What is Data Retention? How to Create a Policy that Protects Privacy

Your smartphone likely holds thousands of pictures, of which you only really want to keep a fraction. But you rarely—if ever—find time to delete those pictures and organize the remaining ones.

The result? You waste time searching for a particular image you want to show a friend, or money spent on cloud storage you don’t need.  

Your phone's photo gallery is a miniature version of the data challenge many companies face. They store too much information that isn’t vital to their organization, lack processes to dispose of that data, and, in doing so, create unnecessary legal and security risks. Data retention can counter this problem. To understand how we'll look at:

• What is data retention?

• What is a data retention policy?

• Benefits of having a data retention policy

• How to create a data retention policy

• Simplify data retention with Segment

What is data retention?

Data retention refers to how an organization stores and activates its data within a specific timeframe (i.e., a data retention period). 

Data retention is critical for modern organizations. Without it, companies might store too much information for an unnecessarily long amount of time, which leads to operational inefficiencies, increased costs, along with legal and security risks (e.g., certain privacy laws and regulations stipulate how long an organization should store data). 

What is a data retention policy?

A data retention policy is a set of guidelines and instructions on how long a company should store different types of information, and how they'll dispose of that data afterward. A retention policy might include:

• What data you collect, why you collect it, and where it’s stored. 

• Specifications on how long you'll keep different data points, in what format, and for what reason. 

• Details on which laws and industry standards apply to the information you collect and how your company is ensuring compliance.

• An overview of how you dispose of data and handle user deletion requests—a common requirement of most privacy regulations.

Why are data retention policies important?

There are both legal and ethical concerns when it comes to collecting data. Many organizations are subject to some kind of privacy laws or regulations, which can specify where data should be stored (e.g., data residency), and the right of the user to have their personal data deleted should they request it. 

Without a data retention policy, an organization is opening themselves up to disorganization and vulnerabilities when it comes to protecting and properly managing data. By having a retention policy in place, businesses can have internal alignment and clarity on how they’re remaining compliant with relevant laws, the security measures they have in place, and ensure they’re only collecting the data they need. 

Types of data included in retention policies

The type of data that will be included in a retention policy will vary depending on the business or industry. But a few common types of data you’ll often see referenced include:

• Customer data, like a person’s name, address, purchase history, communication records 

• Employee data like HR records and payroll information

• Legal and compliance data, like contracts, regulatory compliance records, incident reports, etc. 

• Operational data, like server and network activity or supply chain data.

It’s worth noting that some types of data may be subject to overarching privacy laws and regulations. Take healthcare companies in the U.S., who are subject to HIPAA. While specific data retention requirements may vary by state, HIPAA is a federal law that requires Covered Entities and Business Associates to keep a record of their policies and procedures around the disclosure of protected health information (and HIPAA compliance) for six years from the date of its creation. 

Data retention policy examples

Data retention policies will vary slightly from business to business. However, depending on the industry and the location, different organizations may be subject to the same laws and standards.

Highly regulated industries like financial services often have state-specific regulations around how long they retain data and how it’s disposed of, along with federal regulations like the Fair Credit Reporting Act (FCRA). 

Here’s Twilio’s Data Retention and Deletion policy for a real-life example of what might be included. Sometimes information on how a company handles data retention may be included in its privacy policy, like in this example from Wells Fargo. 

Benefits of a data retention policy

While regulatory compliance is often the primary reason companies create a data retention policy, it offers benefits besides addressing legal requirements.

Better organization

The main goal of data retention is to stipulate how long different types of data should be stored. However, there are more than a few indirect benefits of doing this, with one being: better data organization. 

To successfully implement a data retention policy, incoming and existing data needs to be properly classified and organized based on its risk level and intended use. Having this system in place makes it easier to locate and access specific data when needed. 

Segment’s Privacy Portal helps automatically classify highly sensitive data based on risk level. 

Makes data safer 

Data retention can help contribute to safety and security in a few important ways. First, data retention policies dictate how long data should be stored, and when it should be deleted or archived. This helps reduce the risk of data breaches or unauthorized access, along with freeing up storage space in primary systems. 

Second, data retention policies help companies stay in line with applicable laws and encourage organizations to only store and manage vital information, a best practice when it comes to protecting customer data. 

Builds customer trust 

Capturing only vital customer information is also a great way to build trust.  Imagine a company presents you with a lengthy form like the one below just to receive their newsletter or attend a webinar. You might think twice: once about registering and once about what that company does with all your personal information.

How to create a data retention policy

Creating a data retention policy requires careful planning, understanding applicable laws and regulations, and more. Below, we outline a few important steps to consider when creating your own guidelines. 

Identify legal & regulatory requirements

Start creating your data policy by reviewing governmental and industry regulations that apply to your business, like the GDPR, CCPA, and HIPAA. Such ordinances usually have rules on information you can't store but also on data you must keep for a certain period.

Personal information on customers, for example, can usually only be kept for a specific purpose and limited time. On the other hand, financial information often needs to be retained for many years for potential taxation and accounting audits.

Your business might also have contractual obligations to customers or partners regarding information you need to or can't store. And, when litigation happens that involves your company, you're always obligated to collect and preserve all potentially relevant information to that case.

Classify data based on business needs

Once you know which data your business legally has to retain—or can't—you need to understand what additional information you require to run your business and deliver products and services to customers. Such an evaluation should include all departments that deal with or rely on customer data which, these days, is almost everyone.

Make an inventory of all the data every team captures and for what reason. This assessment should include digital information—like documents, databases, emails, and images—but also physical data, like contracts and hard copy reports in filing cabinets.

For each data type, first scrutinize why retention is necessary. "Just in case you might need it in the future" is not a valid reason to capture or retain information. Once a data type passes scrutiny, determine how long it needs to be kept based on its—likely degrading—usefulness over time in relation to its stated purpose.

Assign responsibilities to enforce data retention policies

Your data retention policy needs to indicate who's responsible for the retention and disposal of each data type in your inventory. The policy should also state what needs to happen at the end of the retention period.

Some financial information, for example, can be removed from your servers where it's accessible in real-time but should still be archived on a backup server or disk for several years before you destroy it. You also have the option to anonymize data instead of deleting it, but only when it's done in such a way that the information can never reveal the original person it relates to.

Besides these responsibilities, you also need to specify—usually together with legal, HR, and IT departments— what happens in the case of security breaches, violations of the policy, and other emergencies or unforeseen circumstances. Your policy should always include contact details for internal reference and customers who want to contact you.

Implement the policy and plan follow-up audits

We recommend you finalize your policy by creating several versions: one specifically for regulators that might have to include legal jargon and another version for internal reference and publication on your website as part of your overall privacy policy.

Segment's privacy policy, for example, can be accessed from the footer of every page of our website and includes a section on data retention. Here are other examples from Google, Wikipedia, and Spotify. These pages are also excellent locations for giving your customers access to controls over their data and deletion requests.

Specify how often you will review and update the policy and perform internal audits on your data retention practices. This frequency largely depends on the sensitivity of the information you handle. Banks, for example, might do internal audits every month, whereas other businesses can rely on quarterly or even annual checks.

Make sure to consider how you will educate your employees about the policy and any changes you make in the future. A Data Protection or Compliance Officer (DPO / DCO) usually takes on this task if your organization has one.

Simplify data retention with Segment

A Customer Data Platform (CDP) like Segment simplifies data retention by centralizing all your organization's information in one place and automating much of the work needed to classify and monitor your customer data.

Our Privacy Portal automatically creates an inventory of your customer data, keeps it up to date, and allows you to confirm or modify the classification. It also classifies data as it comes in, so you only store data that regulators allow and your customers have consented to. 

Segment offers two products for complying with the two crucial privacy regulations, the European GDPR and the CCPA in California. These products include features for managing user consent and automatically executing deletion and suppression requests from customers across your data ecosystem.

With a CDP like Segment and its privacy tools, managing the retention of your company's data might just require less effort than sorting out those thousands of photos on your smartphone.