Creating the Best Data Retention Policy:

Businesses of all sizes and industries benefit from a comprehensive data retention policy. Dealing with cloud-based apps and industry guidelines and laws can make deciding what data needs to be stored a difficult process. However, there are certain factors to consider that will help any business have a solid starting point.

First, it is important to understand what is a data retention policy. This policy helps a business determine the purpose of its data, if any laws apply to it, how long it should be kept, and how it should be archived or deleted. An effective data retention policy helps a business stay compliant with laws and regulations while cutting out inefficiencies and extracting business value from the data. A business must also understand that a sustainable data retention policy should be flexible so it can grow and chance as a business’ inventory and needs change.

Identify Where the Data Lives & Classify It

First, a business must identify where their data lives. It is imperative to make a comprehensive list of every application and data system the business uses whether it is in the cloud or on-premise. After the locations are identified, the data should be sorted starting with what is most pertinent to the business and the industry. Organizing the data this way helps highlight the most sensitive information and any retention periods that are applicable by law.

Understand Which Laws Apply to the Business & Data

The best way to understand which laws apply is by consulting the business’ legal and compliance teams. Both teams must work together closely in order to understand which laws and regulations apply first and foremost. It’s not uncommon to have more than one regulation apply to the business in a conflicting manner. If any conflicts are determined, it is important to document them and create a plan on the best way to handle them.

Align the Data Retention Policy with the Compliance Policy

Having a data retention policy that aligns with the current compliance policy not only helps with audits, but it also works to prevent risky or illegal internal activities. For example, if it is against the business’ compliance policy to share sensitive customer information, the retention policy should reflect where that sensitive information lives, how long it should live there, and how to retrieve it. 

Learn the Ins & Outs of the Data Sources

A business must understand and know the applications that are holding its data. Realistic retention goals cannot be set unless every applications’ purpose, capabilities, and limitations are understood. Speaking with the employees and vendors that handle these applications every day is a great way to learn about them.

Outline When or How Data Should be Archived or Deleted

Legal obligations are the first place to start when deciding when or how data should be archived or deleted. After legal obligations are met, figure out if there is a downside to deleting certain data, if there are the benefits, or if it is data that can be archived. After a timeframe is established, the next step is to decide how data will be deleted or archived. Do the applications used automatically delete data? Will deletion need to be performed manually? If dat is archived, where will it be stored? How long should it stay archived?

Monitor the Policy Regularly

After a data retention policy is completed, it is vital that the policy is maintained. Maintenance includes reviewing for current application updates, adding details if new applications are introduced, confirming any new legal obligations, etc. Yearly, if not more frequent, evaluations should be performed so the data retention policy is never out-dated. Creating the best data retention policy benefits all businesses despite size or industry. 


For more Tidbits & Thoughts, please click here.