As part of an overall data management program, IT organizations should establish policies and procedures for data retention and destruction.
Organizations may need certain kinds of archival data -- such as customer records and legal documents -- to support future demands for evidence in litigation or auditing activities. Retention of data, systems, databases, security parameters and other information resources is an essential part of data management and data protection. This process differs from normal data backups that organizations may use more frequently in daily business operations.
Data destruction activities ensure that organizations properly dispose of data, media and hardware they no longer need for daily company operations.
What to include in a data retention and destruction policy
Data retention and destruction require several key activities, and the procedures for them should:
- be developed by a team that can address operational, legal, competitive and other issues associated with data retention and destruction;
- have input from internal departments for their retention and destruction requirements;
- be regularly scheduled;
- specify what should be retained and destroyed;
- define procedures and resources for retention and destruction;
- identify retention location;
- identify the frequency of retention and destruction activities;
- identify how long data and systems are retained; and
- define a means of validating that retention and destruction activities were successful.
IT organizations should consider the following issues when developing data retention and destruction policies:
- procedures for data retention and destruction;
- technologies for data retention and destruction;
- types of data and systems to retain and the associated metrics;
- circumstances under which organizations can destroy data media and systems;
- network infrastructure requirements to ensure organizations can complete retention activities;
- professional staff, both internal and external, charged with executing retention and destruction activities;
- emergency procedures if data retention and destruction activities are compromised;
- procedures for ensuring that organizations securely store data and systems in an appropriate retention facility to mitigate damage from a data breach, ransomware attack or other cybersecurity event;
- procedures to validate that data retention and destruction activities were successful; and
- integration of data retention and destruction with other data management and data protection activities.
Complete the data retention and destruction policy template
Use this data retention and destruction policy template to help you prepare.
Begin by capturing the above data; it will serve as the starting point. Next, consider the following preliminary activities:
- Examine existing IT policies for structure and format. Use relevant components for the new one.
- Explore examples of other data retention and destruction policies and adapt them as appropriate.
- Examine software products that can assist in preparing policies.
Components of a data retention and destruction policy
A data retention policy can be simple. A few paragraphs can be sufficient, noting the metrics discussed previously. Organizations can include more detail if necessary. The following is a policy outline that organizations can format to address data retention and destruction issues:
- Introduction. States the fundamental reasons for having a data retention and destruction policy.
- Purpose and scope. Provides details on the policy's purpose and scope.
- Statement of compliance. Specifies laws, regulations, standards and other guidance the policy aims to meet.
- Statement of policy. States the policy in clear, specific terms.
- Policy leadership. Identifies who is responsible for approving and implementing the policy, as well as issuing penalties for noncompliance.
- Verification of policy compliance. Delineates what is needed to confirm that data restoration and destruction activities are verifiable and compliant with the policy and any other IT policies.
- Penalties for noncompliance. Defines penalties for failure to comply with policy.
- Appendixes (as needed). Incorporates added reference data, such as lists of contacts and service-level agreements.
Refer to the data retention and destruction policy template for additional guidance.
Upon completion of a draft data retention and destruction policy, have it reviewed by IT department management and legal departments, at a minimum. Invite other relevant departments to comment if time permits.
Circulate the policy to appropriate internal departments and external parties (if needed). Launch operational and maintenance activities.