Data Retention Policy

A Data Retention Policy defines a business's established protocol for storing data and how it disposes of this data when it's no longer needed.

There are many compelling reasons a business or organization could benefit from a Data Retention Policy such as to comply with national or international privacy laws, to keep accurate financial records, to reduce data storage costs, or to adhere to industry regulations.

In this article, we'll take a closer look at what a Data Retention Policy is, who is legally required to have one, and the components that every Data Retention Policy should include.

What is a Data Retention Policy?

A Data Retention Policy is a set of guidelines that detail exactly how a business manages and stores the data it collects.

A Data Retention Policy will include information about:

• What data is stored
• Where data is stored
• How long data is stored
• What happens to data that is no longer needed

Businesses, organizations, and governments must all adhere to a variety of laws, policies, and regulations that govern how data must be stored and for how long.

These often include a data retention period. This refers to how long a business will hold on to the data it collects. While best practice dictates that you only hold on to data for as long as it is necessary for your business, you must also adhere to relevant data laws when considering this time frame.

The Benefits of Having a Data Retention Policy

Although the primary benefit of a Data Retention Policy is to ensure compliance with legal statutes and industry regulations, there are many operational benefits as well.

Below are some of the reasons why you should consider a Data Retention Policy for your business:

• Ensuring compliance with legal and regulatory requirements
• Reducing the likelihood of compliance-related fines
• Reduced storage costs as you can delete data that is no longer needed
• Ensuring that data is readily available for discovery and litigation support
• Limiting the amount of data you hold on to can protect your organization from the impact of data breaches

Do I Legally Need a Data Retention Policy?

The primary reason to have a Data Retention Policy is to avoid the risk of running afoul of local, federal, or international data privacy laws or industry regulations.

Failure to comply with these laws puts your business at risk for civil, criminal, or financial penalties.

Two pertinent data retention laws apply to most online businesses.

California's Online Privacy Protection Act (CalOPPA)

CalOPPA is a California law enacted in 2003 that requires operators of commercial websites and online services to display a Privacy Policy.

It applies to any website or mobile app that collects, "personally identifiable information through the Internet about individual consumers residing in California."

So even if your company is not based in California or the United States, if your website or mobile app attracts visitors from California, then CalOPPA likely applies to you.

CalOPPA has several requirements that businesses must abide by to be compliant. The most important requirement is that you have a Privacy Policy on your website or mobile app.

In order for the presentation of your Privacy Policy to be compliant, it must:

• Be clearly visible and readily accessible
• Contain the word 'privacy' in the display link

There are also several requirements for what your Privacy Policy must contain. Although CalOPPA refers to creating a 'Privacy Policy,' this policy shares several of the same elements as a Data Retention Policy. These include:

• The types of data collected
• How this data is used
• If this data is shared with third parties and how it is shared

CalOPAA mandates other additional requirements for your Privacy Policy, including:

• Whether you respond to "Do Not Track" (DNT) requests. This is simply a setting that users can activate to limit or prevent the collection of their personal data
• The effective date of the Privacy Policy
• A clear explanation of how users can request changes to their personal data that you have stored
• A clause stating you may update your Privacy Policy in the future

General Data Protection Regulation (GDPR)

The European Union's GDPR is one of the toughest data privacy laws in the world. The GDPR requires any company that collects and processes the personal data of EU citizens to adhere to certain data retention requirements.

If the GDPR applies to your business, then you need to create a Data Retention Policy. When creating this policy, be sure to include:

• The type of data collected and for what purpose
• The length of time you hold on to data
• How you delete or destroy data you no longer need

Under the GDPR, a business is only allowed to process data if they have a legal basis for doing so. Article 6 of the GDPR sets out the 6 potential legal or "lawful" bases for processing data, including:

• Consent
• Contract
• Legal obligation
• Contract
• Vital interests
• Public task
• Legitimate Interests

In the following example, you can see how the Bank of England explains the data it collects for regulatory purposes:

Unlike other international privacy laws, the GDPR does not stipulate exactly how long data can or must be kept. According to the GDPR, personal data may only be kept for as long as a business deems it reasonably necessary.

If the data collected allows for the identification of the user - as opposed to anonymous data - then your Data Retention Policy must clearly state why you are collecting the data and for how long it is retained.

In this small sample of Zemanta's larger Cookie Table, you can see how it states the purpose of collecting data and the time period for which the data is retained:

Other Data Retention Privacy Laws

While CalOPPA and the GDPR are two of the most common privacy laws that businesses must comply with, there are many others.

Here are a few other laws and regulations that have particular data retention policy requirements:

• The UK General Data Protection Regulation (UK GDPR) - The UK GDPR is the United Kingdom's privacy law that governs the processing of the personal data of UK citizens. Under Article 5(e), personal data that allows for the identification of an individual should only be kept for the necessary amount of time.
• The Health Insurance Portability and Accountability Act (HIPAA) - the HIPAA is a federal US law that establishes guidelines for the use and disclosure of personal health information. The HIPAA mandates that personal health data must be kept for a minimum of 6 years after its creation or after it ceased to be effective.
• Payment Card Industry Data Security Standard (PCI-DSS) - any company or organization that accepts credit cards is subject to the PCI-DSS. The PCI-DSS mandates the procedures companies must follow when retaining or destroying credit card data.

What Information Should a Data Retention Policy Include?

The exact details that should be included in your Data Retention Policy will be governed by the type of business you have and the laws and regulations that apply to it.

These are some of the common topics that any Data Retention Policy should address.

Business Name and Company Details

Your Data Retention Policy should start by stating your official company name and contact details.

Here is how Whole Foods included its company name and address in its Privacy Notice:

The Purpose and Scope of the Policy

Most standard Data Retention Policies will start by clearly defining the purpose and scope of the policy.

Here is how New York University defined the purpose of its Retention and Destruction of Records Policy:

How the Data is Used

This section should describe to the user how and why you collect their data. Most data protection laws require that you only collect the data you need and explain why you need it.

For instance, a company might collect a client's name and shipping information to send them a product they purchased. This is considered essential data and it is being gathered for a specific purpose. This is very different from a website that collects a client's data to sell it to a third party.

This is an example of how Amazon addresses the purpose for collecting customer data in its Privacy Notice:

The Categories of Data Retained

In this section, it is important to let your users know exactly what kind of data your company collects.

You may want to audit your website or app to ensure that you know exactly what, how, and when you collect data so that you can be as transparent as possible.

Here are some common categories of personal data that is collected:

• Personal information such as names, addresses, telephone numbers, and email addresses
• Usage and analytics data. This includes any of the data your business collects to understand how users access and utilize your website like their IP address or operating system.
• When applicable, you should disclose if your website uses cookies to enhance your user experience.

In its Privacy Policy, Walmart does a good job of clearly identifying the categories of data it retains:

How Stored Data is Protected

In this section, explain the steps taken to protect stored data from potential security breaches.

In the following example, Mastercard defines the safety protocols it takes to safeguard sensitive data:

How Long the Data is Stored

Your Data Retention Policy needs to clearly outline the retention period for data or the criteria by which the retention period is established. This simply means how long your business holds on to data after receiving it and how they establish these timelines.

Depending on the applicable laws, a statutory minimum period for data retention might apply. In these cases, you must note the relevant law in the policy itself. It is also important to include the date from which the data retention begins.

In this example, you can see how CalSAWS has included a section for the applicable California regulations that govern the data retention of social services cases. It also outlines the date from which the data retention begins:

Changes to the Data Retention Policy

It is important to add a section letting the user know that you may update or change your Data Retention Policy from time to time. You must also let the user know how you will notify them of any changes to your Data Retention Policy.

Where to Display a Data Retention Policy

You should always display a link to your Data Retention Policy somewhere that is easy to find and accessible. Your Data Retention Policy should be made available to users before they share their data.

The common best practice is to include a link to your Data Retention Policy in your website's footer.

However, your Data Retention Policy does not need to be a standalone document. You can fine-tune your existing Privacy Policy to include the necessary information as long as you ensure it makes your business's protocols for collecting and storing data transparent.

Here is an example of how NordVPN provides a link to its Privacy Policy in the website's footer, to show how you could also link your Data Retention Policy in the same way:

Summary

In conclusion, a Data Retention Policy outlines a business's procedures for collecting, storing, and disposing of personal data.

There are many laws around the world that require businesses to have a Data Retention Policy in place. Failure to adhere to these data privacy laws can lead to hefty financial, civil, and even criminal penalties.

When creating a Data Retention Policy for your business, be sure to:

• Define the purpose and scope of the policy
• Include your official business name and company details
• Explain how you collect data and for what purposes
• Explain how you destroy data that is no longer necessary
• Include the data retention period

Make sure you display a link to your Data Retention Policy in a clearly visible and easily accessible place like your website's footer.