Understanding Data Retention Policies: Importance, Implementation, and Best Practices
In 2021, JP Morgan was fined $125 million (later increased to $200 million) for its significant, firm-wide recordkeeping failures. The global financial institution did not properly enforce its communication rules, meaning that colleagues often discussed business matters on their personal devices. This communications data was not properly stored or monitored, leading to a lack of transparency around high-risk behaviours and, consequently, regulatory violations.
Written by a human
This example highlights the importance of implementing and following a concrete data retention policy, and in properly managing the data that flows in and out of your business. With a range of legal and regulatory constraints, organizations must consider their data collection, classification, access and disposal rules in order to truly own their data policies.
What is a Data Retention Policy?
A data retention policy is an organization’s protocol for storing, preserving, accessing and disposing of information. It defines the company’s rules around how they maintain the quality and integrity of the data and frames the way that employees should be interacting with it.
Clear data retention policies are important because they set the standards inside an organization and aim to prevent the misuse or mistreatment of data. Creating smooth operational processes (including data retention policies) also support businesses to comply with regulatory requirements, preventing data leaks, fraud and non-compliance penalties.
Public Health England: When Data Retention Practices Go Wrong
During the initial wave of Coronavirus in the UK, Public Health England was responsible for tracking emerging cases of the disease to monitor its containment (or spread) across the country.
They were relying on legacy software to record and retain this data, and while the team had planned on upgrading this, the pressing timing of the pandemic meant that they would have to make do with the current software.
What the team didn’t realize was that the data file could only hold up to 65,000 rows of data, enough to record around 1,400 cases of Covid. Without updating the database retention policy, around 50,000 cases of covid were input into the software and not retained, causing a significant tracing failure.
Since this error occurred before vaccines and other treatments had been rolled out, it’s likely that thousands of people who should have been told to self-isolate were completely missed, permitting further spread of the disease.
Types of Data Retention Policies
Break down the data retention meaning in your organization by the following three key categories to develop better policies:
- Organizational
- Legal
- Regulatory
| Type | Example data retained | Policy Excerpt Example | Key Benefits |
| Organizational | Analytics, Supplier payment data | “Access the information retained in the vendor database to match bank details against those in the invoice before payment is made” | – Create standardized processes for efficiency – Protect organizational security |
| Legal | Employment records, financial reporting data, | “Employment records, such as those related to redundancy, leave, and sickness, must be retained for at least six years” | – Collect evidence in the case of legal claims – Follow legal best practices |
| Regulatory | GDPR: customer personally identifiable data | “Include a disclosure on which customer information is collected, its purpose and the collection method when creating a customer sign-up form” | – Protect against data breaches, leaks and fraud – Maintain the company reputation and prevent financial penalties |
Key Components of a Data Retention Policy
There are some must-have categories for every data retention policy, including:
- Scope
- Data retention rules: authorization, purpose, storage methods and periods
- Data classification
- Data disposal methods
- Data security
Scope
The scope of a data retention policy defines its purpose, who it applies to and highlights the relevant regulations that the policy aims to adhere to.
For example, a company’s data policy in the U.K. may have to consider GDPR. The scope would give an overview of the regulation, why it’s important, and what the consequences of non-compliance may be. In this example, the policy rules will relate to GDPR to ensure that the company collects, stores and uses data only for the approved purposes. It would outline the fines, penalties, and reputational damage associated with choosing not to follow the policy.
Data retention rules
The rules must be spelled out clearly and unambiguously, without any room for misinterpretation. The rules should include:
- In which situations, or for what purpose, data can be retained
- Which categories of personal data should be retained
- Which secure storage methods must be used for the data (data archiving rules)
- Where is best to store the data
- For how long the data must be stored
These rules aim to create boundaries around which personal information can be collected, and which must not, in accordance with the regulation and best practices.
Data classification
Data classification refers to the way that organizations process their retained data for analysis, targeting or another business function. Data categories may include the likes of: administrative customer records, employee records, legal records, financial records, etc.
Each category may require different treatment, so it’s an important distinction to make as part of your retention data policy.
For example, certain Securities and Exchange Commission (SEC) regulations require financial records to be held for between 3 and 7 years, whereas personally identifiable customer data can be held for as little as 90 days.
Data disposal
Data disposal should outline how your organization gets rid of data, while keeping it secure and anonymous. This section should answer questions like:
- Should data be disposed of manually or automatically?
- Which methods are best to dispose of retained data?
- What checks are required before disposing of data?
- Who is authorized to perform data disposal?
- How often should you be disposing of data?
Data security
It’s been an ongoing theme throughout this piece, but data security should lie at the heart of any data retention policy. Rather than being its own heading within the policy, data security best practices should be considered and sprinkled throughout to ensure that your company is minimizing the risks of data leaks and cyberattacks.
Keeping your data retention policy updated
Data retention policies are an incredibly important tool for businesses to stay on the right side of the regulators. They provide a concrete framework for staff, and proof of your efforts to auditors.
But a data retention policy is only as good as its last update. Due to the pace at which the digital world moves, the rules and best practices are constantly evolving. It means that organizations must prioritize regular reviews of their data retention policy, including measuring how well it’s working, and commit to keeping it updated, in order to truly evolve as the data does.
For support with implementing a new data retention policy and maintaining your data archive, contact the team at Global Relay for a demo.