Back to Glossary Home | Data Retention Policy
Data Retention Policy
What is a Data Retention Policy?
Data retention is the practice of archiving, storing, or retaining data, either to comply with external auditability and data privacy regulations, or to support internal business operations like data analytics, cybersecurity threat hunting, or auditing.
A data retention policy is a document that establishes an organization’s requirements and protocols for storing, retaining, and eventually disposing of enterprise data. The purpose of a data retention policy is to:
- Document the organization’s legal/regulatory and operational data retention requirements,
- Establish clear guidelines for storing and retaining data in a way that meets those requirements, and
- Ensure that the appropriate people, processes, and technologies are in place to consistently and cost-effectively deliver on compliance and operational objectives that depend on data retention.
What Should a Data Retention Policy Include?
No two data retention policies are exactly the same, and the specific contents of any data retention policy will vary depending on the nature of the organization and its IT operations, the industry in which the organization operates, and the specific regulatory requirements that apply.
Still, in virtually all cases, a data retention policy should provide clarity around the most important aspects of enterprise data storage and retention. This includes addressing questions like:
- What data is being generated and collected by our organization? Which departments, roles, or individuals own that data? Who has control of the data?
- What legal or regulatory requirements do we have to retain, preserve, or delete certain types of data?
- What business operational requirements do we have to retain, preserve, or delete certain types of data?
- What would be the anticipated business impact if experienced a data loss event or simply failed to retain data in compliance with regulatory demands and/or our operational needs?
- How long should specific data be retained? Where and how should the data be stored? What is the procedure for archiving data? When should the data be deleted?
- Who should be able to access the data? How will we control data access to preserve data security and integrity while satisfying our operational and compliance objectives?
- How frequently should data back-ups take place? What level of data loss would be unacceptable in the event of a device failure or service outage that impacts data storage infrastructure? What frequency of back-ups or failover capabilities are needed to prevent unacceptable data loss?
- How will we document or record data retention activities?
- Who is responsible for implementing the policy or managing data retention in compliance with the policy?
- How will the data retention policy be enforced? How will we know that the data retention policy is being followed?
- How will the data retention policy be updated as the business generates new types of data or is impacted by new legal/regulatory requirements?
Why You Need a Data Retention Policy
Ensuring Regulatory Compliance
Depending on your industry, your business may be required to comply with data security and privacy regulations to retain commercial privileges or operate in certain jurisdictions. Data security and privacy regulations often require businesses to do things like:
- Store data in a certain way with adequate security measures,
- Retain certain types of data for prescribed periods of time, usually to enable regulatory audits, and
- Delete or expire certain types of data at certain times to protect sensitive customer information.
Establishing a data retention policy helps organize resources within your business to comply with data privacy regulations in your industry.
Enabling Business Operations
In our data-driven world, organizations leverage data for a huge variety of operational use cases.
Whether you’re a healthcare business using patient data to improve treatment outcomes or a retail business using sales data to optimize your supply chains, establishing a data retention policy helps ensure that data is stored in an appropriate and cost-effective location, that it’s available when you need it, and that it’s adequately protected in case of a service outage or device failure.
Enabling Business Continuity and Disaster Recovery
Both compliance and operational objectives can be put into jeopardy if an unplanned service outage or device failure at your business causes unacceptable data loss. Establishing a data retention policy helps you identify mission-critical data within your organization, set appropriate Recovery Time and Recovery Point Objectives (RPOs), and implement the necessary back-up and failover systems to prevent unacceptable data loss.
Minimizing Data Retention Costs
Part of establishing your data retention policy is determining when data should be transitioned from “hot” storage (most accessible, higher cost) into “cold” storage (less accessible, lower cost), how long it should be saved for, and when it should be deleted or expired from systems. An effective implementation helps reduce your data storage costs while ensuring your most critical data remains accessible as needed.
How to Create a Data Retention Policy
Document Legal and Business Requirements for Data Retention
The first step you should take when establishing a data retention plan is to identify any data security/privacy regulations that apply to your business. Common examples include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the European General Data Protection Regulations (EU GDPR).
Next, you should look at how your business uses data to support internal operational processes. At this stage, it’s vital to look across departments and think about what types of data each area of the business needs to achieve their goals. The key questions are:
- What data is being used?
- Who is using the data?
- How is the data being used?
- What access controls, availability, etc. are needed to support these applications?
Clearly defining your legal obligations and operational requirements with respect to data retention will help you organize a data retention plan that supports these critical objectives.
Inventory and Categorize Data
The next step you’ll want to take when creating a data retention policy is to conduct a thorough inventory of data generated and collected by your business.
This includes all data from all departments and systems: sales data, marketing data, product usage data, customer and employee data, inventory data, transactional data, data from security and application logs, and the rest of it.
Once you have a complete inventory of your data, you’ll want to sort the data into categories. You may want to categorize your data based on which department it came from, or which legal/regulatory or operational requirements apply to the data. When finished, you should be able to answer questions like:
- What are all of the data sources within our organization?
- What types of data are we collecting?
- Which types of data are covered by relevant legal/regulatory frameworks?
- Which types of data are needed to support business operations?
Identify Key Data Owners
As you create your data inventory in the previous step, it’s also important to start identifying key data owners within your organization.
Of course the business itself is the literal “owner” of the data - the data owners we’re talking about here are the departments, teams, or leaders who collect, use, and manage each type of data. Marketing data is usually controlled by leaders inside the marketing department, sales data is typically collected and used by sales managers, and data from cloud applications or services is usually controlled by IT.
Once you’ve identified the key data owners within your organization, you can work with those stakeholders to better understand their data needs - plus, you’ll know exactly who to contact when you need access.
Conduct a Business Impact Analysis
As you develop your data retention policy, it’s a great idea to conduct a Business Impact Analysis (BIA).
The purpose of a BIA is to identify your organization’s most critical business activities, understand the potential impact of disruption to those activities, determine which data and resources are needed to support those activities, and establish both recovery time and recovery point objectives to ensure those data and resources remain available or can be recovered quickly in the event of a service outage.
Establish Data Retention Policies
At this point, you should know what data you have, who owns it, where the data is stored, and which data is essential for both legal/regulatory and operational purposes. As part of your BIA, you should have established recovery time and point targets for each type of data and analyzed the potential consequences of data loss/theft.
At this point, you should be ready to establish data retention policies. For each type of data you collect, you’ll want to document:
- Where the data will be stored,
- How long the data should be retained,
- What should happen to the data after the retention period (e.g. delete or archive)
Be sure to retain each type of data long enough to satisfy the legal and operational requirements identified earlier.
Establish Data Disposal Procedures
Many enterprises retain certain types of data for up to seven years, while other types of data may be retained for just a few days or weeks. Either way, it’s important to implement formalized procedures for deleting or archiving data following the planned retention period.
In many cases, the process of deleting or archiving old data can be automated using specialized software tools or cloud services.
Establish a Disaster Recovery Plan
Even with the right data retention policies and procedures in place, there’s still the potential for a service outage or device failure to cause data loss that negatively impacts your legal compliance and/or operational objectives.
To avoid unacceptable negative consequences of data loss, you’ll need to establish and implement a disaster recovery plan that can deliver on RTO and RPO targets for your most critical data. Some enterprises manage their own disaster recovery needs, while others depend on Backup-as-a-Service (BaaS) or Disaster Recovery-as-a-Service (DRaaS) services from MSPs like TierPoint.
Establish Data Access Policies
Organizations that collect sensitive personal data from their customers may be required by law to ensure that this information can only be accessed by authorized persons for a clear and defined purpose. When this is the case, your data retention policy should establish guidelines for controlling access to any data covered by such regulations.
Assign Roles and Responsibilities
Individual accountability is necessary to ensure that data retention policies will be followed. Your data retention policy should define the key roles and responsibilities for employees involved in data retention management, including IT personnel, department leaders, data owners, legal teams, and compliance officers.
Create a Process for Reviewing Your Data Retention Policy
Finally, it’s always a good idea to create a process for regularly reviewing your data retention policy and updating it as needed. As your business grows, it’s likely that you’ll adopt more applications with services, launch new products, and connect with more customers - and all of that means potentially new types of data that should be covered in your data retention policy.
We recommend regularly reviewing your data retention policy, looking at data inventory to identify new sources of data within the organization, and updating your data retention guidelines and disaster recovery planning to cover the new data.
5 Data Retention Policy Best Practices You Should Know
Automate Data Retention with Cloud Object Storage
If you’re storing your data in public cloud storage like Google Cloud Storage or Amazon S3, you can configure rules to automate the process of deleting or archiving data. You can also set up data access controls to restrict who can access your most sensitive data. Additionally, you can back-up or replicate data from your cloud object storage to enable cloud disaster recovery.
These features help protect against data loss while reducing the overall cost of your data retention initiatives.
Consider Data Encryption and Pseudonymization
If you plan to store sensitive customer data for long periods of time, consider implementing data encryption or pseudonymization. These measures make it more difficult for hackers to use the data for malicious purposes in case of a data breach.
Balance Data Retention and Storage Costs
Storing and retaining data costs money, so there’s always a trade-off between retaining more of your data and keeping your data storage costs down.
To minimize data storage costs, it’s important to retain only the data you need and only for as long as you need it. Storing data that won’t be used, especially for long periods of time, increases your data storage costs for no benefit and should be avoided.
Make Your Data Retention Policy Accessible
Once you’ve completed your data retention policy, make that policy easy to access for everyone in your organization. Ensure that data owners have read the policy and understand how it applies to them. Offer training on your data retention policy for everyone involved in implementing and managing it.
Conduct Regular Disaster Recovery Testing
Before you experience a genuine device failure that could potentially result in data loss, it’s important to verify that your disaster recovery plan can actually deliver on your RTO and RPO targets. Disaster recovery testing simulates a real device failure to verify that your failover and data replication systems can consistently meet targets for restoring operations and avoiding unacceptable data loss in case of a service outage.
Address Regulatory Requirements with TierPoint’s Proactive Security Solutions
TierPoint offers Proactive Security Solutions, including IT disaster recovery, security services, and data center services, to help our customers manage data retention and ensure compliance with data privacy and security regulations.
TierPoint’s data center compliance certifications include ISO 27001, SOC 1 Type II & SOC 2 Type II, HIPAA, PCI DSS v3.2.1, NIST SP 800-53, and more.
Ready to Learn More?
Book an intro call with us and see how TierPoint can help you develop and implement a data retention policy to meet your legal and operational requirements.
