What is Data Retention? How to Create a Policy that Protects Privacy

Your smartphone likely holds thousands of pictures, of which you only really want to keep a fraction. But you rarely—if ever—find time to delete those pictures and organize the remaining ones.

The result? You waste time searching for a particular image you want to show a friend. You spend money on cloud storage to backup pictures you don't need. Or, if you don't, you risk losing all of them—including the ones you do want to keep—when your phone gets stolen or broken.

Your phone's photo gallery is a miniature version of the data challenge many companies face. They store too much information they don't need, lack processes to dispose of that data, and, in doing so, create unnecessary legal and security risks. Data retention can counter this problem. To understand how we'll look at:

• What is data retention?

• What is a data retention policy?

• Benefits of having a data retention policy

• How to create a data retention policy

• Simplify data retention with Segment

What is data retention?

Data retention is the storing of information for a specified period. Data retention is primarily relevant to businesses that store data to service their customers and comply with government or industry regulations.

Data retention is critical for modern organizations. Without it, companies might store too much information unnecessarily long, which leads to operational inefficiencies, increased costs, and legal and security risks.

What is a data retention policy?

A data retention policy specifies how long a company stores different types of information and how they'll dispose of that data afterward. Specifically, such a policy includes:

• A classification of the information your organization collects from whom, and where in the business this happens

• Specifications on how long you'll keep each piece of information, in what format, and for what reason

• Details on which laws and industry standards apply to the information you collect and how your company ensures compliance with those rules

• Explanations on how you store, secure, and back up information

• An overview of how you dispose of data and how customers can request deletion of their data—a common requirement of most privacy regulations

• Responsibilities for different policy elements and what to do in case of policy violations or data breaches

Benefits of having a data retention policy

While regulatory compliance is often the primary reason companies create a data retention policy, it offers benefits besides addressing legal requirements.

Makes data more accessible. For one, a data retention policy ensures the information you do keep becomes more accessible, cheaper to store, and easier to use for everyone in your organization. Like the photos on your smartphone, it's easier to find what you're looking for if you don't have to sift through piles of useless information. Plus, you don't have to pay for the storage of data you don't need.

Makes data safer. Data retention also increases the safety of your data. Every piece of information you store—even a customer name or email address—is potentially valuable to a cyber thief. Less information stored means fewer data to protect and reduced criminal interest because there's less bounty to gain from targeting your company.

Builds customer trust. Capturing less information to begin with also builds consumer trust. Imagine a company presents you with a lengthy form like the one below just to receive their newsletter or attend a webinar. You might think twice: once about registering and once about what that company does with all your personal information.

How to create a data retention policy

You can create a data retention policy by following the below steps.

Identify legal & regulatory requirements

Start creating your data policy by reviewing governmental and industry regulations that apply to your business, like the GDPR, CCPA, HIPAA, and SOX. Such ordinances usually have rules on information you can't store but also on data you must keep for a certain period.

Personal information on customers, for example, can usually only be kept for a specific purpose and limited time. On the other hand, financial information often needs to be retained for many years for potential taxation and accounting audits.

Your business might also have contractual obligations to customers or partners regarding information you need to or can't store. And, when litigation happens that involves your company, you're always obligated to collect and preserve all potentially relevant information to that case.

Classify data based on business needs

Once you know which data your business legally has to retain—or can't—you need to understand what additional information you require to run your business and deliver products and services to customers. Such an evaluation should include all departments that deal with or rely on customer data which, these days, is almost everyone.

Make an inventory of all the data every team captures and for what reason. This assessment should include digital information—like documents, databases, emails, and images—but also physical data, like contracts and hard copy reports in filing cabinets.

Segment’s Privacy Portal makes it easy to classify your incoming data.

For each data type, first scrutinize why retention is necessary. "Just in case you might need it in the future" is not a valid reason to capture or retain information. Once a data type passes scrutiny, determine how long it needs to be kept based on its—likely degrading—usefulness over time in relation to its stated purpose.

Assign responsibilities to enforce data retention policies

Your data retention policy needs to indicate who's responsible for the retention and disposal of each data type in your inventory. The policy should also state what needs to happen at the end of the retention period.

Some financial information, for example, can be removed from your servers where it's accessible in real-time but should still be archived on a backup server or disk for several years before you destroy it. You also have the option to anonymize data instead of deleting it, but only when it's done in such a way that the information can never reveal the original person it relates to.

Besides such responsibilities, you also need to specify—usually together with legal, HR, and IT departments— what happens in the case of security breaches, violations of the policy, and other emergencies or unforeseen circumstances. Your policy should always include contact details for internal reference and customers who want to contact you.

Implement the policy and plan follow-up audits

We recommend you finalize your policy by creating several versions: one specifically for regulators that might have to include legal jargon and another version for internal reference and publication on your website as part of your overall privacy policy.

Segment's privacy policy, for example, can be accessed from the footer of every page of our website and includes a section on data retention. Here are other examples from Google, Wikipedia, and Spotify. Such pages are also excellent locations for giving your customers access to controls over their data and deletion requests.

Specify how often you will review and update the policy and perform internal audits on your data retention practices. This frequency largely depends on the sensitivity of the information you handle. Banks, for example, might do internal audits every month, whereas other businesses can rely on quarterly or even annual checks.

Make sure to consider how you will educate your employees about the policy and any changes you make in the future. A Data Protection or Compliance Officer (DPO / DCO) usually takes on this task if your organization has one.

Simplify data retention with Segment

A Customer Data Platform (CDP) like Segment simplifies data retention by centralizing all your organization's information in one place and automating much of the work needed to classify and monitor your customer data.

Our Privacy Portal product automatically creates an inventory of your customer data, keeps it up to date, and allows you to confirm or modify the classification. It also classifies data as it comes in, so you only store data that regulators allow and your customers have consented to. 

Segment offers two products for complying with the two most crucial recent privacy regulations, the European GDPR and the CCPA in California. These products include features for managing user consent and automatically executing deletion and suppression requests from customers across your data ecosystem.

With a CDP like Segment and its privacy tools, managing the retention of your company's data might just require less effort than sorting out those thousands of photos on your smartphone.