How to create a data retention policy

A data retention strategy is helpful for organisations of all sizes and in all fields. Determining what data needs to be stored, how it needs to be stored, and for how long is a challenging task, especially due to the growth of cloud-based apps and the prevalence of industry guidelines and laws. However, if you follow the right guide to making a data retention policy, you will have a good foundation to build on. 

This article helps you stay organised and gain better insight into the lifespan of your data by guiding you through data retention best practices.

What is a data retention policy?

A data retention policy can help organisations comply with the UK General Data Protection Regulation (UK GDPR) and better control the sensitive data they collect and store. Keeping sensitive information for too long can be a violation of the Regulation, even if the information is being stored safely and is not being abused.

Data retention rules focus on how long and where specific types of data should be kept. Data sets that have surpassed their retention term are either discarded or archived in secondary or tertiary storage as historical information. This ensures that primary storage is always in pristine condition and that the company is always in compliance.

In addition to ensuring legal and regulatory compliance, an efficient data retention strategy may help you streamline operations and get greater value from your data. Today, an organisation's most significant resource is its data. Despite organisations’ best efforts, personal data may get dispersed or disorganised as it flows through the organisation's many information systems. An established data retention policy is the key to restoring order to this chaotic data landscape.

What is the objective of a data retention policy?

Generally, organisations store unused personal data because it does not appear to incur any extra cost. The belief is that this data may come in handy in the future, so it cannot be discarded. However, doing this puts the data at risk.

Keeping unnecessary data can expose it to cyber threats like hackers, and the cost of dealing with a security breach can be very high. So, to limit the damage, organisations in the EU are advised to store data only for legitimate reasons. 

The objective of a data retention policy is to act as a guideline for how long you can store data and under what circumstances. This raises the question of what a data retention period is.

What is a data retention period?

There is a certain amount of time that information must be kept for legal or regulatory purposes. Typically, there is no universally accepted time frame; it depends on the company and the industry, although it is often anything from three to ten years. The information should be deleted, anonymised, or preserved once its purpose has been met. On some occasions, specific data may be selected for permanent retention.

Once the required retention term has ended for a certain kind or series of information, it is normally destroyed using an approved and effective destruction procedure, which renders the information useless.

Alternatively, depending on the specified retention duration per format, it may be changed from one form to another (such as paper to electronic). For permanent preservation, information of historical worth beyond its "usable value" may be "accessioned" into the possession of an archive organisation.

Does your organisation need a data retention policy?

It depends. A retention policy details the categories of records you preserve, their intended uses, and the lengths of time you plan to keep them. It provides a framework for determining and documenting standard retention periods for various types of personal data.

Standard retention periods for different types of information held should be established and documented whenever possible to fulfil documentation obligations. Your organisation should also have a mechanism in place to assess retention at regular intervals and to make sure that these retention durations are really being followed. Your policy should also be flexible enough to permit early deletion if necessary.

A formalised retention strategy might not be necessary for a small business that only processes low-risk data on occasion. Even if your organisation does not have a formal retention policy in place, you are still responsible for routinely reviewing the data you store and erasing or anonymising any information that is no longer required.

What laws do data retention policies comply with?

Data retention policies are established by many organisations for the sole purpose of complying with local, state, and federal laws and other industry restrictions. What information must be kept and for how long is often laid out in detail in various laws and regulations. Your organisation might face monetary, civil, and/or criminal fines if it does not adhere to these requirements.

Here are a few laws that have particular data retention policy requirements to give you a clearer idea of the importance of data retention in compliance:

  • The UK GDPR - Article 5(e) states that personal data should be retained in a form which allows the identification of data subjects only for the required period of time. GDPR allows for extended storage of personal data as long as the personal data is used purely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1).
  • The Health Insurance Portability and Accountability Act (HIPAA) - HIPAA mandates that records be kept for a minimum of six years from their creation or the date they ceased to be effective, whichever is later. Additionally, it states that “documentation must be made available to those responsible for implementing the procedures to which the documentation pertains and must be reviewed periodically and [updated] as needed, in response to environmental or operational changes affecting the security of the electronically protected health information”.
  • The Payment Card Industry Data Security Standard (PCI DSS) - Any organisation that handles credit card information in any way (including storage, processing, or transmission) is required by PCI DSS to either delete the information or put several safeguards in place to prevent unauthorised access.

Now that you have an idea of what to expect from a data retention policy, let’s take a look at how to create your own policy.

How do you create a data retention policy?

A strong data retention policy is an evolving document, so it is critical to lay a solid groundwork for its continued effectiveness. Your data retention strategy should be adaptable to a shifting and continuously expanding data inventory, allowing you to both comply with legal obligations and get insight into the retention and discovery capabilities of your apps. 

The following steps can help your organisation's data retention policy adapt to new circumstances and continue to support expansion and development for years to come.

Step 1: Identify the types of data and where they come from

Compile a complete inventory of all cloud and on-premise software and data systems that store company information. Following this, you may sort the information into categories that are most useful to your organisation. Getting your industry-related data in order is the first step.

This method of structuring your data retention policy will not only make it easier to identify and separate out the most sensitive data, but it will also draw attention to the mandatory data retention periods that are required by law. When you have your most private information separated, sorting through the rest is far less of a security concern.

Step 2: Understand which laws apply to you

Data retention policies are best created after careful consultation with legal and compliance departments. To put it simply, knowing what rules and regulations apply to your business is more important than meeting the demands of your customers. When more than one law applies to your organisation, it might lead to data retention rules that conflict with one another. In this scenario, you should write down a plan of action for when this conflict inevitably arises and describe the specific circumstances that would bring it about.

Step 3: Make sure your data retention policy is in sync with your compliance policy

A data retention policy and a compliance policy should go hand in hand, just as legal requirements do. However, compliance standards go beyond external procedures like audits and CCPA compliance to include internal safeguards against potentially harmful actions. Information security, personal privacy, and general governance may all benefit from a data retention policy that is designed with this in mind.

Step 4: Study your data sources

Before determining how long to keep data, you need to first understand the function of your apps and their natural strengths and weaknesses. It is difficult to have expert knowledge in every application, but you should still learn as much as possible from those who do: Gather information by conducting in-depth interviews with employees, contacting vendors to obtain answers to comprehensive questions on retention and discovery capabilities, and then documenting the results. After that, identifying threats and taking precautions is simple.

Step 5: Make an outline for data retention periods

Finding out what kind of data you have, where it is stored and what regulations and rules apply to it is the first step in determining how long you should keep it. Begin with your legal requirements, such as how long you are required to store this information. Keep records for the required time period. Work with stakeholders in other departments to gain a complete picture of your data's worth if you aren't required to keep it by law. Investigate if the information can be erased or archived if you can't think of any good reason to keep it.

Once a retention time has been determined, the process by which files will be erased or archived must be recorded. How quickly or slowly do your programmes remove data? Where and for how long should the data be archived? When tailoring your data retention policy, the answers to these questions are key factors.

Step 6: Regularly monitor your policy

For maximum effectiveness, a data retention policy must be regularly updated. Keep an eye out for retention changes to existing apps and include the particulars of new ones as soon as possible. You should ideally do a checkup once a month or once a year to make sure your coverage is still sufficient. Data retention rules should be a constant, so planning ahead may help make sure they hold up over time.

Every organisation should have a data retention policy or a method of storing and discarding data. The following are a few examples of data retention policies from well known companies:

What are the benefits of having a data retention policy?

There are multiple benefits to having a data retention policy. A few of them are:

  • Reduced risk of security breach fines - Even if an organisation keeps all the data it has to by law, it must nevertheless be able to produce it for auditors upon request. If an organisation keeps what is necessary, it can find what it needs in a fraction of the time, lowering the risk that it will be penalised for being unable to deliver data.
  • Reduced storage cost - Cloud storage can be expensive, especially for organisations with large quantities of data. Streamlining your data and keeping only what you require can significantly reduce these costs.
  • Automatic compliance - A well-defined policy can help businesses retain different types of information while also complying with the law.
  • Improved disaster recovery - Outages and disasters can occur at any moment in a world where security threats are constantly present. Protect business-critical data and ensure a speedy recovery by building backup and recovery procedures into your data retention policy.

Establishing a data retention policy correctly is crucial. Knowing a few best practices can help you with that.

What are some data retention policy best practices?

While there is no universally applicable data retention policy (requirements vary based on factors such as your company's size, the sector in which it operates, the types of data it processes, etc.), there are several best practices that should be followed when developing this strategy:

  • Determine your business needs - Even though compliance with the law is important, any data retention rules you put in place should be crafted to expedite and improve upon mission-critical organisational operations.
  • Create the policy as a team - You need input from several stakeholders, such as your in-house legal counsel, finance department, accounting team, and other departmental managers and supervisors, to develop a data retention policy that is really comprehensive and reflects the interests of your whole business.
  • Simplicity is key - When writing a retention policy, be sure to keep the wording easy to understand. This will raise the chance of compliance and make it more approachable to staff members. And keep in mind that any adjustments may be made gradually over time, so do not be afraid to start out slowly.
  • Invest in an archiving solution - There are archiving tools for digital communications including email, social media, and text/SMS messages that allow you to set your own data retention policies and automate the data preservation process. Search for a service that can be customised to your specific needs, provides powerful search capabilities, and has built-in safety measures.
  • Be transparent - Give your customers, subscribers, and users an idea of the data you want to keep and how you plan to utilise it. If at all possible, allow people to decide how their information is utilised.


A data retention policy is the solution for your data storage and compliance needs. Whether you are a small, medium or large organisation, you can benefit from having clear data processing and retention methods, not least because national laws require them. Gain the trust of your stakeholders and operate on a safe legal footing by getting started on your data retention policy now.
