Organizations of all sizes and industries benefit from a comprehensive data retention policy. Between a sprawl of cloud-based apps and industry guidelines and laws, outlining what data needs to be stored, how it needs to be stored, and how long it needs to be stored, is no easy feat. However, with the right data retention policy template, you’ll have a solid starting point. In this article, we’ll walk you through data retention best practices and provide you with a downloadable data retention policy template to help you get organized and gain better visibility into your data’s lifecycle.

What is a data retention policy?

Before you fill out your data retention policy template, let’s first cover what a data retention policy is. Your data retention policy is your organization’s central guidelines for handling its data. It helps you determine the purpose of your data, what laws (if any) apply to it, how long it should be kept, and how it should be archived or deleted when the time comes. An effective data retention policy not only helps you stay compliant with laws and regulations but also helps you cut inefficiencies and extract business value from your data. Data is the most valuable asset today’s organizations have. In fact, companies use an average of 88 apps across their workforce leaving critical information scattered, disorganized, and undiscoverable. A mature data retention policy can solve for this disorganized data landscape. In the next section, we tell you how.

How to set up a sustainable data retention policy

Before filling out our data retention policy template, you’ll want to do some preliminary work. A robust data retention policy is a living, breathing document — which means setting up a sustainable foundation is key. When meeting legal requirements and understanding the retention and discovery capabilities of your apps, your data retention policy should be flexible to an ever-changing, and rapidly growing data inventory. By following these steps, your data retention policy template will sustain your organization’s changes and growth for years to come.

1. Identify where your data lives and classify it

The first step in filling out a sustainable data retention policy template is identifying where your data lives. Make an exhaustive list of every app and data system in the cloud or on-premise that holds company data. Once you’ve done this, classify the types of data most pertinent to your organization. Organizing data that’s related to your industry is a good start. For example, if you’re in Healthcare, this might be PII such as dates of birth, social security numbers, and medical history, whereas if you’re in finance, this might be credit scores, PINs, or loan information. 

Organizing your data retention policy in this way will not only help you parse out your most sensitive information first, but also highlight the data retention periods that automatically apply to you by law. Once your most sensitive data is categorized, it becomes easier (and less risky) to sort through the rest. We also recommend a data classification schema with categories such as “confidential”, “proprietary”, and “public.”

2. Understand which laws apply to you

Before filling out your data retention policy template, consult your legal and compliance teams closely. Legal requirements take precedence over business needs, and understanding which laws and regulations apply to your organization comes first. Sometimes, if more than one regulation applies to your organization their data retention requirements will conflict. In this case, you’ll want to outline what instances would create this conflict and document a plan of action for when the time comes. Below are some laws and regulations to consider:

• General Data Protection Regulation (GDPR) – Article 5 explains that when EU citizens’ personal data is collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which data are processed.” Those purposes must be clearly explained at the time of collection.

• California Consumer Privacy Act (CCPA) – CCPA does not have a set retention period, but it does require organizations to hold onto PII in the event that its rightful owner asks for it to be disclosed.

• Health Insurance Portability and Accountability Act (HIPAA) – There is no HIPAA retention period for medical records, however, there is a requirement to keep HIPAA-related documents for a minimum of six years. In addition to this, each state has its own laws governing the retention of medical records, and they can vary based on the nature of the records and to whom they belong.

• Equal Employment Opportunity (EEO) – EEO requires that employers keep all personnel or employment records for one year. If an employee is involuntarily terminated, their personnel records must be retained for one year from the date of termination.

• The Gramm-Leach Bliley Act (GBLA) – GLBA requires financial institutions to retain privacy notices forever and provide consumers with the option of prohibiting the sharing of their confidential information with non-affiliated third parties.

• Bank Secretary Act (BSA) – Under the BSA, financial institutions must keep records for five years.

• Fair Labor Standards Act (FLSA) – Under the FLSA, Employers must retain payroll records, collective bargaining agreements, sales and purchase records for up to three years.

• The Payment Card Industry Data Security Standard (PCI DSS) – Under PCI DSS, any organization that stores, processes, and/or transmits cardholder data must automatically get rid of cardholder data or instill multiple layers of protection over cardholder data that is stored.

• Federal Records Act of 1950 – The Federal Records Act of 1950 requires every federal agency to establish an ongoing records management program in cooperation with The National Archives and Records Administration (NARA).

• Sarbanes-Oxley Act (SOX) – Under SOX, public companies must complete an annual audit providing proof of accurate, data-secured financial reporting. SOX specifies different data retention dates for different document types. Here’s a good breakdown of what they are.

By no means is this an exhaustive list, so be sure to review with your legal and compliance teams to understand what applies to you.

3. Align your data retention policy with your compliance policy

Similar to legal obligations, your data retention policy should go hand in hand with your compliance policy. But compliance policies aren’t just about undergoing audits or maintaining CCPA compliance, they also extend to internal procedures that prevent risky or illegal activities. Creating a data retention policy with this in mind can serve as a proactive mechanism against risk. For example, if it’s against your organization’s compliance policy to share sensitive customer information, your data retention policy should reflect where that sensitive information lives, how long it should live there for, what its source’s default retention settings are, and how to retrieve it if necessary. Filling out your data retention policy template with this in mind will make all the difference for security, privacy, and overall information governance.

4. Learn the ins and outs of your data sources

All too often organizations make the mistake of setting data retention policies without getting to know the apps that hold their data. Until you understand the purpose of your applications and what their native capabilities and limitations are, you can’t set realistic data retention goals. Although it’s impossible to know every application like the back of your hand, you’ll want to get as much information as you can from the people that do: Interview employees and ask them how they’re using the system, contact vendors and ask detailed questions around retention and discovery capabilities, and when you’re done, document it all. Once you’ve done this, it becomes easy to spot and mitigate risk.

5. Outline when and how data should be archived or deleted

Once you know what data you have, where it lives, and what laws and policies pertain to it, it’s time to develop a retention period for it. Start with legal obligations — do you have to keep this data for one year? Five years? Seven years? Make sure that retention period is recorded and enforced. If you don’t have a legal obligation to retain data, work with stakeholders in other departments to get a holistic view of your data’s value. If there are no clear benefits to retaining it, ask yourselves, “What is the downside to deleting this?” or “Can this be archived?”
After a retention period is established, you should document the manner in which data should be deleted or archived. Will your applications delete data automatically or will it have to be manually done? Where will the data be stored if archived and how long should it stay archived for? It’s important to think about the answers to these questions when customizing your data retention policy template.

6. Monitor your policy regularly

Even after your data retention policy template is filled and complete, the work doesn’t stop there. A good data retention policy requires ongoing maintenance to provide continual value. Make sure you’re constantly monitoring retention updates to your current applications and adding the details of new ones early on in their implementation. Perhaps set a monthly or yearly check-in to ensure your policies are still adequate. Your data retention policies should never be outdated, so long-term thinking and process can help ensure it remains an enduring source of truth.

How to use Onna’s Data Retention Policy Template

Now that you’ve covered all of your data retention bases, it’s time to put it in writing. We created this data retention policy template with all of the above considerations in mind and made it adaptable to your unique needs. Once again, it’s imperative that you consult your legal and compliance teams while filling this out. You also may also find that you need to pull in other key stakeholders such as HR, Finance, or IT throughout the process to make sure no stone is left unturned.

Now without further ado, download our data retention policy template and check out our pointers on filling it out below.

Part 1: The Retention Schedule

Go to the first tab of our data retention policy template to locate the retention schedule. This will be your central source of truth to address what data you retain, how long you retain it, and why.

Business Function

List the business functions that oversee critical data in your organization. We listed typical functions you can find at almost every organization, but depending on the size and structure of your organization, this column may look different. Feel free to add or subtract to this list and customize labels. It’s important to note that sometimes responsibility over certain data may be shared by two business functions. If this is the case, make sure that is reflected in record class names and/or notes.

Record Class Name

Label your record class. The record class name is the type of file you are saving within each business function. There can be multiple files to save within each business function, so be sure you assess their retention periods individually. It may even make sense to create sub-groups of your record classes. For example, in human resources, you can break up files into a benefits category as well as an employment category. We’ve included some typical record classes for reference.

Record Class Code

Within record classes are record class codes to help organize data even further. Regardless of whether your record classes are saved in the cloud, on a hard drive, or a data room states away, you want to classify them according to a specific code to communicate to stakeholders what the retention requirement is. Note: Certain record classes may belong to more than one business function. For example, your compliance, audit, and IT teams may have to collaborate on a security audit. Regardless, make sure you stick to one code for that record class.

Retention Period

Input the retention period for the corresponding record class. Remember, always take legal requirements into consideration first. If there are no legal requirements, consider business needs, then operational efficiency to determine what to retain or delete. Again, keep in mind there may be different retention periods for different record classes. Assess them on an individual basis.

Retention Citation

If applicable, link to the citation that is driving the retention period. This way, you can easily access it for reference. We recommend conducting a refresh of your retention citations every 2 years to check for any updates.

Data Sources

It’s so important to document where the data within each record class lives. This way, you’ll know exactly where to collect data from in the case of litigation, data subject access requests, or any matter thrown your way. Tip: The second tab of our data retention policy template will dive deeper into retention within data sources.

PII Documentation

Check the box if the corresponding record class contains PII. By taking note of which record classes contain PII, you can better respond to sensitive privacy matters down the line.

Authorized Manager

Ask yourself, who is authorized to retain, delete, or archive data? Assign this person(s) as the authorized manager. They will oversee the entire lifecycle of their respective record classes.

Notes

Use this column to jot down any information you feel is relevant to know about the corresponding record class. Is there a specific way this data needs to be archived or deleted? Is there a limitation in the data source that requires regular maintenance? Any knowledge like this could be helpful to keep on hand.

Part 2: Retention and Discovery Overview for Cloud Applications

Go to the second tab of our data retention policy template to locate our retention and discovery overview for cloud applications. This section gives you a high-level overview of these apps’ native capabilities and limitations when it comes to data retention and eDiscovery. Chances are you already have a few of these apps in your tech stack, but if you don’t, feel free to add data sources and research of your own.

Cloud Collaboration/Communication App

Here, we’ve listed some of today’s most popular cloud collaboration/communication apps. This is not an exhaustive list, however, we focus on the apps that we’ve found present the most challenges for data preservation and discovery and felt would be helpful to analyze.

Data types

In this column we’ve listed the data types we believe are worth preserving within each app. You may add or subtract to this list based on your individual needs, but what we’ve listed we feel are necessary to preserve.

Native Retention Settings

Here’s a breakdown of each app’s native retention settings and any limitations we know of. It’s important to note that new updates are being made all the time. Be sure to check in with your admin and the vendors themselves to get the latest updates and understand how your organization’s plan stacks up to legal and compliance requirements.

Native eDiscovery Method

Here’s a breakdown of each app’s native eDiscovery methods and any limitations we know of. It’s crucial to have an eDiscovery method in place to help you find and take action on data at a moment’s notice.

And there you have it — the best data retention policy template to get you started. We hope this template helps sharpen your data retention efforts regardless of what stage of maturity they’re at. Remember to customize your template to your unique needs, foster cross-collaboration, and constantly monitor updates to regulation and technology. If you do this, your data retention policy will be sure to remain a cornerstone for security, compliance, information governance, and invaluable business insights.