Data Retention Policy

By: Nihad Hassan

July 22, 2021

The world is steadily becoming fully digital. People increasingly use technology in all aspects of their lives, from work to study, socializing, entertainment, online communications, shopping, and online banking, to name a few.

Today, most data are created digitally and are never printed on paper. As digital technologies advance, we can expect massive amounts of data to be generated daily. According to weforum, by 2025, it’s projected that 463 exabytes (1 exabyte = 1 billion gigabytes) of data will be created each day globally – which is equivalent to 212,765,957 DVDs per day! If you think this number is big, look at Statista to see what happens in an internet minute (see Figure 1).

Figure 1: A Minute on the Internet in 2020

The ongoing spread of the COVID-19 virus has accelerated digital transformation, from several years to a few months! The length of the lockdowns forced most organizations to shift their operations from on-site and in-person to remote work so that daily operations could continue. The new work scenario has increased dependence on digital technology to run most work operations, resulting in more data.

Regardless of size and industry, organizations must keep information about their customers, suppliers, business partners, and third-party contractors. Stored information varies between sensitive and ordinary business data. Organizations must implement procedures to keep their sensitive data within their organization, and this is what a data retention policy is concerned with.

Data retention is defined as the continual storage of an organization’s data for various purposes such as compliance or other business requirements. For instance, an organization must retain data for different reasons, such as complying with different data protection laws (e.g., GDPR) or restoring data destroyed during a natural disaster or a cyberattack.

The data retention period depends on the type of data and the applicable state or federal regulations. It spans from three years to permanent retention.

Regardless of the reason(s) for storing data, an organization must follow proper procedures to maintain data retention and confidentiality. This ensures that unauthorized parties cannot view or modify the data. To ensure that all data is stored securely, an organization’s security team must work closely with the legal department and the business owner to formulate a data retention policy that addresses all the legal aspects concerning the stored data.

What is a Data Retention Policy?

A Data Retention Policy is a set of procedures implemented by an organization to retain its data for business needs and comply with various data regulations, such as HIPAA, GDPR, PCI, or industry guidelines.

The general purpose for creating a data retention policy is to make sure the following principles are followed:

  1. Stored data are adequately maintained and protected from unauthorized parties.
  2. Data records containing personal data that is no longer needed must be discarded without any delay using secure deletion methods.
  3. The purpose for gathering customers’ information, or other sensitive information, must be clearly outlined. This indicates that an organization has justification for collecting personal data and for the length of time it will store the data.

By establishing a data retention policy, an organization can save storage costs by deleting unnecessary data while moving the unimportant data into the archive and retrieving it later when necessary.

How to Create a Data Retention Policy?

It’s not easy to create a data retention policy; an organization needs to research the different data protection and compliance regulations that it is subject to. The data must be categorized first, so an organization can identify the factors and policies that regulate its storage and for how long it must be kept. The following are suggested steps to create a data retention policy:

  1. Build a team that is composed of members or parties who will be affected by your data retention policy. Request a representative from the legal and administrative departments.

  2. Segment the data into categories—for example, sales, tax, and administration data.

  3. Determine the regulations or policies that must be implemented for each data item. For example, if your organization is processing or storing EU citizens’ data, it must comply with GDPR. If your company works in financial services, then it must comply with the PCI regulation.

  4. Record the time limit for storing each data item. For example, patients’ records must be retained forever.

  5. Communicate the retention policy to all employees within your organization and ensure all affected parties know of its implications.

  6. Keep the policy up to date. Sometimes a change in regulations or internal policies may require you to update the data retention policy. Revise it regularly to make sure it is current.

  7. Other questions you should consider while writing your data retention policy:
     a. Who is going to enforce this policy?
     b. How are you going to determine which regulation or policy applies to each data item?
     c. Who is responsible for managing each data item?
     d. When there is more than one data protection regulation that governs a specific data type, how will you determine which one to follow?


Data continues to increase at unprecedented rates, not only on primary servers and hard drives but also on backup drives and storage facilities. A data retention policy must be developed and updated regularly to ensure that retained data complies with the various data protection regulations. Without a data retention policy, organizations can lose their data due to cyberattacks or natural disasters, which will affect their daily operations.
