January 10, 2022 by Bojana Krstic

Data Retention Policy 101 (with Examples)

Data is one of the most precious resources in the world today, and yet, according to Forrester Research, only 10% of enterprises use data to generate advanced insights.

Today, we explore why data is so vital for an organization, how it can add value, what risks are associated with mishandling data and how to retain it properly using a data retention policy.

For starters, data can help organizations pinpoint and act on problems faster and more efficiently. It allows decision-makers to visualize relationships between different departments, systems and locations.

Data is also a valuable asset because it’s highly reusable – generated once, data can be used for visual presentations, business analysis, market research, marketing purposes, compliance etc. As a result, data has become a valuable commodity for businesses of all sizes, as well as a target for hackers.

Given the vast volume of data collected by organizations and the number of rules and regulations in place to protect that data, your company must implement strong data retention policies.

Another important point to make here is that data ages – if left too late, the information becomes too dated to be valuable and can create confusion and cause false interpretations.

That’s why the best approach is to keep your corporate data in a state, format and repository that allows easy access, assessment and use, while also allowing reorganization and deletion.

This brings us to data retention, or more precisely, how to design a data retention policy.

Why Do You Need Data Retention?

Data retention, also known as record retention, is the practice of retaining and maintaining data, including electronic records, for a specific amount of time.

There are a variety of reasons why a company would need to save data:

  • to comply with local, state, and federal laws,
  • to adhere to industry standards,
  • to keep correct financial records,
  • to guarantee that data is readily available for ediscovery and litigation support,
  • for business continuity and organizational purposes

Every corporation must establish and execute data retention policies to meet these and other business objectives.

What Are the Elements of Data Retention Policy?

A data retention policy, also known as a record retention policy, is a company’s stated process for retaining, storing and disposing of data.

In most cases, a data retention policy will state:

  • What data should be kept?
  • What format should it be stored in?
  • For how long should it be retained?
  • Whether it should be archived or destroyed in the future
  • Who has the authority to destroy it?
  • What steps should be taken in the case of a policy violation?

A data retention policy’s primary goal is to ensure effective data management in line with applicable laws and regulations. Also, it’s a great way to boost productivity and streamline processes inside your company.

What Is the Data Retention Period?

The duration of time that an organization keeps data is referred to as the data retention period. Retention periods can be different depending on the types of data and on the industry the organization operates in.

Data should only be maintained for as long as it is useful. However, various laws and regulations have particular data retention time requirements, so it’s crucial to do your homework before deciding on a retention period for a data retention policy.

How to Ensure Compliance with a Data Retention Policy?

Despite the obvious operational benefits of enacting data retention policies, many companies do so to avoid violating local, state, and federal laws as well as industry requirements.

Many laws and regulations include precise wording about records management, such as what data must be preserved and for how long. Failure to follow these guidelines might result in financial, civil, or even criminal repercussions for your company.

Let’s take a look at a few laws and regulations that have particular data retention policy requirements to give you a better idea of the function data retention plays in compliance:

  • GDPR — Data must be kept in a form that allows identification of data subjects for no longer than is required for the purposes for which the personal data are processed.
  • Health Insurance Portability and Accountability Act (HIPAA) — Although HIPAA does not contain any uniform criteria for the keeping of medical data (they vary by state), it does include explicit wording about the retention of HIPAA-related documents.
    HIPAA records include, but are not limited to, the following:

    • Privacy Practices Notice
    • Authorizations from patients
    • Discipline procedures for employees
    • Documentation of the incident and breach notification
    • Maintenance records for physical security
    • Logs of access
  • The Fair Labor Standards Act (FLSA) — Businesses must keep records for at least three years. Time cards, work schedules, and recordings of changes in wages must be retained for two years in order to compute compensation. All records must be easily accessible to Department of Labor agents for examination.
  • Sarbanes-Oxley Act (SOX) — Accountants who conduct audits “shall retain all audit or review relevant data for five years from the end of the fiscal period in which the audit or review was concluded”. Relevant data include memoranda, letters, communications, electronic records, and other documents generated, sent, or received in conjunction with an audit or review. Any public business that violates SOX’s data retention standards faces penalties, jail, or both.

Check out our blog post on email retention legislation for many more examples of legal and regulatory record retention policy requirements.

Data Retention Policy – Rules and Best Practices to Follow

There is no one-size-fits-all approach to data retention. Regulations may vary based on the size of your company, the industry you operate in, and the type of data you handle.

However, there are a few best practices to follow when drafting a data retention policy:

  • First and foremost, do the research. Before you begin, make sure you take into consideration and understand any applicable legislation and the exact legal requirements.
  • Determine what your company’s requirements are. Although legal obligations take precedence, the data retention policy you create should be tailored to expedite business-critical operations and increase productivity.
  • Make developing a data retention policy a collaborative process. You’ll need participation from a variety of people, including your in-house legal counsel, finance department, accounting team, and other departmental managers and supervisors, to design a record retention policy that is comprehensive and reflects the interests of your whole business.
  • Don’t make things too difficult for yourself — keep it simple. When writing the retention policy, use clear language and basic words. This will both make the policy easier to understand by employees and enhance the probability of the policy being followed. Also, keep in mind that you may always start small and make adjustments as needed.
  • Create distinct policies for various sorts of data. Not all data must be kept for the same amount of time; the amount of time depends on the business necessity as well as any applicable regulatory or legal requirements.
  • Be open and honest. Inform your customers, subscribers, and users about the data you plan to keep, how it will be stored, and how it will be utilized. Give them as much control as possible over how their data is utilized.
  • Invest in a backup and archiving system. You may design individual record retention policies and automate the data archiving process using email, social networking, and text/SMS message archiving services, saving you time and effort. Look for a system that allows you to arrange data according to your company needs, has powerful search capabilities, and has built-in security safeguards.
  • Perform regular data backups. Not only will this shield you from legal liability, but it will also decrease or eliminate the risk of data loss in the case of an outage or unplanned downtime.
  • Don’t keep data for any longer than is required. Although operating with extreme care and retaining data indefinitely may appear to be best practice, doing so exposes your company to risk. Excess data not only eats up storage space and slows down systems, but it also makes you more exposed to a data breach or security issue. However, because deletion is irreversible, you’ll want to think carefully about which data to save and which to discard.

How to Create a Data Retention Policy

Though the process for developing a record retention policy may differ based on the sort of data you collect and applicable rules and regulations, it will most likely look like this:

  • First, assemble a team to draft your data retention policy.
  • Next, sort data into policy categories; it might be necessary to create different data retention policies and removal schedules for different categories.
  • Determine which rules and regulations apply to your company depending on data kind, location, industry, and other relevant factors.
  • For every record retention policy you create:
    • Choose which data will be archived (and for how long) and which will be removed.
    • Determine who will be in charge of each item category.
    • Create a strategy for enforcing the policy, then implement it.
    • Inform all impacted employees and teams about the policy.
  • Create your policy.
  • Finally, each policy should be updated on a regular basis, and any changes should be communicated to your staff.

Data Retention Policy Examples

If you’re still not sure where to start, take a look at these examples of retention policies from well-known companies:

Ensure Proper Data Retention with Jatheon

Jatheon’s cutting-edge archiving solutions, from email and social media archiving to text/SMS records archiving, allow you to define specific data preservation policies to maintain regulatory compliance with all major retention and data privacy laws.

By classifying and tagging records, you’ll be able to specify different retention windows and set automated deletion of records to limit liability after the retention periods expire.

[Image: Jatheon Cloud retention tags creation]

With strong search capabilities, role-based permissions and user authentication, and a rich ediscovery and litigation feature set, it’s simple to understand why Jatheon is the archiving solution of choice for enterprises across many industries.

Learn more about Jatheon’s capabilities by requesting a free demo or speaking with one of our archiving experts now.


Does GDPR have a data retention policy?

The GDPR doesn’t have a set timeframe for how long data needs to be kept for. Organizations need to determine their own data retention timeframe, but the GDPR requires them to clearly outline the data retention period before the data is collected.

What is the minimum number of retention policies?

The minimum number of retention policies an organization needs to have is one, establishing a uniform timeframe for data retention across the whole organization. You can have multiple retention policies for different types of data being collected, branches of the organization, or legal mandates, which offers a lot of flexibility when it comes to complying with the law while optimizing storage resources. Having no retention policy usually means that data is retained indefinitely, which may not align with privacy regulations.

What is the most common backup retention policy?

One of the most common backup retention policies is the Grandfather-Father-Son (GFS) method. It involves retaining multiple backup copies for different retention periods. These periods include daily (Son), weekly (Father), and monthly (Grandfather). This method gives organizations the flexibility of quickly storing data, archiving it for longer periods, and quickly recovering it. The other most commonly used method is the “3-2-1 method” meaning “maintain 3 copies, store copies on 2 different types of storage media, keep 1 copy on an off-site location.”
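The GFS rotation described above, as an added example that is not from the original article or from Jatheon's product: it classifies backup dates into Son, Father and Grandfather tiers and lists the backups that no tier holds, which are the ones past retention. The tier counts (7 daily, 4 weekly, 12 monthly), the "newest backup in each period" rule and the sample dates are assumptions.

```python
from datetime import date, timedelta


def gfs_plan(backups, daily=7, weekly=4, monthly=12):
    """Split backup dates into (keep, prune) under a GFS scheme.

    keep maps each retained date to the tier(s) holding it. The tier
    counts are assumed defaults; the page does not specify any.
    """
    ordered = sorted(set(backups), reverse=True)  # newest first
    keep = {}

    # Son: the most recent `daily` backups.
    for d in ordered[:daily]:
        keep.setdefault(d, []).append("son")

    # Father: newest backup in each of the latest `weekly` ISO weeks.
    # Grandfather: newest backup in each of the latest `monthly` months.
    tiers = (
        ("father", weekly, lambda d: tuple(d.isocalendar())[:2]),
        ("grandfather", monthly, lambda d: (d.year, d.month)),
    )
    for tier, limit, bucket in tiers:
        seen = set()
        for d in ordered:
            key = bucket(d)
            if key in seen:
                continue
            if len(seen) == limit:
                break  # older periods fall outside this tier's window
            seen.add(key)
            keep.setdefault(d, []).append(tier)

    # Anything no tier holds is past retention and should be deleted.
    prune = [d for d in ordered if d not in keep]
    return keep, prune


def sample_backups():
    """Constructed input: 90 nightly backups ending 2022-01-10."""
    return [date(2022, 1, 10) - timedelta(days=i) for i in range(90)]


if __name__ == "__main__":
    keep, prune = gfs_plan(sample_backups())
    for d in sorted(keep, reverse=True):
        print(d.isoformat(), "+".join(keep[d]))
    print(f"{len(prune)} backups past retention")
```

On the constructed 90-night sample, 12 backups are retained and 78 fall out of every tier, which shows how much data an unpruned backup set keeps beyond its stated retention window.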

What are some common data retention policy issues?

Data retention poses many challenges, such as aligning your policy with different legal regulations, setting a data retention schedule that prevents both over-retention and under-retention, keeping your retention policy flexible for different types of data and the legal reasons for keeping them, updating your policies as technology advances, and creating a policy that fits your organization’s budget.



About the Author
Bojana Krstic
Bojana Krstic is the Head of Content and SEO at Jatheon and an experienced writer on topics like data archiving, ediscovery, and compliance. When AFK, you’ll find her hiking, discovering new music, or road-tripping.
