PCI DSS 4.0 - Are You Ready? Get a Discount on a Readiness Assessment - Learn More
data retention policy
Author Picture
Listen to: "Top Mistakes to Avoid When Creating a Data Retention Policy  "

One of the things we must learn from Samsung’s $1 billion mistake is that you cannot take data retention policies lightly. Having a good data retention policy that considers legal and regulatory compliance and your business objectives is crucial. However, the process of developing the policy can seem complex, and you would certainly want to avoid common mistakes! 

This article will cover the common mistakes to avoid and the best practices to follow when creating a good data retention policy.  

What is a data retention policy? 

An organization’s data retention policy defines how long data should be stored and managed and how to dispose of it when it is no longer needed. Typically, a data retention policy should include the following: 

  • which data needs to be retained 
  • how the data should be stored 
  • how long to store the data 
  • who should authorize data disposal 
  • method of data disposal (archival or deletion) 

Data retention policies are essential for meeting several legal and regulatory compliance requirements.  

Why Do You Need a Data Retention Policy? 

  1. Liability Protection – A data retention policy is a key step in managing and protecting an organization’s important data to avoid any civil, criminal and financial penalties that sometimes result from poor data management practices. 
  2. Regulatory Compliance – Local, state, federal and international policies, rules, statutes and laws, as well as industry-imposed regulations, specify the types of data that businesses must retain. Additionally, these bodies set the length of time that specific types of data must be retained and maintained, along with the way in which that data is stored. 
  3. Keep Retained Data Updated – Going through your data retention policy on a regular basis gives you the opportunity to clean house and remove duplicated and outdated files to avoid confusion and expedite any necessary searches. 
  4. Save on Storage Space – If you store your own data, you can always use the extra storage space to make room for new files. Alternatively, if you have moved your data to a cloud storage provider, you can help keep costs lower by cleaning up your data before migration or while already in cloud storage if you discover duplicates. 

What to avoid when developing a data retention policy? 

Starting with a suitable data retention policy will help you avoid policy violations and the legal and regulatory issues and penalties that come with the violations. Below are some of the mistakes you must avoid. 

Creating a complex data retention policy 

Policy documents are notoriously cryptic and long. Such a document will just serve the purpose of checking a box. It would be best if you had a policy that all stakeholders can actually refer to and use. A usable policy will be precise and in a language that everyone understands.  

Not aligning with the changing regulatory landscape 

There is a torrent of regulatory changes globally as data privacy, risks, business processes, etc., change. Your data retention policy must be on top of the updated regulations will result in a weak policy that will not safeguard your business.  

Creating a policy that is too stringent  

A very strict policy will be prone to violations. A policy should definitely consider the regulatory environment. But, it should also be customized according to the organizational culture and specific requirements so that it can be reasonably enforced throughout the organization.  

Not defining the procedure to follow in case of a policy violation 

Creating a data retention policy aims to ensure that data is treated according to the defined procedures. But it should also outline the steps to be taken if there is a policy violation. 

Not defining objectives and responsibilities 

A data policy that is disconnected from the internal teams will not be effective. It must define data retention objectives and the responsibilities of all stakeholders involved to enforce or uphold the policy.   

Not clearly defining the procedure to dispose of data 

Disposing of data that is no longer needed is as important as managing the data stored in your systems. A data retention policy should clearly define how the data is to be destroyed. Digital data can often lie forgotten on servers and in databases. So the policy should mention how each type of data should be destroyed to ensure that it does not leave any traces behind.  

What are the best practices in creating a data retention policy? 

Below are some best practices you should follow while creating a practical data retention policy. 

Carry out diligent groundwork before creating the policy.

You need to understand the legal and regulatory requirements, legal obligations, business context, and organizational culture to define the objectives of the data retention policy. A few regulatory bodies and acts that determine certain data retention durations and the conditions of data removal include: 

  • The Health Insurance Portability and Accountability Act (HIPAA) is related to the healthcare industry and applies to healthcare organizations and any business that works with those organizations. 
  • The Sarbanes-Oxley Act (SOX) has its own provisions, related to the financial industry. 
  • The Internal Revenue Service (IRS) applies to every type of business in any location of the United States. 
  • The Children’s Online Privacy Protection Act (COPPA) is another act that applies to all businesses in the United States. 
  • The EU’s General Data Protection Regulation (GDPR) applies to any company that does business with a resident of one of the 28 EU’s 28 member states. 

This step alone is why it is essential to make sure your data retention policy development team includes a legal expert and your accounting team to thoroughly research any relevant laws, policies and regulations germane to your industry and location. 

Involve the right people in policy creation.

Since enforcing the data retention policy requires participation from all stakeholders, it makes sense to involve them during the policy creation stage. Also, taking inputs from multiple important sources, such as the legal counsel, accounting & finance teams, department heads, etc., will help you create a comprehensive data retention policy. Not only do you want to include your legal team and accounting professionals, but you also want to make sure you include diverse voices within your company who may also hold a stake in the various data in your system. While your instinct may default to “delete,” your accounting manager may hold valid—if not critically important—reasons for retaining certain records. 

Key team members to add to your data retention policy development team include: 

  • Staff members responsible for data retention settings 
  • In-house legal counsel 
  • Departmental managers and supervisors 
  • Anyone who receives and manages financial reports 
  • Anyone who 

Take into account multiple departments or different types of data. 

If you have multiple departments in your organization, your data retention policy should consider all departments while defining a data retention schedule. The same goes for multiple types of data. It might not be possible to have the same data retention schedule for all data across all departments. Here, it might be helpful to create different policies for different departments or for different types of data.  

Define the data covered by the policy. 

Regardless of your industry or location, there are some general types of data that you must include within your data retention policy, including: 

  • Documents 
  • Emails and other electronic documents 
  • Customer records 
  • Transactional information 
  • Spreadsheets 
  • Contracts 
  • Spreadsheets 
  • Correspondence between staff and clients, agents, vendors, shareholders and the public 
  • Supplier and partner data 
  • Employee records 
  • Customer records 
  • Sales, invoice and billing information 
  • Tax and accounting documentation 
  • Financial reports 
  • Healthcare and patient data 
  • Student and educational data 
  • Any other data produced, collected and maintained in the fulfillment of regular business activities 

Avoid holding on to data longer than required. 

In order to avoid deleting crucial data, it might be tempting to hold on to the data. But having too much data will slow down your systems. Also, the more data you have, the more your risk of a data breach will be. 

Make the data retention policy transparent.

Stakeholders such as customers and subscribers should be informed of your data retention policy when they choose to share their information with you. Where possible, they should also have some control over how their data is stored and retained. 

Enure all employees understand the company’s data retention policy. 

Beta News reported the results of a Harris Poll that indicated that 63% of employees do not believe that their companies have policies regarding email retention. Further, if the employees did know that the company had data retention policies, they weren’t aware of what they were. You do not want this scenario for your organization. 

You definitely want to keep your employees in the loop when it comes to data retention. You may find it helpful to invite a few employee ambassadors to join occasional data retention policy meetings while you and the rest of the team develop the policy so they can gain a deeper understanding for the reasons for various aspects of the policy. 

You never want to leave your vital organizational data to chance at any level, so provide employees with a copy of your data retention policy, once completed. You may also conduct regular training and review sessions to keep everyone up to date. 

Have You Written Your Company’s Data Retention Policy Yet? 

A good data retention policy is an important part of an organization’s information management system. In order to keep your policy usable and updated, you should regularly audit your data retention policy. A good policy will ensure that you save on storage costs and have efficient and fast systems. 

If you are ready to start drafting your data retention policy and you need a little more insight, beyond these five steps, our team at I.S. Partners, LLC. has the expertise and experience to give you an initial boost or will work with you from start to finish. 

Call us at (215) 675-1400 or request a quote today! 

Get a Quote Try our Compliance Checker

About The Author

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the form below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235 or book a meeting with one of our experts.

Great companies think alike!

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal