The best data retention policy template to get you started
Editor’s note: This post was originally published in October 2020 and has been updated for accuracy and comprehensiveness.
They say more is better. And that’s true in many cases, but not when we’re talking about a stockpile of data that can hamper productivity and raise your organization’s risk profile.
Back in 2012, IDC calculated that information workers spent approximately 9.4 hours per week searching for and handling documents. Now, imagine how that number would look a decade later — especially considering that the average company uses a whopping 130 SaaS apps. More apps and more data creators and custodians have led to data becoming more scattered, disorganized, and harder to discover than ever before.
And a lack of organization isn’t the only problem with hoarding your organization’s data. The more data you have, the bigger target you are for cybercrime. In 2022, 83% of U.S. companies suffered more than one data breach, with the average global cost of a data breach sitting at a hefty $4.45 million. A growing patchwork of global, federal, and state laws governing data privacy and security means organizations face expensive penalties and reputational harm if their data falls into the wrong hands. Not to mention, more data causes the cost of identifying, collecting, reviewing, and producing data in litigation, due diligence, and regulatory investigations to skyrocket.
These costs and risks make it imperative for businesses to take control of their data, preserving data that adds value to the business and retaining records necessary for compliance, while filtering out the rest. The problem is, there isn’t an easy button for data retention. You can’t snap your fingers and sort your data into buckets to keep and purge. Instead, you’ll need to create a comprehensive data retention policy as part of your information governance program.
In this blog, we’ll walk you through data retention best practices and share a downloadable data retention policy template to help you get organized and gain better visibility into your data’s lifecycle.
What is a data retention policy?
Before you download the data retention policy template, let’s first cover what a data retention policy is. A data retention policy contains your organization’s central guidelines for handling its data. It helps you determine the purpose of your data, what laws (if any) apply to it, how long it should be kept, and how it should be archived or deleted when the time comes.
An effective data retention policy not only helps you stay compliant with laws and regulations but also helps you cut inefficiencies and extract business value from your most valuable asset: your data.
How to set up a sustainable data retention policy
Before filling out our data retention policy template, you’ll want to do some preliminary work. A robust data retention policy is a living, breathing document, which means setting up a sustainable foundation is key. When meeting legal requirements and understanding the retention and discovery capabilities of your apps, your retention policy should be flexible to an ever-changing and rapidly growing data inventory. By following these steps, your data retention policy will sustain your organization’s changes and growth for years to come.
1. Identify where your data lives and classify it
The first step in filling out a sustainable data retention policy template is to identify where your data lives. Make an exhaustive list of every app and data system in the cloud or on-premise that holds company data. Once you've done this, classify the types of data most pertinent to your organization. Organizing data that’s related to your industry is a good start. For example, if your company is in the healthcare sector, this might include personally identifiable information (PII) such as dates of birth, Social Security numbers, and protected health information (PHI). On the other hand, if you're in finance, you might need to sort your data into credit scores, PINs, and loan information.
Fortunately, you don’t have to comb through all of your data byte by byte to determine what to keep. AI-powered technology, including machine learning and natural language processing, can classify and categorize data based on its content, context, and sensitivity. AI tools can also recognize personal and otherwise sensitive information in your dataset. For example, AI can identify the patterns that form Social Security numbers, phone numbers, and more.
Organizing your data retention policy in this way will not only help you pinpoint your most sensitive information first, but it will also highlight the data retention periods that automatically apply to you by law. After you've identified your most sensitive data, it becomes easier (and less risky) to sort through the rest. We also recommend a data classification schema with categories such as "confidential," "proprietary," and "public."
2. Understand which laws apply to you
Before filling out the data retention policy template, consult your legal and compliance teams. Legal requirements take precedence over business needs, and understanding which laws and regulations apply to your organization comes first.
Sometimes more than one law or regulation will apply to your organization, creating conflicting data retention requirements. In such cases, you'll want to outline the instances that would create this conflict and document a plan of action to handle the conflict that you can share with a court or regulator if necessary.
Below are some laws and regulations to consider.
- Bank Secrecy Act (BSA) – Under the BSA, financial institutions must keep records for five years; the Consumer Identification Program (CIP) requires retention for five years from account closure or from the date information is received.
- California Consumer Privacy Act (CCPA) – The CCPA does not set forth a specific data retention period, but it does require organizations to hold onto PII in the event that its rightful owner asks for it to be disclosed. The CCPA has now been updated with the California Privacy Rights Act (CPRA), which requires businesses to disclose how long they keep each category of PII or, at a minimum, to disclose the criteria they use to determine retention periods. Companies must limit their data retention to only as long as is necessary to fulfill their purpose for collecting the data. In other words, they must implement a maximum retention period for consumers' personal data. (As of the date of this update, enforcement of the CPRA has been delayed until at least March 29, 2024.)
- Children’s Online Privacy Protection Rule (COPPA) – The COPPA allows businesses to only retain information on children under 13 as long as necessary to fulfill the business purpose for which it was collected. The information must be deleted using reasonable measures to protect against its unauthorized access or use.
- Equal Employment Opportunity (EEO) Act – The EEO Act requires that employers keep all personnel or employment records for one year. If an employee is involuntarily terminated, their personnel records must be retained for one year from the date of termination.
- Fair Labor Standards Act (FLSA) – Under the FLSA, employers must retain payroll records, collective bargaining agreements, and sales and purchase records for up to three years. Records used for wage computations should be retained for two years, including time cards, piece work tickets, wage rate tables, work and time schedules, and records of additions to or deductions from wages.
- General Data Protection Regulation (GDPR) – Article 5 explains that when EU citizens’ personal data is collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which data are processed.” Those purposes must be clearly explained at the time of collection.
- Gramm-Leach-Bliley Act (GBLA) – As of 2022, the GLBA requires financial institutions to securely dispose of customer information no later than two years after the last date that the information was used, unless retention is otherwise required or necessary for legitimate business purposes.
- Health Insurance Portability and Accountability Act (HIPAA) – There is no HIPAA retention period for medical records; however, businesses are required to keep HIPAA-related documents for a minimum of six years. In addition, each state has its own laws governing the retention of PHI, which vary.
- Occupational Safety and Health Act (OSH Act) – The OSH Act requires employers with more than 10 employees to keep an annual record of serious work-related injuries and illnesses for at least five years. Other retention periods vary depending on the type of record; for example, records of exposure to toxic substances must be kept for the duration of an employee’s employment plus 30 years, while records of noise exposure must only be kept for two years.
- Payment Card Industry Data Security Standard (PCI DSS) – Under PCI DSS, any organization that stores, processes, and/or transmits cardholder data must automatically get rid of cardholder data when it is no longer needed for legal, contractual, or business purposes. Businesses must use multiple layers of protection over cardholder data that is stored.
- Sarbanes-Oxley Act (SOX) – Under SOX, public companies must retain audit and review information for a minimum of seven years.
This is by no means an exhaustive list, so be sure to discuss the data retention laws and regulations that apply to your industry and state with your legal and compliance teams.
3. Align your data retention policy with your compliance policy
As with any legal obligation, your data retention policy should go hand in hand with your compliance policy. But compliance policies aren’t just about undergoing audits or maintaining CCPA compliance, for example; they also extend to internal procedures that prevent risky or illegal activities. Creating a data retention policy with this in mind can serve as a proactive mechanism against risk.
For instance, if it's against your organization's compliance policy to share sensitive customer information, your data retention policy should reflect where that sensitive information lives, how long it should live there, what its source's default retention settings are, and how to retrieve it if necessary. Filling out your data retention policy template with this in mind will make all the difference for security, privacy, and overall information governance.
4. Learn the ins and outs of your data sources
All too often, organizations make the mistake of setting data retention policies without getting to know the apps that hold their data. Until you understand the purpose of your applications and what their native capabilities and limitations are, you can’t set realistic data retention goals. This is particularly true in the era of shadow IT, where individual users download and use software without the knowledge of your organization’s IT team. Be sure to consider both internal and external data sources, including data received from customers, partners, and vendors, as well as backups and archives.
If it’s been some time since you last reviewed your data store, here are some emerging data sources to consider:
- Data from chat and collaboration tools such as Zoom, Slack, and Jira, including conversations, channels, activity logs, call logs, recordings, attendee data, and alerts
- Social media and user-generated content, such as reviews and comments
- Internet of Things (IoT) devices, such as smart sensors, wearables, and connected appliances
- AI data, such as data used for training machine learning models and developing AI algorithms
- Streaming data, such as event logs and clickstream data
- Biometric data, including fingerprints and facial recognition data
- Geolocation data from mobile devices and GPS-enabled systems
- Blockchain data
Although it’s impossible to know every application like the back of your hand, you’ll want to get as much information as you can from the people who do. Interview employees and ask them how they’re using the system, contact vendors and ask detailed questions around retention and discovery capabilities, and document it all when you’re done. A useful tool for recording the flow of data in your organization is a data map, which tracks how data moves from its source through processes and systems until its destination (archival or deletion).
You’ll also need to understand the types of data that your data sources collect, process, and store. Be sure to include both structured data, such as databases and spreadsheets, as well as unstructured data, such as memos, chats, and emails.
With a comprehensive understanding of your data, it becomes easier to spot and mitigate risk.
5. Outline when and how data should be archived or deleted
Once you know what data you have, where it lives, and what laws and policies pertain to it, it’s time to develop a retention period for it. Start with legal obligations: do you have to keep this data for one year? Five years? Seven years? Make sure that the retention period is recorded and enforced. If you don’t have a legal obligation to retain data, work with stakeholders in other departments to get a holistic view of your data’s value. If there are no clear benefits to retaining it, ask yourselves, “What is the downside to deleting this?” or “Can this be archived?”
After you’ve established a retention period, document the manner in which data should be deleted or archived. Will your applications delete data automatically, or will you have to do it manually? Where will the data be stored if archived, and how long should it stay archived? It’s important to think about the answers to these questions when customizing your data retention policy template.
6. Establish security measures for retained and deleted data
Include a comprehensive data destruction policy as part of the data retention policy. This policy should specify the methods, procedures, and responsibilities for securely deleting data once its retention period expires. Secure deletion methods such as data shredding and cryptographic erasure overwrite deleted data with random data patterns, making it extremely difficult for anyone to recover the original data.
AI tools can also assist in the archiving and deletion process. AI can index and move documents to a designated repository based on predefined criteria or retention policies. AI can also help enforce data retention policies by tracking the retention periods of documents, generating alerts for documents approaching their deletion deadline, and initiating deletion once the retention period expires. Finally, this technology can verify that documents are securely and completely deleted when they reach the end of their retention period and maintain deletion logs for auditing and compliance purposes.
Working with your IT team, ensure that only authorized personnel can delete records. Implement role-based access controls and multi-factor authentication, along with audit trails and data logging, so you can see who accessed what data and when and detect any suspicious activity.
7. Suspend data destruction during legal holds
When a legal hold is in place, it means that certain data relevant to a legal proceeding or investigation must be preserved and cannot be altered, deleted, or destroyed until the hold is lifted. Companies need a procedure for stopping any data retention actions that might affect data covered by the legal hold, including both manual and automated data deletion.
First, establish a method for notifying all affected personnel about the legal hold. Then provide clear instructions on preservation requirements. Check with IT to make sure your systems can preserve data, including metadata, in its original form without alteration.
Be sure to keep records of all steps you took to preserve your records. And make sure your process explains how you will lift the hold and resume normal data retention and deletion practices.
8. Set roles and responsibilities in data retention
It’s essential to establish clear roles and responsibilities under your data retention policy to ensure that all stakeholders understand their obligations and contribute to the policy's successful implementation. The first step is to identify all personnel involved in data management in your organization, including legal, senior management, IT, compliance, HR, and relevant department heads.
Then designate a committee to oversee the development, implementation, and enforcement of your retention policy. The committee’s leader should understand data retention requirements and relevant laws and regulations. The committee should help define data retention periods and implement the policy. Legal should advise on retention periods, and the IT team should set up and oversee access controls, encryption, data backup, and data deletion processes.
Finally, data owners should be tasked with determining the value and significance of data, while custodians must implement retention rules for specific data sets.
9. Train employees on your data retention policy
To improve compliance, employees must undergo regular training on the policy. Create clear, easily understandable training materials that explain the purpose and importance of the data retention policy, its key elements, data categories, retention periods, data handling procedures, and the consequences of noncompliance. Run interactive training sessions, whether in person or virtually, where employees can ask questions, and use real-life examples and scenarios to illustrate how the data retention policy applies to different data types and situations.
Schedule periodic refresher training sessions to reinforce the importance of the data retention policy and to inform employees about any policy changes or updates.
10. Monitor your policy regularly
Even after your data retention policy template is complete, the work doesn’t stop there. A good data retention policy requires ongoing maintenance to provide continual value. Make sure you’re constantly monitoring retention updates to your current applications and adding the details of new ones early on in their implementation.
Perhaps set a monthly or yearly check-in to ensure your policies are still adequate. Your data retention policies should never be outdated, so long-term thinking and process can help it remain an enduring source of truth.
How to use Onna’s data retention policy template
Now that you’ve covered all of your data retention bases, it’s time to put it in writing. We created this data retention policy template with all of the above considerations in mind and made it adaptable to your unique needs. Once again, it’s imperative that you consult your legal and compliance teams while filling this out. You may also find that you need to pull in other key stakeholders, such as HR, finance, and IT, throughout the process to make sure no stone is left unturned.
Now, without further ado, download our data retention policy template and check out our pointers on filling it out below.
Part 1: The retention schedule
Go to the first tab of our data retention policy template to locate the retention schedule. This will be your central source of truth to address what data you retain, how long you retain it, and why.
List the business functions that oversee critical data in your organization. We listed typical functions you can find at almost every organization, but depending on the size and structure of your organization, this column may look different. Feel free to add or subtract to this list and customize labels.
Note that sometimes responsibility over certain data may be shared by two business functions. If this is the case, make sure that it is reflected in record class names and/or notes.
Record class name
Label your record class. The record class name is the type of file you are saving within each business function. There can be multiple files to save within each business function, so be sure you assess their retention periods individually. It may even make sense to create subgroups of your record classes. For example, in human resources, you can break up files into a benefits category as well as an employment category. We’ve included some typical record classes for reference.
Record class code
Within record classes are record class codes to help organize data even further. Regardless of whether your record classes are saved in the cloud, on a hard drive, or a data room states away, you want to classify them according to a specific code to communicate to stakeholders what the retention requirement is.
Note: Certain record classes may belong to more than one business function. For example, your compliance, audit, and IT teams may have to collaborate on a security audit. Regardless, make sure you stick to one code for that record class.
Input the retention period for the corresponding record class. Remember, always take legal requirements into consideration first. If there are no legal requirements, consider business needs then operational efficiency to determine what to retain or delete.
Again, keep in mind there may be different retention periods for different record classes. Assess them on an individual basis.
If applicable, link to the citation that is driving the retention period. This way, you can easily access it for reference. We recommend conducting a refresh of your retention citations every two years to check for any updates.
It’s so important to document where the data within each record class lives. This way, you’ll know exactly where to collect data from in the case of litigation, data subject access requests, or any matter thrown your way.
Tip: The second tab of our data retention policy template will dive deeper into retention within data sources.
Check the box if the corresponding record class contains PII. By taking note of which record classes contain PII, you can better respond to sensitive privacy matters down the line.
Ask who is authorized to retain, delete, or archive data. Assign this person(s) as the authorized manager. They will oversee the entire lifecycle of their respective record classes.
Use this column to jot down any information that might be relevant about the corresponding record class. Is there a specific way this data needs to be archived or deleted? Is there a limitation in the data source that requires regular maintenance? It could be helpful to keep knowledge like this on hand.
Part 2: Retention and discovery overview for cloud applications
Go to the second tab of our data retention policy template to locate a retention and discovery overview for cloud applications. This section gives you a high-level overview of these apps’ native capabilities and limitations when it comes to data retention and eDiscovery. Chances are you already have a few of these apps in your tech stack, but if you don’t, feel free to add data sources and research of your own.
Cloud collaboration/communication apps
Here, we’ve listed some of today’s most popular cloud collaboration/communication apps. This is not an exhaustive list; we focus on the apps that we’ve found present the most challenges for data preservation and discovery and thus are likely the most helpful to analyze.
In this column, we list the data types we believe are worth preserving within each app. You may add or subtract to this list based on your individual needs.
Native retention settings
Here’s a breakdown of each app’s native retention settings and any limitations we know of. Note that new updates are being made all the time. Be sure to check in with your admin and the vendors themselves to get the latest updates and understand how your organization’s plan stacks up to changing legal and compliance requirements.
Native eDiscovery method
Here’s a breakdown of each app’s native eDiscovery methods and any limitations we know of. It’s crucial to have an eDiscovery method in place to help you find and take action on data at a moment’s notice.
Tip: Onna eDiscovery is compatible with all of the apps you see on this list.
In this column, outline the specific permission levels or licensing tiers required to access and modify data retention settings within each application. Cloud platforms frequently differentiate features and capabilities based on user roles or licensing subscriptions.
Understanding the necessary permission level or license tier helps ensure that designated personnel have proper access to manage retention policies effectively. It also assists in budgeting and planning decisions, especially when enhanced data management capabilities are tied to premium licensing options.
This column is intended to provide information about the standard data retention duration set by each application by default. Default periods serve as a baseline from which organizations can make informed decisions about customizing or extending retention settings to meet their specific needs.
Types of API
In this column, indicate the types of Application Programming Interfaces (APIs) offered by each application. Understanding the available types of APIs is crucial for determining how easily and effectively you can manage, retain, and discover the data within each respective platform.
Ready to take your information governance practices to the next level?
And there you have it — the best data retention policy template to get you started on your information governance journey. We hope this template helps sharpen your data retention efforts, regardless of your organization’s data retention maturity.
Remember to customize your template to your unique needs, foster cross-collaboration with other departments, and constantly monitor updates to laws, regulations, and technology. If you do this, your data retention policy will be sure to remain a cornerstone for security, compliance, information governance, and invaluable business insights for years to come.
Want to see how Onna can help you control data retention in today’s most popular cloud apps? Reach out to learn more.