10 steps to creating a Data Retention policy


A data retention and deletion policy has always been considered good practice, especially in IT circles. Historically the main reason was cost: as a company grows and stored data accumulates, storage becomes expensive. This need is now growing stronger and becoming a priority for businesses in general, more so with the introduction of the General Data Protection Regulation (GDPR). GDPR states that personal data needs to be kept up to date and, more importantly, cannot be kept for longer than necessary. As such, a solid data retention policy has become a must for compliance.

This post details, in 10 steps, how to go about creating such a policy for your business/company. Each step requires considerable effort, and the creation of this policy should be treated as a project involving multiple stakeholders.

As with all other policies, the data retention policy should be reviewed periodically and should include the scope, review periods and auditing criteria or metrics. These items are standard for every policy and process and hence have not been included as part of the 10 steps detailed below.

Without further ado, find below the 10-step process for the creation of a data retention policy.


Step 1: Identify all the areas of the business

Pretty self-explanatory. Such areas may be Human resources, Finance, IT, Product Management, development etc…

Step 2: Identify all systems used across the business

Examples include ticketing/incident management systems, leave & performance management systems, email handling systems, and authentication and Single Sign-On applications. If you’re a software house or build your own internal systems, these would also need to be included.

Step 3: Determine the data profiles for each area & System

An example most people can relate to would be the HR system. A simple data profile would list the forms, documents and information HR keep per employee and a listing of all the information within each form. To be more specific, let’s say that during the recruitment process, the candidate is asked for a police conduct. One of the items in your data profile would be police conduct and under that you would have a list of all the information within a standard police conduct.


Step 4: Identify where each form or group of information is stored.

In our example, this is stored in physical form within an employee file, as well as scanned and uploaded into the HR System.


Data Retention Policy - Step 4



Whilst carrying out the exercise for step 4, it would also be beneficial to determine the exact storage location as well as who has access to it. This will help with future security processes, risk identification & mitigation as well as with GDPR.


Step 5: Identify those items considered as sensitive data

This step is a prerequisite for step 6, when the legal aspects need to be looked into. Sensitive data includes personal, financial and contractual data.

In the below diagram such information has been marked with an asterisk (*)

Data Retention Policy - Step 5

Step 6: Get legal

This step involves identifying those laws which require retaining data for a set period of years. For this step it would be best to consult with a lawyer. Most often, employee data retention would be specified within employment law, while financial data retention would be specified under various laws such as taxation & company law, to name just a few.

An actual example under the Maltese employment law would be the following. The below documents are to be retained for a period of 3 years.

  1. Employee Personnel Records (after the person is no longer an employee)
  2. Employment Applications
  3. Expired Insurance Policies
  4. Savings Bond Registration Records of Employees
  5. Time Cards For Hourly Employees



Make sure that you first get all the legal information available, even if the amount of time is not specified. E.g. GDPR states that personal data cannot be kept for longer than required. This implies that to keep any personal data you would need to have legitimate grounds.


Step 7: Review your data profile for legal requirements.

Now that you have your data profile and all the legal requirements, it’s time to review the data profiles and determine whether:

  1. The document/information in question is required to be kept by law for a specified amount of time. Should this be the case, then congratulations, your minimum retention period has been identified.
  2. If the document contains personal or financial data, check if the document is legally required to operate.
    1. If yes, determine why, i.e. the document probably serves as an input to some other process. In this case the minimum retention period of the document needs to be matched to the retention period of the information/document that was produced based on the information in this document.
    2. If not, determine if this document is really needed. If it’s not needed, a project to stop gathering this information needs to be initiated. If it is indeed needed, then determine the minimum amount of time the business requires this document.

In the below example, there is no legal requirement to obtain a police conduct for employees to be hired, but the business wishes to keep this practice as it mitigates other risks. However, a police conduct here in Malta as per law has no validity period and the validity is to be determined by whomever is asking for it. The reasoning is that a crime could be committed the day after the police conduct has been issued and as such the police conduct expires on the same day.

In this case a discussion would be held with HR to determine the value of keeping the police conduct once a person has been hired. For the benefit of this example, I shall be assuming that it would be beneficial for the business to keep this until the employee has passed their probation period, which as a standard is usually 6 months.


Data Retention Policy - Step 7


Step 8: Retention method

The next step would be to determine the retention method. For example, do I need this data to be readily accessible, or can it be placed in a secure archive and deleted once the overall retention period expires? This is mostly done for electronic data. Prime, high-availability storage is expensive, and as such data that is kept for a just-in-case scenario is usually stored on secondary low-cost storage. Low-cost storage is still secure but not as readily accessible, nor as fast or performant.

Hence we shall be introducing 2 new parameters to be considered: Retention Period and Archival Period. It is to be noted that upon the expiry of the archival period, the data should be permanently deleted. This would mean that it can no longer be retrieved.

In our scenario, given the short retention period, it is not worth archiving and can be permanently deleted once the 6 months are up. The physical copy is not considered necessary and can be discarded at the end of the hiring process.


Data Retention Policy - Step 8


Make sure a shredding policy is available for the disposal of such sensitive hard copies.


Step 9: Can the archival and deletion procedures be automated?

It’s all well and good to determine the retention; however, with a large number of systems, departments and documents, it may become cumbersome to maintain. As such, discussions should be had with your IT department and the departments in question to check whether such a process can be automated. If it is possible to automate, a change request to this effect should be initiated.
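One way the Retention Period and Archival Period from step 8 could drive the automation discussed in step 9, as an added example that is not part of the original post. The schedule, record ids, trigger dates and the 12/24-month split of the 3-year period are constructed assumptions.

```python
import calendar
from datetime import date

# Constructed schedule based on the post's examples. Months are counted from a
# trigger event; the 12/24 split of the 3-year period is an assumption.
SCHEDULE = {
    "police_conduct_scan": {"retention": 6, "archival": 0},          # from hire date
    "employee_personnel_record": {"retention": 12, "archival": 24},  # from leaving date
}

def add_months(start, months):
    """Return start shifted by whole months, clamping to the month's last day."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def decide(item, trigger, today):
    """Return RETAIN, ARCHIVE, DELETE or REVIEW for one stored item."""
    rule = SCHEDULE.get(item)
    if rule is None:
        return "REVIEW"   # no rule in the policy: flag it, never delete by default
    if trigger is None:
        return "RETAIN"   # clock not started, e.g. the person is still employed
    retention_end = add_months(trigger, rule["retention"])
    archive_end = add_months(retention_end, rule["archival"])
    if today < retention_end:
        return "RETAIN"
    if today < archive_end:
        return "ARCHIVE"
    return "DELETE"       # archival period expired: permanent deletion

def plan(records, today):
    """Map each record id to the action due today."""
    return {rid: decide(item, trigger, today) for rid, item, trigger in records}

# Constructed sample inventory: (record id, data profile item, trigger date).
RECORDS = [
    ("r1", "police_conduct_scan", date(2024, 1, 15)),
    ("r2", "police_conduct_scan", date(2024, 8, 31)),
    ("r3", "employee_personnel_record", date(2023, 3, 1)),
    ("r4", "employee_personnel_record", None),
    ("r5", "employee_personnel_record", date(2021, 6, 30)),
    ("r6", "exit_interview_notes", date(2022, 1, 1)),
]

if __name__ == "__main__":
    for rid, action in plan(RECORDS, date(2025, 2, 28)).items():
        print(rid, action)
```

Items with no rule are returned as REVIEW rather than deleted, so data that was never profiled in step 3 surfaces for a decision instead of disappearing.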


Step 10: Consider affected processes.

Once the data retention policy has been concluded, you would need to determine if this has affected any other processes and procedures to see if they would need to be updated. In the example we’re using, the hiring process should be updated to reflect the shredding of the physical police conduct, and the probation/performance review process would need to be updated to reflect the deletion of the electronic copy.



That’s it: formalise all the information into a policy, include the other standard elements, communicate and implement. Should you have questions related to specific scenarios that may not have been covered within the example provided, feel free to leave your question in the comments.



13 responses to “10 steps to creating a Data Retention policy”

  1. Glad you found this useful.
    Should you have any topics regarding processes you’d like to see posts on please let me know.

  2. It’s true! I believe this is a very different concept. I fully agree with you.

  3. Very nice post. I just stumbled upon your blog and wished to mention that I have truly enjoyed browsing your weblog posts. In any case I’ll be subscribing on your feed and I am hoping you write once more soon!

  4. This piece of writing is related to web programming is actually pleasant for me as I am web developer. Thanks for sharing keep it up.

  5. I read this article completely regarding the comparison of most up-to-date and earlier technologies,
    it’s awesome article.

  6. Simply want to say your article is as surprising.
    The clearness to your publish is simply spectacular and i could think you are an expert in this subject.
    Fine with your permission allow me to snatch your feed to stay up to date with coming near near post.
    Thank you 1,000,000 and please keep up the rewarding work.

  7. I do not know whether it’s just me or if perhaps everyone else is experiencing problems with your website.
    It appears like some of the text within your posts are running off the screen. Can somebody else please comment and let me know if this is happening to them as well? This could be a problem with my web browser because I’ve had this happen previously.

  8. Undeniably believe that which you stated.
    Your favorite reason appeared to be on the net the simplest thing to be aware
    of. I say to you, I definitely get annoyed while people think about worries that they plainly do not know about.

    You managed to hit the nail upon the top and defined out the whole thing without having
    side-effects , people can take a signal. Will probably be back
    to get more. Thanks

  9. I am truly thankful to the holder of this web site who has shared this fantastic piece of writing at this place.

  10. Hi Eleanor,

    I use wordpress and a ready made theme on top of it. There are many themes to choose from and I’m sure you’ll find one to suit your style.

  11. Hi there,

    Thanks for letting me know. The site works well on Edge, which is the new version of Internet Explorer. Given that IE is being deprecated and slowly being replaced by Edge, new technologies and formatting are expected to malfunction.