As part of an overall data management program, IT organizations should establish policies and procedures for the retention and destruction of data.
Organizations may need certain types of archival data, such as client records and legal documents, to support future requests for evidence in litigation or audit activities. Retention of data, systems, databases, security settings and other information resources is an essential part of data management and protection. This process differs from normal data backups that organizations can use more frequently in their day-to-day business operations.
Data destruction activities ensure that organizations properly dispose of the data, media and hardware they no longer need for day-to-day business operations.
What to include in a data retention and destruction policy
Data retention and destruction involve several key activities, and the procedures for them should:
- be developed by a team capable of resolving the operational, legal, competitive and other issues related to data retention and destruction;
- incorporate input from internal departments on their retention and destruction requirements;
- be regularly scheduled;
- specify what should be kept and destroyed;
- define procedures and resources for retention and destruction;
- identify the location of retention;
- identify the frequency of retention and destruction activities;
- identify the retention period for data and systems; and
- define a means of validating that the retention and destruction activities have been successful.
IT organizations should consider the following issues when developing data retention and destruction policies:
- data retention and destruction procedures;
- data retention and destruction technologies;
- the types of data and systems to keep and the associated metrics;
- the circumstances in which organizations may destroy data media and systems;
- network infrastructure requirements to ensure that organizations can complete retention activities;
- professional staff, both internal and external, responsible for carrying out retention and destruction activities;
- emergency procedures if data retention and destruction activities are compromised;
- procedures to ensure that organizations securely store data and systems in an appropriate retention facility to mitigate damage caused by a data breach, ransomware attack, or other cybersecurity event;
- procedures to validate that data retention and destruction activities have been successful; and
- integration of data retention and destruction with other data management and protection activities.
Complete the data retention and destruction policy template
Use this data retention and destruction policy template to help you prepare.
Start by capturing the information above; it will serve as a starting point. Next, consider the following preliminary activities:
- Review existing IT policies for structure and format. Use components relevant to the new one.
- Explore examples of other data retention and destruction policies and adapt them as needed.
- Look at software products that can help you prepare strategies.
Components of a data retention and destruction policy
A data retention policy can be simple. A few paragraphs may suffice, noting the metrics discussed previously. Organizations can include more details if needed. Here is an outline organizations can use to structure a policy that addresses data retention and destruction issues:
- Introduction. State the basic reasons for having a data retention and destruction policy.
- Objective and scope. Provides details on the objective and scope of the policy.
- Declaration of conformity. Specifies the laws, regulations, standards and other directives with which the policy aims to comply.
- Policy statement. States the policy in clear and precise terms.
- Policy leadership. Identifies who is responsible for approving and implementing the policy, as well as the penalties for non-compliance.
- Verification of policy compliance. Delineates what is needed to verify that data retention and destruction activities are auditable and in compliance with this policy and any other IT policies.
- Penalties for non-compliance. Defines the penalties for non-compliance with the policy.
- Appendices (if needed). Incorporates additional reference data, such as contact lists and service level agreements.
Refer to the Data Retention and Destruction Policy Template for additional guidance.
Once a draft data retention and destruction policy is complete, have it reviewed by IT management and legal departments, at a minimum. Invite other relevant departments to comment if time permits.
Disseminate the policy to the appropriate internal departments and external parties (if necessary). Launch operations and maintenance activities.