Your Guide to Drafting a Data Retention Policy

Each day, organizations across the globe handle massive amounts of information, and ensuring it's managed securely, compliantly, and efficiently is no walk in the park. The nitty-gritty of data retention, from knowing how long to keep specific files to wading through a maze of regulations, can be tricky. But, slip-ups can cost more than just a hefty fine — think reputation hits and those dreaded security breaches. So, whether you're at the helm of a fledgling startup, steering a corporate ship, or just curious about the lifespan of digital data in an organization, this guide has got your back.

What is Data Retention?

Data retention outlines the strategies for managing and maintaining data to meet legal and business archival obligations. Various retention policies consider legal, privacy, economic, and informational needs to establish the duration of retention, archiving guidelines, data formats, and the appropriate methods for storage, access, and encryption.

What is a Data Retention Policy?

A data retention policy outlines the principles that organizations follow to manage the storage of information for operational needs, all the while aligning with relevant legal and regulatory requirements. This policy primarily focuses on preserving data for later use, arranging the data in a way that allows efficient access, and eliminating unneeded information. These guidelines specify which data is archived, its retention duration, and its subsequent handling post-retention — be it archiving or destruction. An integral component of a robust data retention policy is the secure deletion of retained information, often achieved by encrypting the data upon storage and subsequently eliminating the encryption key after a predetermined period, thereby rendering the data and its copies inaccessible from both online and offline storage.

What Is a Data Retention Period?

The timeframe an entity holds onto information is termed the data retention period. Several elements, including the type of information, its planned application, its continued significance, and relevant laws, affect the duration of this span. While the exact time can vary among different companies or sectors, it usually spans from three to ten years. After the information has served its designated function, it is essential to either safeguard it, make it anonymous, or eliminate it in the right manner.

Data Retention Laws

Various industries are governed by a diverse set of regulations and standards pertaining to data retention policies:

• PCI DSS Data Retention Guidelines: The Payment Card Industry Data Security Standard (PCI DSS) remains neutral on specific durations for cardholder data storage. However, PCI DSS Requirement 3.1 emphasizes the need for a data retention and disposal policy to limit storage only to the extent needed for legal, regulatory, or business justifications. It is important to understand that post-authorization storage of sensitive authentication data, as highlighted in PCI DSS Requirement 3.2, is strictly prohibited.
• HIPAA Data Retention Guidelines: While the Health Insurance Portability and Accountability Act (HIPAA) does not delineate specific data retention periods, it mandates adherence to certain protocols. While email archiving is not mandated by the HIPAA Security Rule, subsection 45 CFR §164.316(b)(2)(i) stipulates a minimum retention of six years for communications, including emails, containing protected health information (PHI). The duration for medical record storage differs across states, thus making it imperative for Covered Entities to also align with their respective state regulations.
• SOX Data Retention Guidelines: The Sarbanes-Oxley (SOX) Act stipulates differentiated durations based on data types. For example, while receivable/payable ledgers and tax returns must be retained for seven years, customer invoices require a five-year storage, with payroll records and bank statements necessitating indefinite retention.
• GLBA Data Retention Guidelines: As per the Gramm Leach Bliley Act (GLBA), companies should enforce stringent access controls for information storage and uphold a six-year email retention period.
• ISO 27001 Data Retention Guidelines: Organizations adhering to the International Organization for Standardization ISO 27001 framework are obligated to maintain data logs for a minimum of three years to ensure data security and mitigate potential regulatory penalties.
• NIST Data Retention Guidelines: The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, SI-12, prescribes that entities "manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." This signifies that data retention should span the entire data lifecycle, potentially extending post system disposal.
• GDPR Data Retention Guidelines: The General Data Protection Regulation (GDPR) does not specify exact time frames for holding onto data. According to Article 5(e) from GDPR, you should only retain personal information for the duration needed to serve its intended use.
• FISMA Data Retention Guidelines: The Federal Information Security Management Act (FISMA) necessitates a minimum data retention period of three years for contractors and federal agencies.

Data Retention Best Practices

When crafting a data retention policy, it is essential to recognize that each organization has distinct requirements. However, several universally recognized best practices should guide this process. These include:

• Assemble an Expert Team: Establishing a comprehensive retention policy demands collaboration from various internal departments, including legal, finance, and accounting. If in-house expertise is limited, consider engaging consultants or contractors. Ensure the team includes professionals well-versed in data retention standards and practices.
• Determine Essential Data: Begin by cataloging all organizational data, understanding what is crucial to retain. This entails considering both industry-specific regulations and your operational needs. Sometimes, business imperatives might necessitate longer retention than legal mandates.
• Distinguish Data Types: Not all data carries the same value. Refrain from adopting a one-size-fits-all retention policy. Instead, define specific categories of data and assign tailored retention durations to each.
• Prioritize Data Protection: Embed robust protective measures within the policy to thwart breaches and unauthorized access. This can include encryption, physical safeguards, and data loss prevention tools. Prevention is always more cost-effective than post-breach remediation.
• Incorporate Mobile Device Protocols: In our "bring your own device" era, it is imperative to account for data on personal devices. Solutions like remote data wiping can be instrumental when these devices are misplaced.
• Monitor User Activity: Utilize tools to observe user interactions with data, facilitating detection of suspicious behaviors and ensuring policy adherence. For instance, if an individual attempts to access soon-to-be purged data, these systems can intervene and alert administrators.
• Plan for Legal Holds: If litigation arises, organizations should have mechanisms to pause automatic data deletions, preserving subpoenaed information.
• Oversee Third-party Vendors: Extend your policy's reach to vendors accessing your data. Contractual agreements should clearly define their data protection responsibilities, coupled with regular compliance monitoring.
• Draft Two Policy Versions: For organizations under regulatory scrutiny, it is beneficial to have a detailed, legally-compliant version of the policy and a simplified internal version to ensure broader understanding across stakeholders.
• Educate the Workforce: It is crucial that every staff member understands the policy, especially those frequently interacting with data. They should be familiar with retention durations, access protocols, and purging procedures.
• Annual Policy Review: Regularly revisit and update the policy to stay abreast of evolving regulations and technological advancements, ensuring its continual relevance and efficacy.

Remember, a robust data retention policy not only ensures compliance but also fortifies the organization against potential threats and liabilities.

Data Retention Policy Examples

Most prominent websites, applications, and online services that you engage with regularly likely maintain and publicly disclose their data retention policies. Here are several examples from familiar companies you may have interacted with:

• Google
• Facebook
• Apple
• Amazon
• Microsoft
• Netflix

How Do I Create a Data Retention Policy?

Crafting a policy and schedule for data deletion or archiving is no easy task. Thorough research is essential to determine the appropriate regulations, policies, and unique considerations relevant to each data category, and to account for any outliers. Collaboration from every designated individual and team is crucial, and a diversity of opinions is to be expected. As a foundational guide, the best practices highlighted earlier in this article can be invaluable.

By enlisting the expertise of independent IT security and compliance professionals, such as our team at Compass IT Compliance, you can streamline the process and ensure full adherence to all relevant regulations and frameworks. Moreover, we provide tailor-made data retention policies, customizable to align with your specific business landscape and branding. Reach out to us today to discuss your unique policy needs!