Archive Data Protection

    Why You Need a Data Retention Policy

    A data retention policy is key to keeping your data accessible, compliant, and secure. Discover best practices and how to create the right policy for your organization.

    by Daniel Argintaru

    Key Points

    • A data retention policy defines why and how you store data, for how long, and then how you dispose of it.
    • Data retention policies play a pivotal role in data management, enabling regulatory compliance, legal defenses, and disaster recovery.
    • They can also help keep mission-critical data at employees’ fingertips.


    Organizations’ email systems hold a treasure trove of data, with ever-increasing volumes of messages and attachments containing information about customers, employees, transactions, marketing plans, intellectual property, and IT systems. The challenge is to manage all this data — whether to extract its business value, comply with heightening regulation, ensure disaster recovery, or support legal cases. 

    Enter data retention policies. Knowing how, why, and for how long to keep data before deleting it is crucial to protecting an organization’s interests. With data protection laws around the world imposing large fines on companies that fail to respect strict data retention regulations, the compliance burden is not to be ignored. Added to that is the growing use of data as evidence in workplace lawsuits and other litigation.

    On the operations side, a well-defined policy can also help you to better organize your data, maintain accurate records, conduct a range of analyses and work more efficiently. A retention policy can also serve as part of the framework to manage your backups and archiving, aiding in disaster recovery following a cyberattack or other calamity.

    Let’s examine data retention, its benefits, best practices, and supporting technologies such as Mimecast’s cloud archiving solutions.

    What Is Data Retention?

    Data retention refers to the storing and use of data for a set time period, also known as a data retention period. These data retention periods differ for every organization based on the type of data they store, the legislation governing their operations, and their business goals. The aim is to set a retention period that allows you to extract as much value as possible from your data while keeping up with regulation and the latest security threats.

    What Is a Data Retention Policy? 

    A data retention policy ensures that organizations take a consistent approach to storing and disposing of their data. It should specify how long you keep different types of data, their format, where they’re stored, and how long they are stored. Remember that efficient, compliant data disposal is also essential to control costs. 

    The policy should define who in your organization can dispose of data once its retention period expires. Whether the next step is deletion or archiving, make sure you choose trustworthy employees who understand your data retention policy inside and out. 

    The Importance of a Data Retention Policy

    New laws governing consumer and employee data privacy emerge each day, with regulators exercising their mandate to crack down on irresponsible practices. Other government and industry rules apply to data such as accounting records or credit information. Many include provisions specific to the management and disposal of business data, and failure to comply can have serious financial and reputational consequences. 

    Take the California Consumer Privacy Act (CCPA), which regulates any company that does business with California consumers regardless of where it is based. Each violation can cost up to $7,500 if deemed intentional, which means that an organization that violates the terms of CCPA for just 1,000 customers could be fined as much as $7.5 million.[1] The more recent California Privacy Rights Act (CPRA) will impose even stricter requirements as of January 2023, including the obligation to inform consumers how long their personal information will be retained.[2]

    Other noteworthy data retention regulations to keep in mind include the privacy provisions in Europe’s General Data Protection Regulation (GDPR) and the coverage of accounting and business records in the U.S. Sarbanes-Oxley Act (SOX), which applies to all public companies. As for industry-specific regulation: Healthcare organizations must adhere to the Health Insurance Portability and Accountability Act (HIPAA); financial firms must respect the Gramm-Leach-Bliley Act (GLBA); and any company that accepts credit card payments must comply with the Payment Card Industry Data Security Standard (PCI-DSS).

    4 Benefits of a Data Retention Policy

    In addition to compliance, a data retention policy can help your business improve the way it manages information and responds to security threats. Here are just a few benefits: 

    1. Cleaner, more accessible data: Data retention policies include provisions for the regular disposal of outdated or duplicated records. Cleaner data is easier to search and creates less confusion for employees.
    2. Cost reduction: Done right, setting policies for data retention and disposal can reduce storage costs.
    3. Consolidated document storage: The shift to digital business models has left many companies at a crossroads between paper and digital document storage. Your data retention policy will account for this duality so you can effectively manage data in all its forms. 
    4. Improved disaster recovery: In a world of relentless security threats, especially those targeting email, an outage or disaster can come at any time. Include provisions for backup and recovery in your data retention policy to protect mission-critical information and bounce back quickly.

    Data Retention Best Practices

    Your organization’s data retention practices will be based on its goals, the types of data you store. and the industry you serve. However, some principles transcend these factors and apply to nearly every organization:

    • Be mindful of different data types: Different data types serve different purposes and should be stored for different amounts of time. For instance, a customer’s shipping address has a longer shelf life for an appliance retailer than their online browsing history after they’ve already bought a new fridge.
    • Involve all relevant parties: Most business data is used by multiple teams. To serve everyone’s interests, make sure at least one representative from each team feeds into your data retention policy from the outset.
    • Monitor the regulatory landscape: Take time to understand every piece of regulation that applies to your business, making sure you meet all conditions for data retention. Global companies should be mindful of data laws in international markets, as these can vary greatly, and some have cross-border implications. The GDPR, for instance, applies to European citizens anywhere in the world.
    • Be clear and concise: Data management is complex, but the language used to define your retention policy shouldn’t be. Clear, simple, and accessible language leaves little room for confusion and ensures every employee understands their role.
    • Don’t forget backups: Backups reduce your risk of loss in the event of a cyberattack or system outage, so don’t forget to cover both backups and backup frequency in your data retention policy. A popular solution is to invest in cloud archiving.

    How to Create a Data Retention Policy

    With these principles in mind, it’s time to develop your data retention policy. 

    1. First, build a team representing every department affected by your data retention practices.
    2. Next, sort your data based on your priorities. For instance, email records will be a top concern for companies managing enormous communications volumes and a dispersed workforce. 
    3. Similarly, establish which regulations govern your organization and sort your data according to these rules. You’ll also need to address regulatory nuances in different markets. 
    4. Develop your data retention policy based on the above factors. Be sure to specify how long different types of data will be kept and whether the information will be archived or deleted at the end of its retention period. 
    5. Choose trusted employees as your data retention stewards, with the authority to manage and dispose of your data. 
    6. Finally, develop a plan to enforce your data retention policy and make sure employees understand their role in keeping your data compliant and secure. 
    7. One additional note — your data retention policy will evolve over time in line with changing regulation and market shifts, so consider it a living document.

    Simplify Data Retention with Cloud Archiving

    With so much email, media, and other forms of data passing through their organization each day, many organizations opt for a cloud archiving solution to simplify their data management, stay on top of compliance, and follow data retention best practices. In many cases, cloud archiving is also less expensive than on-premises solutions.

    The Bottom Line

    A data retention policy is more than a housekeeping tool. It is central to ensuring your data, employee communications, and storage processes are accessible, compliant. and secure. Learn more about how data retention best practices combined with a cloud archiving solution like Mimecast Cloud Archive can improve your organizations’ data management and storage.



    [1]The California Consumer Privacy Act: Frequently Asked Questions,” BakerHostetler

    [2]California’s New Privacy Law, the CPRA, Was Approved: Now What?”, JD Supra


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top