Businesses of every kind collect, process and store data every day. With the GDPR in force and growing awareness of how sensitive that data can be, every organization needs a clear, specific policy on how long it keeps data and when and how it disposes of it.
The template below provides directions and guidance to organizations for creating a Data Retention Policy. The template highlights the critical sections and also provides examples of policy statements for each section.
Electronic Data Retention Policy
Most organizations carry out the bulk of their routine data collection and processing electronically, through e-mail, office documents and similar tools. Employees working on company-provided devices also submit and collect data through web browsers, in web forms and cookies.
Most of the general data retention rules in this policy apply to electronic data as well. However, electronic data warrants its own set of guidelines and procedures. Example policy guidelines:
- All employees using company-provided devices must clear browser history and cookies at regular intervals.
- All employees must limit company e-mail to business-related communication and delete non-business messages at regular intervals.
- The organization should store all essential electronic information in a standard format on dedicated shared databases and servers, rather than on individual devices.
- Employees should delete redundant or duplicate copies of data from storage at regular intervals.
- The IT department is responsible for the regular clean-up and maintenance of server storage.
- Essential electronic information should be protected against loss, for example by backups or by keeping a printed copy; any printed copy is itself a record and is subject to the same retention and disposal rules as the electronic original.
The policymakers can choose to customize the section policy guidelines based on company needs and procedures.
Data Disposal and Destruction
Once a record's retention period has expired, the organization must dispose of it, and it must do so in a systematic way. This section provides guidelines and procedures for data disposal and destruction.
Data Review: This section should describe details regarding data review and the people responsible for the review. Some example guidelines are mentioned below.
- The organization must review all data, electronic and physical, at regular intervals against its retention period to decide whether it is due for destruction.
- Each Business Department head is responsible for reviewing, and deciding on the destruction of, the data categories and records owned by that department.
Safe Destruction and Disposal: This section should describe in detail all procedures and guidelines that the team needs to follow when it comes to data destruction and disposal. Below are some examples that can be included as policy guidelines in this section.
- All personal data is treated as sensitive and confidential; at the end of its retention period it is either securely deleted or irreversibly anonymised.
- Electronic data must be destroyed so that it cannot be recovered by an attacker or by anyone who later obtains the storage media. Deleting a file or formatting a disk is not sufficient: the method should follow a recognised media sanitisation standard such as NIST SP 800-88 (overwriting or cryptographic erasure for media that will be reused, physical destruction for media being discarded), and a certificate of destruction should be obtained from any third party that destroys media on the company's behalf.
- The company ensures that data disposal and destruction comply with all applicable regulatory and data protection requirements.
- The company is responsible for raising awareness of, and assigning responsibility for, data protection and data disposal. Employees may dispose only of data they created themselves and of e-mails addressed to them. Disposal of Sensitive and Confidential data is the responsibility of the IT department.
Accidental Data Loss: The company is responsible for putting in place the controls and measures that prevent the permanent loss of crucial company information and records, for example backups that are regularly tested by restoring from them. This section should include procedures for responding to any unintentional or accidental loss of critical data.
Enforcement and Disciplinary Actions
This section should describe the roles and responsibilities of the committee that enforces data retention and data disposal, and the disciplinary actions that follow from policy breaches, whether negligent or intentional.
- All employees are required to follow the policy guidelines on data retention and data disposal; breaches are subject to disciplinary action.
Data Retention Policy Template
Purpose and Overview
The purpose of a company's data retention policy is twofold: to keep and organize the information the company needs for future reference, and to make sure that data, and personal data in particular, is not kept for longer than necessary, which is what the GDPR's storage-limitation principle requires.
This section should help inform all the stakeholders associated with the data regarding their obligations and responsibilities for data retention and data disposal.
Under the GDPR, an organization that acts as a data controller or a data processor must keep personal data no longer than necessary and must document the envisaged retention periods in its records of processing, so a written data retention policy is effectively compulsory. The policy should therefore apply company-wide to all employees, and it should also cover external stakeholders such as agencies and contractors that handle the company's data. The organization can choose to design and implement the policy per department, where departments handle different categories of data or process it differently, or on the basis of data categories such as physical documents, electronic data, and others.
The policy should define the key terms it uses, for example:
- Record: The organization defines a "Record" as any information, on any physical or electronic medium, that documents the organization's past or present activities.
- Personal Data: The organization defines "Personal Data" as any information that can directly or indirectly identify a natural person.
Document Data Retention Policy
This section describes the general data retention policies, the data categories, and policies for specific data categories.
General Data Retention Policy Guidelines:
This section should describe all policies that are generic in nature and apply to all data irrespective of their type or usage. Some examples which the organization can include are below.
- The organization must state the retention period of each data category explicitly to all stakeholders concerned.
- If the organization is subject to litigation or a regulatory investigation, a legal hold suspends the normal retention period: the affected records must not be destroyed until the hold is lifted, even if their retention period has expired.
- The organization reserves the right to archive data beyond its active use for official business purposes or where a court, regulator or statute requires it.
Data Categories: This section lists the categories of data the organization holds, so that a retention period can be assigned to each. Typical categories are:
- Accounting and Finance
- Corporate Records
- Legal Files and Papers
- Personnel Records
- Property Records
- Tax Records
- Medical Records
Additionally, every record should be entered in a reliable data inventory with parameters that support identification and retention decisions. Standard parameters are:
- Name of the record
- Record Owner Details
- Record Creation Date
- Retention Due Date
- Type of the record
- Location of the record
The policymakers can customize this section as per their needs and processes.
Data Retention Duration: This section is the most crucial part of the entire policy document. The retention period is the length of time the company keeps a record, from its creation until it is destroyed. It generally depends on the data category and its usage, and on any minimum period that law or regulation imposes. The policymakers should consult the relevant stakeholders and then set a retention period for each category.
For the purposes of this policy, the retention period of each record is divided into two parts:
- Active retention period: the time during which the record is in regular business use.
- Archived retention period: the time during which the record is kept, after active use has ended, for reference, legal or regulatory reasons before it is destroyed.
Some examples of policy guidelines are as below.
- Each Business Department of the organization is responsible for creating the data retention period for all kinds of data the department collects, uses, processes and stores.
- Each Business Department of the organization is responsible for specifying the Active and the Archived period of each of the data records under a specific data category explicitly.
- There can be any changes, edits or exceptions
A good practice to ensure comprehension and readability is to create a dedicated Summary Table which contains the Active and Archived Retention Period as columns for each row of specific Data Record. An example table is below:
| Data Category | Active Retention Period | Archived Retention Period |
|---|---|---|
| Medical Records | 3 years | 30 years |
| Accounting and Finance Records | 5 years | 30 years |
| Personnel Record | Duration of employment | 10 years |
The policymakers can modify the above table based on specific organization needs and procedures.
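As an added worked example, not part of the original template, the Python script below applies a schedule like the one in the table above to a record inventory that carries the parameters listed earlier (name, owner, category, creation date, location) and reports, for each record, whether it is still active, archived, due for destruction, or frozen by a legal hold. The schedule values, the sample records and the review date are constructed for illustration; the `employment_end` and `legal_hold` fields are assumptions that model the "duration of employment" period and the litigation exception described in this policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Retention schedule keyed by data category: (active years, archived years).
# An active period of None means "for the duration of employment", so the
# active period ends on the record's employment_end date instead.
# The numbers are the example periods from the summary table (assumed values).
SCHEDULE: Dict[str, Tuple[Optional[int], int]] = {
    "Medical Records": (3, 30),
    "Accounting and Finance Records": (5, 30),
    "Personnel Record": (None, 10),
}


@dataclass
class Record:
    """One row of the data inventory (the standard parameters from the policy)."""
    name: str                                # Name of the record
    owner: str                               # Record owner details
    category: str                            # Type of the record (a SCHEDULE key)
    created: date                            # Record creation date
    location: str                            # Location of the record
    employment_end: Optional[date] = None    # assumed field: only for personnel records
    legal_hold: bool = False                 # assumed field: set while litigation is pending


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start date rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review(rec: Record, today: date, schedule=SCHEDULE) -> Tuple[str, Optional[date]]:
    """Return (status, retention due date) for one record.

    status is 'unscheduled' (no period defined: never destroy silently),
    'hold' (legal hold overrides the schedule), 'active', 'archived' or
    'destroy'. The due date is the end of the archived period, if known.
    """
    if rec.category not in schedule:
        return ("unscheduled", None)
    active_years, archived_years = schedule[rec.category]
    if active_years is None:
        active_end = rec.employment_end          # None while still employed
    else:
        active_end = add_years(rec.created, active_years)
    due = add_years(active_end, archived_years) if active_end else None
    if rec.legal_hold:
        return ("hold", due)
    if active_end is None or today < active_end:
        return ("active", due)
    if today < due:
        return ("archived", due)
    return ("destroy", due)


def review_inventory(records, today: date, schedule=SCHEDULE) -> Dict[str, Tuple[str, Optional[str]]]:
    """Review every record; map record name -> (status, due date as ISO string)."""
    report = {}
    for rec in records:
        status, due = review(rec, today, schedule)
        report[rec.name] = (status, due.isoformat() if due else None)
    return report


# Constructed sample inventory and review date (not real records).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("Audit ledger FY2010", "Finance", "Accounting and Finance Records", date(2010, 4, 1), "Archive room B"),
    Record("Supplier invoice 2023-0117", "Finance", "Accounting and Finance Records", date(2023, 1, 10), "ERP system"),
    Record("Occupational health file 2020", "HR", "Medical Records", date(2020, 2, 29), "HR file server"),
    Record("Staff medical screening 1987", "HR", "Medical Records", date(1987, 3, 15), "Archive room A"),
    Record("Employee file J. Doe", "HR", "Personnel Record", date(2005, 2, 1), "HR file server",
           employment_end=date(2012, 9, 30), legal_hold=True),
    Record("Employee file A. Roe", "HR", "Personnel Record", date(2019, 8, 12), "HR file server"),
    Record("Trade show contact list", "Marketing", "Marketing", date(2016, 5, 2), "Shared drive"),
]

if __name__ == "__main__":
    # Print the review so each department head can act on the 'destroy' rows.
    for name, (status, due) in review_inventory(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{name:32} {status:12} due {due or '-'}")
```

Two behaviours are worth noting: a record whose category has no entry in the schedule is reported as unscheduled rather than destroyed, so a gap in the policy surfaces in the review instead of being acted on silently, and a legal hold is reported with its original due date so the reviewer can see how long the hold has extended the record's life.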
Data Retention Measures: Since the organization is archiving essential data, it needs specific guidelines on storage and protection so that archived data stays accurate, available and secure for the whole retention period.
- The company ensures that all archived data is stored in a protected environment with access restricted to the people who need it.
- Archived electronic data must be encrypted at rest, protected against malware and corruption through access controls and integrity checks, and backed up. Managing encryption keys per archive also makes end-of-retention disposal simpler, because destroying the key renders the archived data unrecoverable.
- Archived physical documents must be stored in a secure, protected location that guards them against loss, theft and physical damage such as fire or water.
The above template provides comprehensive information on how to create a Data Retention and a Data Disposal policy for any business organization.
The policymakers can use this template as a starting guide to draft the policy for their company and add any necessary customizations based on their company processes and needs.