What is a Data Retention Policy?

How many messages are in your inbox? Even those of us who subscribe to Inbox Zero may have thousands of messages squirreled away in subfolders or archived mailboxes.

Now multiply that number across all of the users in your company -- and add in your file server, your SharePoint sites, and other places where documents accumulate. There could be hundreds of thousands of documents floating around on your network. And while space constraints will eventually force you or your users to delete some of them, there is a better way to clean up the mess -- with a formal data retention policy.

What is a Data Retention Policy?

Data retention is, at its core, a business policy that is usually put in place by the C-suite, owners, or high-level management. But, as an IT person, you may be asked to help design or implement a retention policy, so it’s good to understand how it fits into your technical decision-making.

A data retention policy is a document that specifies how long your company stores documents that it creates. Once a certain amount of time -- the “retention period” -- has elapsed, the data is deleted or destroyed. This can happen automatically, or manually by those who are in charge of enforcing the retention policy.

In addition to saving storage space, retention policies provide several other benefits. First, they can protect the company from legal or other problems that could come from having too much data “on the loose”. If your company were to be sued or otherwise involved in litigation, any document on your network may be legally discoverable -- meaning the other side gets to look through it, potentially helping their case and hurting yours. Or, if a hacker were to gain access to your network, every document you never deleted would be there to pilfer and potentially use against you.

Besides specifying when to delete data, retention policies make sure that critical data is kept for the required amount of time. Most businesses must keep banking or tax data for a certain number of years, and corporations may need to keep corporate info, like financial statements, indefinitely. Additionally, if your company is covered by special regulations like HIPAA, Sarbanes-Oxley (SOX), or PCI-DSS, you must follow the retention requirements specified for your situation.

How To Develop a Data Retention Policy

If you’re asked to help develop or implement a retention policy for your company, there are a few things you’ll need to know in order to move the process along.

First, where does your company store data? Do you use regular file servers, or a workflow management system like SharePoint? How is email used by your company? Do users have areas to store personal documents on the network? What cloud services do you use to store data? The answers will give you a starting point when creating an automated data retention solution.

Next, what kinds of data will be covered by the data retention policy? This is a question for management, but likely there will be at least a few categories that will need to be covered, like financial data, contracts, client data, etc.

Then, you’ll need to know what kinds of workflow changes will be implemented to back up the retention policy. Will users be asked to sort documents into the categories above? Is there already a filing system in place that will be useful to you? Again, the more information you know about your company’s goals and procedures, the more successful your retention policy implementation will be.

After the information has been gathered, the policy will be written up, usually by management. In regulated industries, a lawyer may need to look it over as well. But once the policy is created and approved, it’ll be your turn to implement it.

Our next few articles will cover implementing retention policies on various Microsoft services, both on-prem and cloud-based. Stay tuned!

