
Many businesses handle all manner of data and don't have a clear method for deciding when to keep it and when to delete it. This can cause practical problems and risk violating a range of laws. A clear data retention policy avoids such problems and reduces confusion. Here's what you need to know and do.
- 1. What Is A Data Retention Policy?
- 2. What Data Does A Retention Policy Cover?
- 3. What Rules Affect Data Retention?
- 3.1. Personal Data Rules
- 3.2. Other Rules
- 3.3. Reconciling Different Rules
- 4. Other Benefits of a Data Retention Policy
- 5. What Should I Include In My Data Retention Policy?
- 5.1. Reviews
- 5.2. Anonymization/Pseudonymization
- 5.3. Definitions
- 5.4. Secondary & Tertiary Data
- 5.5. Backups
- 5.6. Access Requests
- 5.7. Deletion Methods
- 5.8. Deletion Control and Authority
- 5.9. Applicable Laws
- 6. Tips For Writing Your Data Retention Policy
- 7. Where Else Do I Need To Show My Data Retention Policy?
- 8. Summary
What Is A Data Retention Policy?
At its simplest, a data retention policy is a set of rules about how long you keep data before destroying it. Most policies go into more detail and address factors such as the way you handle different types of data, how you decide how long to keep data, how you destroy it, and when you get rid of it.
A data retention policy can be an internal guide that tells your employees what to do. It can also be an external guide to inform people about your data retention, particularly personal data subjects (the people the data is about).
What Data Does A Retention Policy Cover?
When it comes to data retention, you have three main categories of data to think about:
- Data where rules limit how long you can keep it. This most commonly involves personal data: information about an identifiable individual such as a customer.
- Data where rules require you to keep it for at least a certain period. This most commonly involves financial information that you may need for tax records, audits and other official access.
- Data where it's entirely up to you how long to keep it. This could include anything from internal memos to product plans. This is more about whether keeping the information is beneficial rather than legally necessary.
In this guide we'll mainly concentrate on the first category. That's because rules that limit how long you can keep data (particularly personal data) often have other requirements that affect whether you need a publicly accessible data retention policy and what you put in it.
What Rules Affect Data Retention?
Personal Data Rules
The main focus of this guide is rules on personal data retention. These are more commonly about maximum limits on how long you keep data. Most of these rules are variations on a common theme. For example:
- Europe's GDPR says you can only keep data in a way that identifies an individual for as long as necessary for the specific purpose for which you (lawfully) processed it. You can't keep it longer to use for another reason or “just in case”.
- Canada's PIPEDA says you should destroy, erase or anonymize data once you no longer need it for the “identified purpose”, meaning the original reason which made it legal to collect or use the data.
- Australia's Privacy Act says you must destroy or de-identify personal information once you no longer need it for any permissible purpose.
- Brazil's LGPD says you must keep personal data for the shortest period possible to accomplish the purpose for which you collected it.
Other Rules
Depending on your location and business sector, you may have other rules that affect data retention, often with a minimum retention period. For example, in the US rules include:
- Sarbanes-Oxley Act for publicly traded companies.
- Payment Card Industry Data Security Standard rules for companies accepting credit card payments.
- HIPAA rules for health data.
You may also come under freedom of information laws that mean you must keep some data for a minimum period.
Reconciling Different Rules
In some cases, one rule (such as a privacy law) may suggest you need to delete data while another law suggests you may need to keep it. In such cases, you may need to read the fine print of the laws. For example, privacy laws will often have an exemption for cases where you are legally required by another law to keep data. In other cases, retaining but anonymizing the data will satisfy both laws.
Other Benefits of a Data Retention Policy
As well as complying with various laws, having a clear data retention policy can:
- Help you cut costs by reducing data storage.
- Reduce confusion among staff about what to do.
- Make it easier to track what data you still have (and what data you have destroyed). In turn this makes it easier to deal with data access or Freedom of Information requests.
What Should I Include In My Data Retention Policy?
The most important thing to include in your data retention policy is a clear timeline of when you should delete data. Simply having an automatic deletion period for all data may not be enough to work in all cases and with all laws. Instead, it's usually better to categorize different types of data and have an appropriate timescale for each one.
Google gives some specific examples in its own retention policy (shown in the original as a screenshot, not reproduced here).
Here are some other key points to consider and include in your policy.
Reviews
In some cases, you won't automatically delete data after a set period. Instead, you will review the data to see if it is still needed (and whether deleting it would cause any problems). Detail this review process and timescale in your data retention policy.
Anonymization/Pseudonymization
With some data, you may decide not to delete it after a set period but instead make it anonymous. This can mean literally stripping it of all personally identifying details (anonymization) or reorganizing it so that it can only be linked to an individual by cross-referencing with other data (pseudonymization).
For example, a university that runs a study might need to keep personal data accessible for a short period to allow follow-ups with participants to clarify any queries. At some point keeping this personal data will no longer be appropriate, but keeping the (anonymized) study data itself is still valuable and necessary.
Detail this anonymization timescale in your data retention policy.
LTVPlus explains when and why it uses these techniques (shown in the original as a screenshot, not reproduced here).
Definitions
Clearly explain how you calculate any time periods. For example, don't just say "one year" without explaining whether this means a financial year, a calendar year or literally one year from a given date. If it's the latter, explain when the clock starts ticking, for example if it's from the point when the data is created.
Secondary & Tertiary Data
Some businesses do not use a simple binary process of either keeping data or destroying it. Instead, they will distinguish between data they keep readily available, and data which they archive. This means they retain the data but it's not instantly available. This can be called secondary data, or even tertiary data depending on whether the business has multiple levels of archiving and access.
It can be useful to address archived secondary and tertiary data in your data retention policy, particularly if the archived data is better secured or has more restricted access. However, remember that this data still counts towards any retention time limits and data subjects must know you have kept it.
Civil Wills details how its archiving affects data retention (shown in the original as a screenshot, not reproduced here).
Backups
You should have a clear policy on how long you keep any backups of data. This is mainly about protecting yourself against data loss, so it's more important in an internal data retention policy than a publicly accessible one.
Europlacer goes into more detail about maintaining data (shown in the original as a screenshot, not reproduced here).
Access Requests
Occasionally people may exercise a right to see data, for example via a data access request under a personal data privacy law, or via a freedom of information law. This may involve data that you still have (meaning you will need to provide it) but which is scheduled for deletion in the near future.
In such cases it's good practice to hold on to this data a little longer in case the person who made the request has any follow-up questions or complaints. Data protection regulators around the world give different timescales, but keeping the data an extra three to six months will usually be adequate.
If you adopt such an approach, clearly state it in your data retention policy to make sure you and your staff are consistent.
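One way to turn the points above (reconciling a legal minimum with a privacy-law maximum, defining when the clock starts, anonymizing instead of deleting, and holding data a little longer after an access request) into a checkable retention schedule. This is an added Python example, not code from the article or from any organization it cites; the categories, periods and the 90-day hold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule (hypothetical categories and periods, not taken
# from the article). Each category states which event starts the clock, the
# maximum the privacy law allows, any minimum another law imposes, and the
# action to take when the period ends.
SCHEDULE = {
    "support_ticket": dict(clock="closed", max_days=365, min_days=0, action="delete"),
    # invoices: privacy law says "no longer than needed", tax law says keep 7 years
    "invoice": dict(clock="created", max_days=365, min_days=7 * 365, action="delete"),
    "study_record": dict(clock="created", max_days=180, min_days=0, action="anonymize"),
}
# Grace period after a data access request (lower end of the 3-6 month range).
ACCESS_REQUEST_HOLD = timedelta(days=90)


@dataclass
class Record:
    category: str
    created: date
    closed: Optional[date] = None            # clock start for "closed"-based categories
    access_requested: Optional[date] = None  # date of a subject access / FOI request
    legal_hold: bool = False                 # litigation or regulator hold: no automatic action


def due_date(rec: Record) -> Optional[date]:
    """Earliest date on which rec may be actioned, or None if the clock has not started.

    A minimum imposed by another law overrides the privacy-law maximum (the usual
    'required by law' exemption), and an access request pushes the date out to
    ACCESS_REQUEST_HOLD after the request if that is later.
    """
    rule = SCHEDULE[rec.category]
    start = rec.closed if rule["clock"] == "closed" else rec.created
    if start is None:
        return None
    due = start + timedelta(days=max(rule["max_days"], rule["min_days"]))
    if rec.access_requested is not None:
        due = max(due, rec.access_requested + ACCESS_REQUEST_HOLD)
    return due


def decide(rec: Record, today: date) -> str:
    """Return 'hold', 'retain', 'delete' or 'anonymize' for rec as of today."""
    if rec.legal_hold:
        return "hold"
    due = due_date(rec)
    if due is None or today < due:
        return "retain"
    return SCHEDULE[rec.category]["action"]
```

Running `decide` over every record on a scheduled job, and logging each decision, gives you both the automatic deletion and the audit trail of what was destroyed when.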
Native goes a step further and suspends data deletion indefinitely (shown in the original as a screenshot, not reproduced here).
Deletion Methods
Set out how you will physically delete data to guarantee compliance and security. This could include physically destroying paper documents or storage media. If you are deleting digital files, detail methods such as overwriting the files with random data and/or encrypting them so that the original data is truly inaccessible.
SOS Children's Villages gives specific details of its deletion methods (shown in the original as a screenshot, not reproduced here).
Deletion Control and Authority
Make clear which staff members have the authority (and the physical access) to delete data in line with your data retention policy. Have clear technical and organizational controls to stop other staff from being able to delete data.
Remember that deleting data is a form of data processing under many personal data laws. This means that you need to cover it in security access controls in the same way as you restrict who can access or alter personal data.
The HRCDC sets out specific people with authority in data retention and destruction (shown in the original as a screenshot, not reproduced here).
Applicable Laws
List which laws apply to your data retention practices. This brings several benefits:
- It shows the public (including people whose personal data you use) that you have tried to follow the rules and protect people's data rights.
- It shows your staff that the policy is based on legal obligations rather than just internal rules.
- It will quickly highlight if you have overlooked any legal obligations, giving you a chance to put things right.
Tips For Writing Your Data Retention Policy
Before planning and writing your policy, identify all relevant stakeholders in your business. This includes departments which handle personal data, your legal department, your compliance department, and the staff who have physical access to maintain or delete data. Make sure they all have input into the policy.
Review your policy at least once a year to make sure it still serves your needs and reflects any changes in applicable laws or technology.
Think about the organization of the document. A common approach is to split it between a "policy" section which sets out the key principles for how you retain or delete data, and a "schedule" which sets out specific timelines for keeping data and specific actions and processes when you come to delete it.
Iress uses a dedicated schedule (shown in the original as a screenshot, not reproduced here).
Where Else Do I Need To Show My Data Retention Policy?
Most privacy laws say you must detail your data retention practices in a Privacy Policy. For example, the GDPR specifically requires you to tell people how long you will keep their data, or how you will decide when to delete it.
In cases where you rely on consent to make data processing legal, knowing how long you will keep data is a key part of people being able to make genuinely informed choices about giving consent.
A good balance is to have your Privacy Policy briefly cover the key principles of how you retain data along with a link to your full data retention policy.
Many privacy laws also have rules about what happens if you hire a third party to process data on your behalf. Laws such as the GDPR say you must have a binding agreement with the third party that sets out rules for how they handle the data. This agreement should include relevant details from your data retention policy.
Note that the GDPR specifically says this "data processing agreement" must include a clause that instructs the third party (the "data processor") to either delete the data or return it to you once they've finished providing services to you.
Summary
A data retention policy shows your staff and the public how you keep and delete data. This can include both the timescales for keeping data and the rationale for deleting it. The policy may need to comply with laws setting out both maximum and minimum periods to keep data.
A good policy will explain when, how and why you delete data. It will also cover processes such as archiving and anonymizing data. It should help not only ensure consistency in your staff's actions, but prove to people that you handle their personal data responsibly.
Make sure you get input from all relevant people in your organization such as data protection compliance officers, your legal department and your tech department. Review your data retention policy regularly.