What is a Data Retention Policy & Why You Need One

What is Data Retention?

Data retention refers to the practice of storing customer data, such as names, phone numbers, email addresses, mailing addresses, and payment information. This information is required to validate users when they sign up or make a purchase on websites — for example, the Adidas online store will prompt customers to create an account when checking out and store that data for a better experience later.

Similarly, social media networks such as Twitter and Facebook require that you input your name, email address, and other personal information at the time of registration. Data retention is the action of capturing and storing this data.

What is a Data Retention Policy?

A data retention policy is each organization’s specific approach to capturing, processing, retaining, and deleting customer data. For example, a social media network may have inactive users that signed up over five years ago but have been inactive since. Its data retention policy may specify that data is deleted after a certain period to limit server costs and invalidate out-of-date information.

Such policies usually include a data retention schedule, or detailed guidelines for data retention. A standard data retention policy establishes clear guidelines on how a company archives, retrieves, and disposes of data. 

What Does a Data Retention Policy Include?

It’s important to state here that no two data retention policies are the same. The specifics of your retention policy depends on your business and the regulations that it must abide by. 

Having said that, here are some overlapping sections that you can add to your data retention policy:

1. The information you collect

In your policy, define the information you need to collect, and tell your clients or users what information they can expect to be captured by your business. This will depend on the type of business you have and the work that you do. For example, a media company may collect different customer details as compared to an ecommerce or SaaS firm. 

Generally speaking, the information collected usually includes the following:

• Name, surname, and contact details for registration
• Billing information, when payments are applicable
• User-generated content — if this is something that your business uses
• Information requested during a contest or special offer
• Feedback or reviews 
• Personal contact information, such as email addresses
• IP addresses
• Updates from third-party sources, such as an address change given by a courier

2. How do you process and use the stored information

Inform customers and clients what your business will use their data for. This may include:

• Shipping physical goods and items
• Providing, troubleshooting, and improving services
• Offering recommendations and personalization according to clients' preferences
• Complying with data laws
• Marketing and targeted advertisements
• Communicating with clients
• Fraud prevention and avoiding credit risks

You might also want to include some sections on how to handle data after it’s been captured. Our blog about best practices for handling data provides more information on this. 

3. Information shared with third parties

If any data you collect is going to be shared, state this in your policy and explain why. For example, your data might be shared with:

• People within your company
• Other service providers, such as delivery services
• Sponsors of a prize
• Other companies, for marketing purposes
• The government, to comply with an official request
• A court of law, as part of a legal process or to defend your business's rights and property 

4. User rights and privileges 

Data retention policies are both for internal and external use. A well-structured policy highlights user rights too — how they can request to have their data wiped from company servers and how long an organization retains that information for. Users have the right to unsubscribe from marketing services, such as emails, text messages, and push notifications, as well as modify and access their information on demand. 

Your data retention policy must outline this clearly. 

5. Handling of sensitive information

Sensitive information provides a peek into things like demographics, race, political affiliation, income levels, and age. This doesn’t apply to all businesses, but organizations like law firms, polling and opinion companies, and survey management companies may include it. 

Some examples are data around: 

• Religion
• Political opinions 
• Social security number
• Health details
• Genetics
• Union memberships

If your business captures this information, it’s definitely best practice to outline it clearly in your data retention policy. 

6. The length of data retention 

The length of data retention, known as a data retention period, is also an important aspect of your policy. This discusses how long all information is retained and whether the data is disposed of or archived after the retention period. 

7. Practices to safeguard data

Because data breaches are a real threat within all online businesses, it's important to define a plan for protecting your stored data. This should include a data security plan as well as what you'll do in case of a breach. 

8. Details on whether the information is transferred internationally 

If your business has clients in the EU or elsewhere internationally, it is necessary to be aware of this and any international laws that apply to you. GDPR is a prime example of an international law that can affect your data retention practices — even if you're based in the US.

How Do I Build My Own Data Retention Policy?

The section highlighted above provides a step-by-step guide to building your own data retention policy. If you would rather someone else do the heavy lifting, check out Enzuzo’s privacy policy generator. It’s 100% free and very easy to get started with.

A privacy policy generator helps you articulate how you collect, store, process, share, and delete customer data. Plus Enzuzo’s privacy policy generator is customizable to your business and allows you to add sections tailormade for your business. What’s more, it’s vetted by lawyers and designed to be compliant with major data privacy laws such as GDPR, PIPEDA, CCPA, and more.

Benefits of a Data Retention Policy

If you're thinking that it's a lot of work to develop a data retention policy, you haven't considered all the benefits it has to offer. Here are some of them: 

Reassuring Customers About Privacy

Customers like to know that their data is protected and won't be mismanaged. A robust data privacy policy helps them analyze how you store and process their data.

Returning clients are at the heart of your operations. Therefore, their privacy and peace of mind should be catered to.

Compliance

As discussed above, having a data retention policy is mandatory for businesses, under several laws in the U.S. and Europe. Hence, a data retention policy will save you from large fines. 

Efficiency

Storing too much data will likely slow the efficiency of your servers. A data retention policy helps you hold onto only the data you absolutely need to have, allowing your business to operate more smoothly. 

Customer service 

A data retention policy can differentiate your business from your competitors. A well-written policy delights your customers, leading to a superior user experience.  

Data breaches

Failing to purge multiple years of customer and client information can prove catastrophic in a large-scale data breach. From universities to large social media networks, no business is exempt from the possibility of a data breach. Limiting the amount of data you hold onto will minimize the impact of data breaches on your business.  

Responsive data

If a business has a large volume of stored data, finding the necessary information might be a timely process. By only keeping the necessary data, your business will have less information to sift through so you can take better advantage of the data you need. 

Data Retention Laws in the U.S.

In the United States, data retention laws are present at both the federal and state level.

These include:

• The Federal Trade Commission Act
• The Bank Secrecy Act
• The Fair Labor Standards Act
• The Federal Information Security Management Act

Other acts dictate the data preservation length for service providers. For example, one law governing electronic communication and remote computing services states that all records must be retained for 90 days and made available upon the request of a government entity.

Let's take a look at specific data retention laws in the U.S.

HIPAA

Meaning: The Health Insurance Portability and Accountability Act

Relevant to: Businesses within the healthcare industry. This may also apply to businesses that work with healthcare providers.  

Policy: Personal health data must be retained for a minimum of six years.

Sarbanes-Oxley Act 

Relevant to: Boards of directors and management of US public companies and public accounting firms

Policy: Audit data and review work should be retained for five years. These five years start when the audit or review has been concluded. 

Payment Card Industry Data Security Standard 

Relevant to: Businesses that accept transactions with credit cards. 

Policy: According to the regulation, data must simply be kept until it is no longer needed. However, there are specific instructions for businesses. The PCI DSS website has more details. 

Data Retention Policy Example

There are many examples of data retention policies to be found on the internet, but the one we particularly liked is from Gitlab.

The company calls it a Record Retention Policy and includes several relevant sections, such as:

• Record management
• Retention period
• Special situations

How to Back up Your Data

The process of backing up your data should be a part of your overall retention strategy to ensure that no important data goes missing. This backup should include not only the physical data but also information on the retention process and any relevant legal documents. 

Here are some safe ways to backup your data: 

Cloud storage

Cloud storage can be a good solution, but keep in mind that it can still be hacked. If you opt for cloud storage, make sure to have another backup in place.

Local data backups

Local data backups involve backing up information to a separate drive. It is recommended to back up your work daily and to only keep them on site if the location is fireproof. Some businesses even opt to store their data backups in security boxes. 

External hard drives

Small businesses may not have the financial capability to invest in expensive backup systems. In this case, external hard drives are a good option. They are easy to use and inexpensive. Keep these off site for extra safety. 

Local area networks

Using local area networks, also known as LAN, data can be backed up to another computer or server within the business. These servers can be secured in a locked cage or cabinet to prevent fire damage.