What is a Data Retention Policy? (And 3 Quick Steps to Create One)


Insights for ProfessionalsThe latest thought leadership for Management pros

Thursday, August 20, 2020

Since the introduction of GDPR, data protection policies have become an essential aspect of doing business around the world. Here’s how to easily create one.

Article 4 Minutes
What is a Data Retention Policy? (And 3 Quick Steps to Create One)

Any business dealing with the EU needs to comply with the General Data Protection Regulation (GDPR), which details the steps you must take to safeguard and secure customer data. Since then, the business landscape has completely changed to match this standard.

Even companies with no interest in dealing with the EU have been impacted by similar laws, like the California Consumer Privacy Act (CCPA), that have sprung up in GDPR’s wake. GDPR alone has affected companies around the world, with large US firms collectively spending $7.8 billion preparing for it, compared to just $1.1 billion spent by large UK companies.

So, what does this mean for companies? It means that a necessity of modern business is the data retention policy. Even firms not affected by GDPR or similar legislation can benefit from one, as it’ll protect against data breaches that can be costly and dangerous for customers.

What is a data retention policy?

According to Harper James Solicitors, a data retention policy “specifies how you manage the data you hold”. The aim is to avoid a situation where a company is hanging on to years - or even decades - worth of consumer records for no reason, simply because the cost of holding that data is close to zero.

While GDPR has certainly been portrayed as incredibly strict, many organizations see it as fairly lenient. For example, a business doesn’t have to abide by any set timeframes or deadlines for retaining data: it can be held indefinitely as long as the organization can justify doing so.

That means a data retention policy needs to set out:

  • Details of what data will be kept
  • Criteria for keeping it
  • Duration before it will be dealt with
  • Individuals responsible for every stage in the process and each category of data

While compliance with regulations is an important reason to put a data retention policy in place, many organizations find there are benefits of being more stringent than necessary. Mark Keppler, senior director of information security at IS Partners, emphasizes that a data retention policy allows businesses to create and save more storage space, as well as remove outdated and duplicated data that makes it harder to find relevant information.

Understanding what data is held

To create an effective data retention policy, the first step is to identify what personal data you’re currently holding. This can require an extensive audit. The exact definition of personal data will vary depending on the regulations a business is attempting to comply with, but in general it’ll include anything that can identify an individual.

This is more complicated than it might seem because it all depends on context. A name doesn’t necessarily count on its own; plenty of individuals can share the same name. However, if it’s combined with an address, telephone number, email address or even something as simple as their job title or the organization they work for, it’ll be more likely it can be used to identify them.

Determining which regulations apply

Every organization will be subject to different standards and regulations, depending on its industry, its location, the type of business it conducts and more. Writing an effective data retention policy means understanding which regulations apply, and combining them to understand how data needs to be treated.

For example, in addition to GDPR, businesses that process payments need to abide by the Payment Card Industry Data Security Standard (PCI DSS), while US government agencies must abide by the Freedom of Information Act. Cross-referencing these regulations is the only way to ensure a data retention policy is fully compliant.

Writing an effective data retention policy

To create a useful data retention policy, it’s essential to involve a team consisting of those members of an organization that’ll be affected. Anyone dealing with data might have an important perspective on what information can safely be deleted and what needs to be retained.

Several decisions then need to be made. How long will each tranche of data be stored for? What will happen once that retention period is up? Most organizations choose between deleting the data or anonymizing it, which entails ensuring details can’t be tied to an individual. For example, this can involve storing a name and email address separately with no way to match one to the other.

Finally, the most important aspect of an effective data retention policy is making sure all staff members are aware of it. Training is crucial to ensure everyone abides by the rules set out in the policy, thus ensuring the business remains compliant.

Insights for Professionals

The latest thought leadership for Management pros

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.


Join the conversation...