data retention policy
Author Picture
Listen to: "5 Key Steps to Developing a Solid Data Retention Policy"

What Is a Data Retention Policy and Why Do You Need One?

A data retention policy is a key step in managing and protecting an organization’s important data to avoid any civil, criminal and financial penalties that sometimes result from poor data management practices.

Local, state, federal and international policies, rules, statutes and laws, as well as industry-imposed regulations, specify the types of data that businesses must retain. Additionally, these bodies set the length of time that specific types of data must be retained and maintained, along with the way in which that data is stored.

Ultimately, you may find that one of the best reasons—not to suggest compliance isn’t a good enough reason, on its own—to develop an air-tight data retention policy, which may touch on both electronic and hard copy files, comes down to the benefits it provides your organization, including:

Remove Outdated and Duplicated Data

Going through your data retention policy on a regular basis gives you the opportunity to clean house and remove duplicated and outdated files to avoid confusion and expedite any necessary searches.

Create and Save More Storage Space

If you store your own data, you can always use the extra storage space to make room for new files. Alternatively, if you have moved your data to a cloud storage provider, you can help keep costs lower by cleaning up your data before migration or while already in cloud storage if you discover duplicates.

Considering the ever-increasing volume and complexity of data in today’s global business environment, along with regulatory oversight involved and the benefits to your company, creating a data retention policy may need to move to the top of your to-do list.

5 Key Steps to Developing a Solid Data Retention Policy

While a good portion of what you need to do to prepare to begin composing your data retention policy depends on your specific industry, as well as your state, which will determine certain statutes with which you must comply, there are some basic steps everyone can follow to stay on track.

It may help you to take a look at five key steps that are universal to the process, which we believe will help you build a solid data retention policy that is easy to follow, maintain and update, as necessary.

  1. Build Your Data Retention Policy Development Team
  2. Determine All the Regulations That Are Applicable to Your Business
  3. Define the Data to Be Included in Your Data Retention Policy
  4. Compose Your Data Retention Policy
  5. Make Sure All Employees Are Aware of—and Fully Understand—the Company’s Data Retention Policy

1. Build Your Data Retention Policy Development Team

Not only do you want to include your legal team and accounting professionals, but you also want to make sure you include diverse voices within your company who may also hold a stake in the various data in your system. While your instinct may default to “delete,” your accounting manager may hold valid—if not critically important—reasons for retaining certain records.

Key team members to add to your data retention policy development team include:

  • Staff members responsible for data retention settings
  • In-house legal counsel
  • Departmental managers and supervisors
  • Anyone who receives and manages financial reports
  • Anyone who generates financial reports

2. Determine All the Regulations That Are Applicable to Your Business

A few regulatory bodies and acts that determine certain data retention durations and the conditions of data removal include:

  • The Health Insurance Portability and Accountability Act (HIPAA) is related to the healthcare industry and applies to healthcare organizations and any business that works with those organizations.
  • The Sarbanes-Oxley Act (SOX) has its own provisions, related to the financial industry.
  • The Internal Revenue Service (IRS) applies to every type of business in any location of the United States.
  • The Children’s Online Privacy Protection Act (COPPA) is another act that applies to all businesses in the United States.
  • The EU’s General Data Protection Regulation (GDPR) applies to any company that does business with a resident of one of the 28 EU’s 28 member states.

This step alone is why it is essential to make sure your data retention policy development team includes a legal expert and your accounting team to thoroughly research any relevant laws, policies and regulations germane to your industry and location.

3. Define the Data to Be Included in Your Data Retention Policy

Regardless of your industry or location, there are some general types of data that you must include within your data retention policy, including:

  • Documents
  • Emails and other electronic documents
  • Customer records
  • Transactional information
  • Spreadsheets
  • Contracts
  • Spreadsheets
  • Correspondence between staff and clients, agents, vendors, shareholders and the public
  • Supplier and partner data
  • Employee records
  • Customer records
  • Sales, invoice and billing information
  • Tax and accounting documentation
  • Financial reports
  • Healthcare and patient data
  • Student and educational data
  • Any other data produced, collected and maintained in the fulfillment of regular business activities

4. Compose Your Data Retention Policy

Once you have determined what happens to old data that you can remove or archive, it is time to formally write your policy. Some of the sections that each data retention policy must include are the:

  • Purpose
  • Applicable Laws, Regulations, Policies, Rules and Acts
  • Record Retention and Deletion Schedule
  • Litigation Plan
  • Review and Update Schedule

5. Make Sure All Employees Are Aware of—and Fully Understand—the Company’s Data Retention Policy

Beta News reported the results of a Harris Poll that indicated that 63% of employees do not believe that their companies have policies regarding email retention. Further, if the employees did know that the company had data retention policies, they weren’t aware of what they were. You do not want this scenario for your organization.

You definitely want to keep your employees in the loop when it comes to data retention. You may find it helpful to invite a few employee ambassadors to join occasional data retention policy meetings while you and the rest of the team develop the policy so they can gain a deeper understanding for the reasons for various aspects of the policy.

You never want to leave your vital organizational data to chance at any level, so provide employees with a copy of your data retention policy, once completed. You may also conduct regular training and review sessions to keep everyone up-to-date.

Have You Written Your Company’s Data Retention Policy Yet?

If you are ready to start drafting your data retention policy and you need a little more insight, beyond these five steps, our team at I.S. Partners, LLC. has the expertise and experience to give you an initial boost or will work with you from start to finish.

Call us at (215) 675-1400, launch a chat session, send a message or request a quote today!

Get a Quote Try our Compliance Checker

About The Author

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the form below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235 or book a meeting with one of our experts.

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.


Great companies think alike!

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal