A data retention and deletion policy has always been considered good practice, especially in IT circles. Historically the main reason was cost: as a company grows and the amount of data it stores accumulates, storage becomes expensive. This need is now growing stronger and becoming a priority for businesses in general, more so with the introduction of the General Data Protection Regulation (GDPR). GDPR states that personal data needs to be kept up to date and, more importantly, cannot be kept for longer than necessary. As such, a solid data retention policy has become a must for compliance.
This post details, in 10 steps, how to go about creating such a policy for your business or company. Each step requires considerable effort, and the creation of this policy should be treated as a project involving multiple stakeholders.
As with any other policy, the data retention policy should be reviewed periodically and should include its scope, review periods and auditing criteria or metrics. These items are standard for every policy and process and hence have not been included in the 10 steps detailed below.
Without further ado, find below the 10-step process for the creation of a data retention policy.
Step 1: Identify all the areas of the business
Pretty self-explanatory. Such areas may be Human Resources, Finance, IT, Product Management, Development, etc.
Step 2: Identify all systems used across the business
These include ticketing/incident management systems, leave and performance management systems, email handling systems, and authentication and Single Sign-On applications. If you are a software house or build your own internal systems, these would also need to be included.
Step 3: Determine the data profiles for each area & system
An example most people can relate to would be the HR system. A simple data profile would list the forms, documents and information HR keep per employee, and a listing of all the information within each form. To be more specific, let's say that during the recruitment process the candidate is asked for a police conduct. One of the items in your data profile would be the police conduct, and under that you would have a list of all the information within a standard police conduct.
Step 4: Identify where each form or group of information is stored
In our example, this is stored in physical form within an employee file, as well as scanned and uploaded into the HR system.
PRO TIP #1
Whilst carrying out the exercise for step 4, it would also be beneficial to determine the exact storage location as well as who has access to it. This will help with future security processes, risk identification and mitigation, as well as with GDPR.
Step 5: Identify those items considered as sensitive data
This step is a prerequisite for step 6, when the legal aspects need to be looked into. Sensitive data includes personal, financial and contractual data.
In the below diagram such information has been marked with an asterisk (*).
Step 6: Get legal
This step involves identifying those laws which require retaining data for a set period of years. For this step it would be best to consult a lawyer. Most often, employee data retention is specified within employment law, while financial data retention is specified under various laws such as taxation and company law, to name just a few.
An actual example under Maltese employment law would be the following. The below documents are to be retained for a period of 3 years.
- Employee Personnel Records (after the person is no longer an employee)
- Employment Applications
- Expired Insurance Policies
- Savings Bond Registration Records of Employees
- Time Cards For Hourly Employees
PRO TIP #2
Make sure that you first gather all the legal information available, even if the amount of time is not specified. For example, GDPR states that personal data cannot be kept for longer than required. This implies that to keep any personal data you would need to have legitimate grounds.
Step 7: Review your data profile for legal requirements
Now that you have your data profiles and all the legal requirements, it's time to review the data profiles and determine whether:
- The document/information in question is required by law to be kept for a specified amount of time. Should this be the case, then congratulations: your minimum retention period has been identified.
- If the document contains personal or financial data, check whether the document is needed for the business to operate.
  - If yes, determine why; the document probably serves as an input to some other process. In this case the minimum retention period of the document needs to be matched to the retention period of the information/document that was produced from it.
  - If not, determine whether this document is really needed. If it is not needed, a project to stop gathering this information needs to be initiated. If it is indeed needed, then determine the minimum amount of time for which the business requires this document.
In the below example, there is no legal requirement to obtain a police conduct for employees to be hired, but the business wishes to keep this practice as it mitigates other risks. However, a police conduct here in Malta has, by law, no validity period; the validity is to be determined by whoever is asking for it. The reasoning is that a crime could be committed the day after the police conduct has been issued, and as such the police conduct effectively expires on the day it is issued.
In this case a discussion would be held with HR to determine the value of keeping the police conduct once a person has been hired. For the benefit of this example, I shall assume that it would be beneficial for the business to keep it until the employee has passed their probation period, which as a standard is usually 6 months.
Step 8: Retention method
The next step would be to determine the retention method. For example, do I need this data to be readily accessible, or can it be placed in a secure archive and deleted once the overall retention period expires? This is mostly done for electronic data. Prime, high-availability storage is expensive, and as such data that is kept for a just-in-case scenario is usually stored on secondary low-cost storage. Low-cost storage is still secure but not as readily accessible, nor as fast or performant.
Hence we shall be introducing two new parameters to be considered: the Retention Period and the Archival Period. It is to be noted that upon the expiry of the archival period, the data should be permanently deleted. This means that it can no longer be retrieved.
In our scenario, given the short retention period, it is not worth archiving and can be permanently deleted once the 6 months are up. The physical copy is not considered necessary and can be discarded at the end of the hiring process.
PRO TIP #3
Make sure a shredding policy is available for the disposal of such sensitive hard copies.
Step 9: Can the archival and deletion procedures be automated?
It's all well and good to determine the retention periods; however, with a large number of systems, departments and documents, they may become cumbersome to maintain. As such, discussions should be had with your IT department and the departments in question to check whether such a process can be automated. If it is possible to automate, the change request to this effect should be initiated.
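To show how the decisions of steps 7 to 9 can be recorded and acted on automatically, here is an added Python example (not from the original post): each data-profile item carries its legal minimum, business-justified period and archival period, and a scheduled job works out whether a record is still active, archived, or due for permanent deletion. The 6-month police conduct period comes from the post; the 12-month archive tier for personnel records and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class RetentionRule:
    """One data-profile item with the outcome of steps 6 to 8."""
    item: str
    legal_min_months: Optional[int]  # step 6: period fixed by law, None if no law applies
    business_months: Optional[int]   # step 7: period the business can justify, None if none
    archive_months: int = 0          # step 8: low-cost archive tier after the active period

    def retention_months(self) -> int:
        """Active retention period: the legal minimum wins, otherwise the business need."""
        if self.legal_min_months is not None:
            return max(self.legal_min_months, self.business_months or 0)
        if self.business_months is None:
            # step 7: no law and no business need -> stop collecting, nothing to retain
            raise ValueError(f"{self.item}: no legal or business ground to retain")
        return self.business_months

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def lifecycle_state(rule: RetentionRule, trigger: date, today: date) -> str:
    """'active', 'archived' or 'delete', counted from the date the retention clock starts."""
    active_until = add_months(trigger, rule.retention_months())
    archive_until = add_months(active_until, rule.archive_months)
    if today < active_until:
        return "active"
    if today < archive_until:
        return "archived"
    return "delete"  # step 8: past the archival period the record is permanently deleted

# Two items from the post: the police conduct (6-month business need, no archive) and
# personnel records (3 years by law after employment ends; the 12-month archive is assumed).
POLICE_CONDUCT = RetentionRule("police conduct", None, 6)
PERSONNEL_RECORDS = RetentionRule("employee personnel records", 36, None, archive_months=12)

# Constructed sample register: (rule, date the retention clock starts for that record)
REGISTER = [(POLICE_CONDUCT, date(2024, 1, 15)), (PERSONNEL_RECORDS, date(2021, 3, 31))]

def deletion_schedule(register, today: date) -> dict:
    """Step 9: the action an automated job would take for each record on `today`."""
    return {rule.item: lifecycle_state(rule, start, today) for rule, start in register}
```

For the police conduct the clock starts at the hire date; for personnel records it starts when the person stops being an employee, as the post's legal example requires.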
Step 10: Consider affected processes
Once the data retention policy has been concluded, you would need to determine whether it has affected any other processes and procedures that would need to be updated. In the example we're using, the hiring process should be updated to reflect the shredding of the physical police conduct, and the probation/performance review process would need to be updated to reflect the deletion of the electronic copy.
That's it: formalise all the information into a policy, include the other standard elements, communicate and implement. Should you have questions related to specific scenarios that may not have been covered by the example provided, feel free to leave your question in the comments.
Would you like to be notified when new posts come out? Drop us a note via the contact us section and we'll add you to our mailing list.