Part of:Data storage planning and policy development
Data retention and destruction policy template: Free download
The downloadable data retention and destruction policy template here will help with compliance. Use this structure to develop other IT data management policies.
As part of an overall data management program, IT organizations should establish policies for data retention and destruction.
A policy is an essential tool to ensure organizations follow the proper practices for these important phases of the data lifecycle. The policy is also an important indication of compliance with standards and regulations and is evidence for an IT audit.
What is data retention and destruction?
Retention of data, systems, databases, security parameters and other information resources is an essential part of data management and data protection. This process differs from normal data backups that organizations might use more frequently in daily business operations.
Organizations might need certain kinds of archival data, such as customer records and legal documents, to support future demands for evidence in litigation or auditing activities. This management differs from data in regular use by the firm's various systems, yet it should also follow guidelines for retention and destruction.
Data destruction activities ensure organizations properly dispose of data, media and hardware they no longer need for daily company operations. Numerous technologies are available to ensure that admins can delete data permanently and safely destroy the media.
What to include in a data retention and destruction policy
Data retention and destruction requires several key activities, and those procedures should do the following:
Be developed by a team that can address operational, legal, environmental, competitive and other issues associated with data retention and destruction.
Have input from internal departments for their retention and destruction requirements.
Be regularly scheduled.
Specify what organizations should retain and destroy.
Define resources for retention and destruction.
Identify retention locations, such as on site or remotely in cloud storage.
Identify the frequency of retention and destruction activities.
Define a means of validating that retention and destruction activities were successful.
Ensure retention and destruction activities are compliant with relevant standards and regulations.
IT organizations should consider the following issues when developing data retention and destruction policies:
Procedures for data retention and destruction.
Technologies for data retention and destruction.
Types of data and systems to retain and the associated metrics.
Circumstances under which organizations can destroy data media and systems.
Network infrastructure requirements to ensure organizations can complete retention activities.
Professional staff, both internal and external, charged with executing retention and destruction activities.
Emergency procedures if data retention and destruction activities are compromised.
Procedures for ensuring organizations securely store data and systems in an appropriate retention facility to mitigate damage from a data breach, ransomware attack or other cybersecurity event.
Procedures that ensure the protection of the environment and continuation of sustainability activities.
Procedures to validate data retention and destruction activities were successful.
Successful integration of data retention and destruction with other data management and data protection activities.
Complete the data retention and destruction policy template
First, begin by capturing the above data; it will serve as the starting point. Next, consider the following preliminary activities:
Ensure senior management has approved planned policy activities.
Establish a policy development team to facilitate these activities.
Examine existing IT policies for structure and format. Use relevant components for the new one.
Explore examples of other data retention and destruction policies and adapt them as appropriate.
Examine software products that can assist in preparing policies.
Components of a data retention and destruction policy
To start, a data retention policy can be simple. A few paragraphs might be sufficient, noting the metrics discussed previously. Organizations can include more detail if necessary. The following is a policy outline that organizations can format to address data retention and destruction issues:
Introduction. States the fundamental reasons for having a data retention and destruction policy.
Purpose and scope. Provides details on the policy's purpose and scope.
Statement of policy. States the policy in clear, specific terms.
Policy leadership. Identifies who is responsible for approving and implementing the policy and issues penalties for noncompliance.
Verification of policy compliance. Delineates what is needed to verify that data retention and destruction activities are verifiable and compliant with the policy and any other IT policies.
Penalties for noncompliance. Defines penalties for failure to comply with policy.
Appendices (as needed). Incorporates added reference data, such as lists of contacts and service-level agreements.
Refer to the data retention and destruction policy template for additional guidance.
Upon completion of a draft data retention and destruction policy, have it reviewed by IT department management, internal audit and legal departments at a minimum.
Next steps
Upon completion of a draft data retention and destruction policy, have it reviewed by IT department management, internal audit and legal departments, at a minimum. Invite other relevant departments to comment if time permits.
Ensure the policy addresses compliance with relevant standards and regulations. Also ensure the policy addresses environmental and sustainability considerations to demonstrate that it is consistent with green IT procedures.
Circulate the policy to appropriate internal departments and external parties if needed. Establish a date that the new policy goes into effect. Send notifications to employees and senior management. Provide briefings to senior management on the policy if needed.
Launch the policy, establish a schedule to periodically review and update it, and begin maintenance and continuous improvement activities.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
