July 24, 2024
Practical guidance
How to Create a Data Retention Policy
Privacy compliance all but demands a data retention policy, but many businesses still don't have one. Learn why and how to create a data retention policy.

Businesses are generating data at an ever-increasing rate. From website analytics data to workplace messaging apps, it all adds up quickly. The commonly held attitude that “data is good, therefore we should collect and keep as much of it as possible,” combined with the relatively cheap cost of data storage, has resulted in many businesses amassing digital mountains of data with no plan for how to clean up unnecessary records.

This common situation is at odds with a number of data privacy laws, but that’s not the only concern. Practicing good “data hygiene” has other benefits beyond simple compliance, including improving data security and potentially reducing the costs of lawsuits.

Learn the basics of how to create a data retention policy for your company.

Why Create a Data Retention Policy?

Privacy compliance is probably the most pressing reason to create a data retention policy. For example, the California Consumer Privacy Act (CCPA) requires that businesses disclose the length of time they intend to retain each category of personal information they collect.

Beyond that, most privacy laws have a data minimization requirement, meaning businesses should only retain personal data for as long as is reasonably necessary to accomplish the purposes for which it was originally collected. If a business has no data retention policy, it probably has not made an effort to meet the data minimization rules.

Another good business reason for creating and sticking to a data retention policy is that it contributes to overall information security. Forcing your organization to delete old data it no longer needs means less data is exposed if your systems are ever breached. In the course of your review, you may find that you are retaining high-risk data (financial info, ID numbers, etc.) for little or no reason; getting rid of that data means it is no longer in danger of being stolen.

Lastly, deleting data on a regular basis can potentially save money down the road in litigation. In this day and age, it is always possible for a business to be sued, and discovery—the formal process of gathering evidence from opposing parties—is one of the most expensive parts of a lawsuit. The more data that is subject to discovery, the higher your legal costs.

How to Do It

Depending on your organization’s needs, a data retention policy can be as simple or as complicated as you want. It can also take many forms, but at its heart you can picture it as a spreadsheet with four columns of information:

  • A description of each type of data
  • The retention period
  • The person or department that is responsible for the data
  • Notes on how to delete the data, where it’s located, etc.

However, that simplicity can mask what is likely to be a fairly involved process. After all, you’ll be reviewing all of the data that your business collects, figuring out where it’s stored, determining how long it should be kept, and internally documenting the procedure for deleting it. Depending on the size of your company, there may be a lot to cover, and it will probably involve discussions with every department.

Here are some tips for creating your data retention policy.

  1. Divide Up the Data
    1. When dividing up the data into groups, each category should be granular enough to cover the specific needs of that data, but broad enough to keep the list from becoming repetitive.
    2. For example, having one category for “Customer Information” is too broad because it describes a wide variety of data that might be located in multiple departments (marketing, accounting, etc.), each of which may have different retention needs and erasure procedures. On the other hand, having separate listings for “Customer Email,” “Customer Postal Address,” and “Customer Telephone” is probably overkill, and will make the policy needlessly complicated.
  2. Be Realistic About How Long You Need Data
    1. Many people have a hoarding instinct when it comes to data, keeping it for way too long on the off chance it may be useful down the road. For example, if a customer placed one order 12 years ago, their contact information is probably of limited value.
    2. Privacy compliance issues come into play as well. While data privacy laws don’t define a maximum number of years you can keep data, they do require businesses to retain data only as long as necessary to achieve the purposes for which it was collected.
  3. Involve All Relevant Stakeholders
    1. A top-down approach, where a single person simply dictates the policy for the whole organization, is unlikely to be successful. One person probably doesn’t understand the retention needs of every type of data. Also, you need buy-in from the various departments, otherwise they may just ignore the policy.
    2. Instead, treat the process like a negotiation. For example, the marketing department may think they need to keep all their data forever, but if you discuss why the retention schedule is necessary and jointly determine how long the data is actually useful, they are more likely to stick to the plan.
  4. Consider Legal Obligations
    1. Take into consideration any legal requirements and industry best practices when determining the retention period. Accounting records, for example, typically must be kept for several years at a minimum. It may be necessary to consult with an attorney during the process.
  5. Stick to the Policy
    1. Without following up and putting it into action, a data retention policy is just a document. Check in regularly with stakeholders to ensure that they are actually deleting data as promised. Remember, once you’ve publicly committed to specific retention periods in your privacy policy, you are obligated to put them into practice.
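The four-column schedule described above becomes useful only when someone checks it against what is actually stored. The following script is an added example, not part of the original article or any TrueVault tool: it holds a constructed retention schedule (category, retention period, owner, deletion notes), a constructed inventory of records with the date each was last used for its collection purpose, and a review function that reports records past their retention period and records in categories the policy does not cover at all. All category names, owners and dates are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: the four columns from the article.
SCHEDULE = {
    "customer-order-contact": {"retention_days": 365 * 7, "owner": "Accounting",
                               "notes": "orders DB; purge via admin script"},
    "website-analytics": {"retention_days": 365 * 2, "owner": "Marketing",
                          "notes": "analytics console retention setting"},
    "chat-messages": {"retention_days": 365, "owner": "IT",
                      "notes": "workspace messaging app retention setting"},
}

@dataclass
class Record:
    record_id: str
    category: str
    last_used: date  # last date the data served its collection purpose

def review_inventory(records, schedule, today):
    """Return (overdue, uncategorised): overdue is a list of
    (record_id, owner, expiry_date, notes) for records past their retention
    period; uncategorised lists record_ids whose category the schedule
    does not cover, i.e. data with no stated reason for being kept."""
    overdue, uncategorised = [], []
    for r in records:
        entry = schedule.get(r.category)
        if entry is None:
            uncategorised.append(r.record_id)
            continue
        expiry = r.last_used + timedelta(days=entry["retention_days"])
        if today > expiry:
            overdue.append((r.record_id, entry["owner"], expiry, entry["notes"]))
    return overdue, uncategorised

# Constructed sample inventory (ids and dates are invented).
INVENTORY = [
    Record("order-1001", "customer-order-contact", date(2012, 3, 1)),  # 12 years old
    Record("order-2200", "customer-order-contact", date(2023, 11, 5)),
    Record("ga-2021-q1", "website-analytics", date(2021, 3, 31)),
    Record("slack-2024-01", "chat-messages", date(2024, 1, 31)),
    Record("scan-ids-2019", "scanned-id-documents", date(2019, 6, 1)),  # no policy
]
REVIEW_DATE = date(2024, 7, 24)

if __name__ == "__main__":
    overdue, gaps = review_inventory(INVENTORY, SCHEDULE, REVIEW_DATE)
    for rid, owner, expiry, notes in overdue:
        print(f"DELETE {rid}: owner={owner}, expired {expiry}; {notes}")
    for rid in gaps:
        print(f"NO POLICY for {rid}: assign a category or delete")
```

Running the review on a schedule (e.g. monthly) and sending each owner their overdue rows is one concrete way to do the regular check-in the last tip calls for.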

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
