Let’s say Joe bought a pair of jeans from your retail business 10 years ago and you added Joe’s information to your database. In the 10 years that followed, Joe might have moved between 20 states or maybe even moved to a different country. Those jeans probably don’t fit him the way they used to and in all likelihood, Joe probably doesn’t even have those jeans anymore. It’s safe to say, the information you collected on Joe has negligible value to your business compared to the risk of losing that data to hackers.

IT managers face the question of what data to keep and what to discard. Generally, how long data needs to be retained depends on the type of data; in practice, though, this is subjective and driven by your business needs.

To bring some sanity to your data management, IT departments should follow a written data retention policy and implement it across all enterprise systems.


What Is a Data Retention Policy?

A data retention policy clarifies what data should be stored or archived, where that should happen and for how long. Once a data set completes its retention period, it can be deleted or moved as historical data to secondary or tertiary storage, depending on business requirements.

Smart, streamlined data retention policies offer great benefits (or at the least help you avoid great losses).

Be compliant

A data retention policy enables businesses to manage their compliance with industry guidelines and regulations. This avoids expensive civil, criminal or financial penalties stemming from non-compliance.

Discard outdated and duplicated data

Regularly applying your data retention policy creates an opportunity to remove duplicated and outdated data, making it easier to find relevant information.

Make room for more storage space

With a data retention policy in place, your business does not need to retain data longer than needed. This frees up your storage space to make room for new data. The entire process lowers storage costs and increases speed.

Data Retention Best Practices

A good data retention policy needs to clearly define its purpose, address concerns and clarify its scope. The tricky part is that it varies for different businesses based on their specific needs. Following these best practices will help you create a data retention policy that is uniquely yours.

1: Classify your data

Not all created data is equal, which is why not all data has the same retention periods. Start by identifying what data your organization stores and then classify the data to determine which data needs to be archived and for how long.

Ask yourself these questions:

  • Is the data critical?
  • Is this data a permanent document?
  • Is the data proprietary intellectual property?
  • Does the data serve the current needs of the business?

If the answers are ‘no’ for all the questions, then that data is fit for deletion.

As you are classifying data, ensure your data retention policies align with compliance and legal restrictions. You may also have to consider pre-existing contractual needs that will shape data retention schedules.

Understand your compliance verticals, whether it’s HIPAA, the Sarbanes-Oxley Act or GDPR. Know the law to determine what data must be kept and for how long. Likewise, keep data that you might need if legal action should arise:

The Health Insurance Portability and Accountability Act (HIPAA)
Industry: The healthcare industry. Also applies to healthcare organizations and any businesses that work with those organizations.
Retention Policy: Documents must be retained for a minimum of six years from when the document was created or, in the event of a policy, from when it was last in effect. Therefore, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation.

Sarbanes-Oxley Act (SOX)
Industry: The finance industry.
Retention Policy: Any accountant who conducts an audit of an issuer of securities, to which section 10A(a) of the Securities Exchange Act of 1934 applies, shall maintain all audit or review work papers for five years from the end of the fiscal period in which the audit or review was concluded.

General Data Protection Regulation (GDPR)
Industry: Applies to any company that does business with a resident of one of the EU’s 28 member states.
Retention Policy: According to Article 5(e), data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. GDPR permits organizations to store personal data for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance.

3: Delete data after the retention period

Obviously, right? Well, not really! Many businesses have second thoughts and hold on to data longer than required, hoping they might need it at some unforeseen point in the future. This approach carries great risk: outdated data remains exposed to breaches, which lead to legal penalties and loss of brand reputation.

The right way to go about this is to build a system that quickly identifies data sets whose retention period has ended and permanently deletes them.
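As an added illustration (not code from the original article), the Python sweep below encodes the HIPAA and SOX retention periods quoted in the previous step, honours a legal hold for data that may be needed in litigation, and refuses to auto-delete anything whose schedule cannot be determined. The three-year period for ordinary customer profiles, the record fields and the sample inventory are assumptions constructed for this example; the HIPAA policy record reproduces the nine-year case described above (created 2010, revised 2013, retained until 2019).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention periods named in the article. HIPAA: six years from creation, or
# from when a policy was last in effect. SOX: five years from the end of the
# fiscal period in which the audit concluded.
HIPAA_YEARS = 6
SOX_YEARS = 5
# Assumed value for ordinary customer records (the "Joe's jeans" case); the
# article sets no figure, so this is a placeholder a business would choose.
CUSTOMER_PROFILE_YEARS = 3


@dataclass
class Record:
    record_id: str
    data_class: str                           # e.g. "hipaa_policy", "sox_workpaper"
    created: date
    last_in_effect: Optional[date] = None     # policies only
    fiscal_period_end: Optional[date] = None  # audit work papers only
    legal_hold: bool = False                  # pending litigation overrides the schedule


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec: Record) -> Optional[date]:
    """Earliest date the record may be deleted, or None if it must be kept
    (unknown class or missing metadata: fail safe by never auto-deleting)."""
    if rec.data_class == "hipaa_document":
        return add_years(rec.created, HIPAA_YEARS)
    if rec.data_class == "hipaa_policy":
        # The clock runs from when the policy was last in effect, not from creation.
        return add_years(rec.last_in_effect or rec.created, HIPAA_YEARS)
    if rec.data_class == "sox_workpaper":
        if rec.fiscal_period_end is None:
            return None
        return add_years(rec.fiscal_period_end, SOX_YEARS)
    if rec.data_class == "customer_profile":
        return add_years(rec.created, CUSTOMER_PROFILE_YEARS)
    return None


def sweep(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Sort expired records into: safe to delete, blocked by legal hold, or
    needing a human decision because no schedule applies."""
    result: Dict[str, List[str]] = {"delete": [], "held": [], "review": []}
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None:
            result["review"].append(rec.record_id)
        elif deadline > today:
            continue  # still inside its retention period
        elif rec.legal_hold:
            result["held"].append(rec.record_id)
        else:
            result["delete"].append(rec.record_id)
    return result


# Constructed sample inventory, not data from any real system.
SAMPLE_RECORDS = [
    # Policy created 2010, revised 2013: retained until 2019, nine years after creation.
    Record("R-1001", "hipaa_policy", date(2010, 1, 15), last_in_effect=date(2013, 1, 15)),
    Record("R-1002", "hipaa_document", date(2019, 6, 30)),
    Record("R-1003", "sox_workpaper", date(2018, 2, 1),
           fiscal_period_end=date(2017, 12, 31), legal_hold=True),
    Record("R-1004", "customer_profile", date(2014, 3, 1)),
    Record("R-1005", "unclassified", date(2005, 5, 5)),
    Record("R-1006", "sox_workpaper", date(2021, 4, 1)),  # missing fiscal period end
]


def run_sample_sweep(today_iso: str) -> Dict[str, List[str]]:
    """Run the sweep over the sample inventory as of the given ISO date."""
    return sweep(SAMPLE_RECORDS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, ids in run_sample_sweep("2024-01-01").items():
        print(f"{bucket}: {ids}")
```

The "review" bucket is the important design choice: a record that falls outside every known schedule, or whose metadata is incomplete, is surfaced to a person rather than silently kept or silently deleted, so gaps in classification become visible instead of accumulating.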

Backup Retention Policy

A common practice is to store a copy of the data in case the original is lost to accidental deletion or system failure. Modern businesses need to treat backup data as part of the overall data retention strategy, governed by a backup retention policy.

A backup retention policy defines the retention period for backup data and how that data is accessed and encrypted, weighing legal and privacy concerns against cost and ‘need to know’ considerations.