What Is Data Retention and What Is a Data Retention Policy?
Data retention, or records retention, is the practice of keeping records for set periods of time to comply with business needs, industry guidelines, and regulations. A strong data retention policy should detail how long data and records are kept and how to make exceptions to the schedule in the case of lawsuits or other disruptions.
The policy should also explain who is responsible for each category of data, and whether data that is no longer needed should be archived or deleted.
How to Create a Data Retention Policy and Schedule
It’s not easy to create a policy and schedule for deleting or archiving data. It will take research to discover which regulations, policies, and other factors you should apply to each category of data and how to account for exceptions. Each responsible person and team will need to contribute, and you can expect many different ideas. Here are some recommended steps:
- Build a team. Determine who needs to contribute to the policy (e.g., legal, IT administrators, and departmental business owners) and gain buy-in and representation from each team or person.
- Sort data into categories. Each organization will have its own specific needs, but examples of common categories include tax documents, payroll documents, and sales documents.
- Determine which regulations, policies, and laws need to apply to each data item. Again, each organization will differ. Location (of both customers and the business itself) will have a big impact.
- Compose the policy. See the list of questions below to begin the discussion.
- Set time limits. Give each item a default time limit for archiving or deletion. As a rule of thumb, permanent retention should be rare.
- Communicate the policy. Notify all affected employees and teams, and let them know how it affects them.
- Revisit the policy. Needs change, so part of the plan should be to revisit the policy on a regular basis and make adjustments.
When drafting your policy, start by answering these questions:
- How will you determine applicable laws, rules, policies, or practices for each category?
- Who has specific obligations under the data retention policy?
- Who’s responsible for each item type?
- How will you enforce the policy?
- What’s the communication plan (both initial and ongoing)?
- When more than one law or policy covers a data category, how will you determine which one to follow?
- When should items be archived, and when should they be deleted?
- Which items will be considered temporary records and therefore not subject to the retention policy?
- When should data be exempt from the deletion policy?
- What is the process for exempting data?
- Will original documents and copies be subject to different policies?
- Which documents will require revision histories?
- For records that were involved in a lawsuit, governmental action, audit, or other legal action, have you considered the appeals period and statute of limitations process as part of the policy?
- For employee and payroll records, have you considered the separation date for former employees?
- Is any data subject to possible Freedom of Information Act (FOIA) requests?
- Will you treat B2C data differently than B2B data?
How to Write a Data Retention Policy
What Is a Data Retention Period?
The data retention period is the amount of time that an organization keeps a particular type of data. Different data types should have different retention periods.
How Long Should Data Be Kept?
Why Is Data Retention Important?
You can use data to answer questions about a business’s performance, plan for its future, contact customers, and protect them in case of audits or lawsuits. To make this happen, you’ll need to know what data you have stored and how to access it.
What Is a Data Retention System?
A data retention system is a software program that automatically deletes or archives data, based on rules entered by the users. Some examples are IBM System Storage Archive Manager, Oracle Information Lifecycle Management, LZMA, and 7-Zip.
What Is Historical Data Retention?
Generally, historical data retention is just another name for data retention. The term is used as a setting title in some software products.
What Is Backup Data Retention?
A backup is a copy of the data made in case something happens to the original. When you apply a policy to that backup copy, it is known as backup data retention.
Tips for a Successful Data Retention Policy
Benefits of Data Retention
What Is Data Retention Law?
Privacy and security concerns, law enforcement needs, and a few other factors have changed regulations and made data retention a little trickier than it used to be.
- The Sarbanes-Oxley Act, which became law in the United States in 2002 after a number of accounting and corporate scandals, imposed restrictions on how data, specifically accounting and financial data, is stored and reported.
- With the HIPAA Act, signed into law in the United States in 1996, record keepers had to be especially careful with the security of patient information and medical files.
- For companies doing business in the EU, the GDPR rule mandates how personal information is treated and how long it can be retained.
- For government agencies, data is covered by the Freedom of Information Act (FOIA) and other open access laws.
- For organizations that process payments, the Payment Card Industry Data Security Standard (PCI DSS) requires that companies implement strict security standards.
- For financial organizations based in countries other than the United States, the Foreign Account Tax Compliance Act (FATCA) requires that transactions and assets linked to U.S. citizens be reported to the Department of Treasury.
- Organizations need to balance the need to retain data in case it’s needed against the cost of continued storage.
- Data can be used for multiple purposes, so determining what retention period applies may be complicated.
Challenges of Data Retention
Best Practices for Data Retention
How to Test Data Retention Policies
If you use a software program, follow the instructions included. If your process is manual, your test will also have to be manual.
What Is a Data Retention Act?
A data retention act is any law that applies to how long data can or should be kept and how it’s secured. Some examples are listed below.
An Overview of U.S. Laws Affecting Data Retention
Terrorism-Related Data Retention and U.S. Government Agencies
An Overview of the GDPR Data Retention Principles
Rules for Data Processors and Controllers
Rights of Data Subjects
Data subjects can gain access to the data any organization holds about them and learn how it is used. Data subjects also have the right to request erasure of personal data under certain circumstances.
Why You Need a GDPR Data Retention Policy
Noncompliance can bring fines and investigations. If an organization has a single user or customer in the EU, that organization is impacted by GDPR. Being proactive is a good choice.
GDPR Maximum Retention Period
Operational Responses to the GDPR
What Is the Data Retention Directive?
The Data Retention Directive was part of EU law (formally known as “Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC”). It was overridden by a court decision in 2014, so it is no longer enforced.
Data Retention and Destruction Policy Examples
NIST Data Retention Policy
NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce and is tasked with advocating innovation and competitiveness.
Data Retention and Privacy Policies for Major Online Companies