which can have legal consequences for both the employee and the employer.
  • Legal actions and audits can wreak havoc on the policy.
  • Email presents a number of specific challenges:
      • A single email may cover multiple subjects, so it can be difficult to determine which part of the deletion policy it falls under.
      • Email is often an informal communication tool and may not be closely proofread, so it may contain inaccurate or incorrect information.
      • Once sent, email can be forwarded multiple times without the knowledge or consent of the original sender, and it is not deleted everywhere.
      • Some people use email to store and organize information, making it hard to comply with data deletion schedules. Sorting through the saved emails is a herculean task, so most people don't have the time or desire to tackle it.

Best Practices for Data Retention

When organizations create or revise a data retention policy, the following actions will help. 

  • First and foremost, have a data retention policy that meets legal requirements, business needs, and other important factors. 
  • When creating a policy, start small and ramp up as your needs change.
  • Keep it as simple as possible to help with employee adherence.
  • Implement different lifecycles for different data types, due to different legal and business impacts.
  • If data includes customer, subscriber, or user information, inform customers how their information is stored by type. 
  • Keep information on customers, subscribers, and users for no longer than necessary. If data has customer, subscriber, or user information that isn’t required (e.g., sales growth data), anonymize it.
  • When possible, allow customers, subscribers, and users to have control over how their data is employed, and give them instructions on what steps they can take.
  • Be able to justify the reasons behind the policy details.
  • Use software to manage the data retention tasks. Automation is good. Some examples of software that you can use are IBM System Storage Archive Manager, Oracle Information Lifecycle Management, LZMA, and 7-Zip.
  • Maintain the ability to override the software. For example, a lawsuit or audit may require you to keep data longer than the policy deems.
  • Consider whether data should be archived vs. deleted. Deletion is permanent and costs less; archiving incurs running costs but can solve possible problems in the future.
  • Files that are not frequently accessed should be moved to a lower-level archive so that you can find other data more easily.
  • You should organize and store archived data so that you can access and search it when needed.
  • Back up data. This is not only a good idea for data retention, but for data management in general.
  • Ensure data is secure throughout its lifecycle. This is not specific to data retention.
  • Following the MoReq2010 standard helps improve electronic records management. While it's more prominent in the EU, it can be applied anywhere.
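The "data retention system" described above (software that deletes or archives data according to rules entered by users) and the tip about keeping the ability to override it during a lawsuit or audit both come down to the same small piece of logic: a schedule of retention periods per category, a per-record clock, and a legal-hold flag that always wins. The following Python is an added example, not code from the page or from any of the products it names; the schedule, the record IDs and the dates are constructed for illustration. It also generalizes the page's "set time limits" step by letting each record's clock start at an event date (a creation date, or a former employee's separation date), and it fails safe: a record whose category has no rule is flagged for classification rather than deleted.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Action(Enum):
    KEEP = "keep"        # within its retention period, or under legal hold
    ARCHIVE = "archive"  # past its active period; move to a lower-tier archive
    DELETE = "delete"    # past its retention period; destroy


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule for a data category."""
    category: str
    archive_after_days: Optional[int]  # None = never moved to the archive tier
    delete_after_days: Optional[int]   # None = permanent retention (should be rare)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    clock_start: date         # creation date, or the event that starts the clock
    legal_hold: bool = False  # set while the record is involved in a lawsuit or audit


def decide(record: Record, rule: RetentionRule, today: date) -> Tuple[Action, str]:
    """Apply one schedule rule to one record. A legal hold overrides the schedule."""
    if record.legal_hold:
        return Action.KEEP, "legal hold overrides the schedule"
    age_days = (today - record.clock_start).days
    if rule.delete_after_days is not None and age_days >= rule.delete_after_days:
        return Action.DELETE, f"{age_days}d old; retention period is {rule.delete_after_days}d"
    if rule.archive_after_days is not None and age_days >= rule.archive_after_days:
        return Action.ARCHIVE, f"{age_days}d old; active period is {rule.archive_after_days}d"
    return Action.KEEP, f"{age_days}d old; within retention period"


def run_schedule(records: Iterable[Record], schedule: Dict[str, RetentionRule],
                 today: date) -> Dict[str, Tuple[Action, str]]:
    """Decide an action for every record. Unknown categories are never deleted."""
    results: Dict[str, Tuple[Action, str]] = {}
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            # Fail safe: an uncategorised record is kept and flagged for a human.
            results[rec.record_id] = (Action.KEEP, "no rule for category; needs classification")
            continue
        results[rec.record_id] = decide(rec, rule, today)
    return results


# Constructed sample schedule (hypothetical periods, not legal advice).
SAMPLE_SCHEDULE = {
    "payroll": RetentionRule("payroll", archive_after_days=365, delete_after_days=7 * 365),
    "sales": RetentionRule("sales", archive_after_days=None, delete_after_days=3 * 365),
    "incorporation": RetentionRule("incorporation", archive_after_days=None, delete_after_days=None),
}

# Constructed sample records; "pay-hold" is under a legal hold despite its age.
SAMPLE_RECORDS = [
    Record("pay-2010", "payroll", date(2010, 1, 1)),
    Record("pay-2017", "payroll", date(2017, 1, 1)),
    Record("pay-hold", "payroll", date(2010, 1, 1), legal_hold=True),
    Record("sales-2019", "sales", date(2019, 1, 1)),
    Record("charter", "incorporation", date(1990, 6, 1)),
    Record("unknown-1", "scratch-notes", date(2005, 1, 1)),
]

AS_OF = date(2019, 7, 17)  # the "today" used for the sample run


if __name__ == "__main__":
    for record_id, (action, reason) in run_schedule(SAMPLE_RECORDS, SAMPLE_SCHEDULE, AS_OF).items():
        print(f"{record_id:12} {action.value:8} {reason}")
```

In a real deployment the decisions would be written to a log and reviewed before anything is destroyed, and the `legal_hold` flag would be set by the legal team through a process separate from the schedule itself, which is the "override" the best-practices list asks for.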

How to Test Data Retention Policies

If you use a software program, follow the instructions included. If your process is manual, your test will also have to be manual.


What Is a Data Retention Act?

A data retention act is any law that applies to how long data can or should be kept and how it’s secured. Some examples are listed below.

An Overview of U.S. Laws Affecting Data Retention

While there are laws that affect data retention, there isn’t a comprehensive law in the United States on the subject. In addition to those mentioned above, here are some laws you may need to consider: 

  • The Federal Trade Commission Act deals with privacy and data security.
  • The Financial Services Modernization Act deals with the collection, use, and disclosure of consumer financial information.
  • The Fair Credit Reporting Act impacts anyone who uses or provides information impacting consumer credit reports and those who provide consumer-reporting information.
  • The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) regulates the collection and use of email addresses.
  • The Telephone Consumer Protection Act regulates the collection and use of telephone numbers.
  • The Judicial Redress Act allows citizens of certain nations the right to sue in U.S. courts for privacy violations.

In addition, states have passed laws that impact data retention policies. California has been the most active state in this area, but all states (plus the District of Columbia, the U.S. Virgin Islands, and Puerto Rico) have laws requiring notification of security breaches involving personal information.


Terrorism-Related Data Retention and U.S. Government Agencies

If you are looking for information about data retention by U.S. government agencies for crime and terrorism prevention, see NSA and FBI.


An Overview of the GDPR Data Retention Principles

The General Data Protection Regulation (GDPR) is an EU law that went into effect in 2018. It deals with data privacy for people living in the European Union. 

In addition, the GDPR applies to non-EU organizations that offer goods or services to, observe the behavior of, or process and hold personal data about EU citizens, no matter where the company is headquartered. 

The key points that the GDPR covers are the responsibilities of data controllers (i.e., any organization that collects data) and data processors, as well as the rights of data subjects (e.g., customers or users of a website, mobile subscribers). The GDPR also lays out the penalties for noncompliance.

Personal data is information relating to an EU citizen, whether it concerns their private, professional, or public life.

Rules for Data Processors and Controllers

Without explicit permission from a data subject, data processors must have a legal reason to process data. When an organization collects data, it must inform data subjects of what will happen with the data.

Data processors and controllers must build data protection into their processes and systems. 

Data controllers must pseudonymize stored data, so it can't be linked to the data subject without additional steps. For example, it can be encrypted, or identifying data can be tokenized (i.e., personally identifying data is replaced with a non-identifying token that can be linked to the data subject when the data is processed).
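The tokenization approach described above, and the earlier tip to anonymize data that does not need to carry customer identity (e.g., sales growth figures), can both be shown with a small token vault. The following Python is an added example, not code from the page; the `TokenVault` class, the key and the customer records are constructed for illustration. Tokens are derived with a keyed hash (HMAC-SHA-256), so the same identifier always maps to the same token and records can still be joined and aggregated, but without the key and the vault's mapping the token cannot be linked back to the person. Destroying the vault turns the pseudonymized dataset into an anonymized one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


class TokenVault:
    """Maps identifying values to non-identifying tokens and back.

    The token -> value mapping and the key live only here; in production they
    would sit in a separately secured store with its own access controls.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._mapping: Dict[str, str] = {}  # token -> original value

    def tokenize(self, value: str) -> str:
        # Keyed hash: deterministic for joins, but not recomputable without the key,
        # so a guessed e-mail address cannot be turned into its token by an outsider.
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._mapping[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Re-link a token to the data subject; only possible with this vault."""
        return self._mapping.get(token)

    def destroy(self) -> None:
        """Anonymize: drop the key and mapping so tokens can never be re-linked."""
        self._mapping.clear()
        self._key = b""


def pseudonymize_records(records: Iterable[Dict[str, object]], fields: List[str],
                         vault: TokenVault) -> List[Dict[str, object]]:
    """Return copies of the records with the named identifying fields tokenized."""
    out = []
    for rec in records:
        copy = dict(rec)  # never mutate the caller's data
        for field in fields:
            if copy.get(field) is not None:
                copy[field] = vault.tokenize(str(copy[field]))
        out.append(copy)
    return out


def total_by_customer(records: Iterable[Dict[str, object]]) -> Dict[str, float]:
    """Aggregate spend per customer; works identically on tokens and on raw IDs."""
    totals: Dict[str, float] = {}
    for rec in records:
        key = str(rec["customer_email"])
        totals[key] = totals.get(key, 0.0) + float(rec["amount"])
    return totals


# Constructed sample data (not real customers).
SAMPLE_ORDERS = [
    {"order": 1, "customer_email": "alice@example.com", "amount": 10.0},
    {"order": 2, "customer_email": "bob@example.com", "amount": 25.5},
    {"order": 3, "customer_email": "alice@example.com", "amount": 4.5},
]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # fresh random key per vault
    safe = pseudonymize_records(SAMPLE_ORDERS, ["customer_email"], vault)
    for token, total in total_by_customer(safe).items():
        print(f"{token[:12]}...  {total:6.2f}  (re-linkable to {vault.detokenize(token)})")
    vault.destroy()
    print("after destroy:", vault.detokenize(safe[0]["customer_email"]))  # None
```

Note that a keyed hash alone is pseudonymization, not anonymization: as long as the key or the mapping exists, the controller can re-identify the subject, which is exactly what the GDPR definition of pseudonymous data allows for and why access to the vault must be restricted.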

Data processors must keep records of processing activities. 

In the case of data breaches, data controllers must notify authorities within 72 hours, and data processors must notify data controllers and authorities. Data processors and controllers must notify data subjects if they determine there may be any adverse effects.


Rights of Data Subjects

Data subjects can gain access to the data any organization holds about them and learn how it is used. Data subjects also have the right to request erasure of personal data under certain circumstances.


Why You Need a GDPR Data Retention Policy

Noncompliance can bring fines and investigations. If an organization has a single user or customer in the EU, that organization is impacted by GDPR. Being proactive is a good choice.


GDPR Maximum Retention Period

The GDPR doesn’t give a strict time limit for data retention. Instead, a couple of guidelines are part of the law.

  • Article 5(e) of the GDPR says that personal data shall be kept no longer than necessary for the purposes for which it is being processed. Under some circumstances, data may be stored for longer periods (e.g., public interest or scientific and historical research purposes). This is known as the minimization principle.
  • Recital 39 of the GDPR says the period the personal data is stored should be limited to a strict minimum, and the time limits should be periodically reviewed.

Operational Responses to the GDPR

The GDPR will require a number of operational changes in affected companies, from organizational through processes to policies. The IAPP (International Association of Privacy Professionals), a resource for people interested in privacy, has compiled a list of changes that organizations should consider making:

  • Data Inventory and Mapping: Ensure that you know what affected data you have and where it’s stored.
  • Lawful Basis for Processing: Understand what personal data can be processed in each situation and follow those laws.
  • Build and Maintain a Data Governance System: Ensure you have the structures and processes in place to follow the law.
  • Data Protection Impact Assessments and Data Protection by Default and by Design: Conduct risk assessments and ensure facets of the law (such as anonymization of data) are built into systems and processes. 
  • Preparing and Implementing Data-Retention and Record-Keeping Policies and Systems: This is exactly what it sounds like.
  • Transparency and Privacy Notices: Disclose to customers and users how their data will be used.
  • Accommodating Data Subjects’ Rights: Establish a process to respond to customer and user requests about their data.
  • Data Breach and the GDPR: Prepare a plan for data breaches that includes required notifications. 
  • Vetting and Contracting with Processors: Ensure that any vendors that handle data are in compliance.
  • Communicating with Supervisory Authorities: Establish relationships with the proper authorities and plan what needs to be communicated. 

Read the IAPP’s list of recommendations with links to more detailed discussion of each.


What Is the Data Retention Directive?

The Data Retention Directive was part of EU law (formally known as "Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC"). It was overridden by a court decision in 2014, so it is no longer enforced.


Data Retention and Destruction Policy Examples

Ironically, part of data retention is data destruction. When data is no longer needed, it can be destroyed to reduce storage costs and the chances of it being stolen. Here are a few examples that have been posted online:

  • FIRST: A safety-related group for first responders.
  • OASIS: An organization promoting open-source software.  
  • NCoN: A resource for nonprofits.

NIST Data Retention Policy

NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce and is tasked with advocating innovation and competitiveness.


Data Retention and Privacy Policies for Major Online Companies

Online activity generates a lot of data. The businesses where much of our online activity happens have posted their policies on their websites:

