Data Retention and Archiving Policy Template | Data Governance
Data retention and archiving policies define how long data is stored to satisfy operational, legal, fiscal and historical requirements. This policy describes when data becomes inactive and is ready to be moved to a secondary storage location, such as off-site storage. It also describes the processes for compliance and for data disposition, including methods, timelines and techniques. The Data Retention and Archiving Policy is established so that data is not retained longer than mandated, while balancing business expectations against regulatory obligations.

Data Retention and Archiving Principles
Archiving and retention requirements depend on the form of the data record and on its classification under the archiving policy in place.
The organization must secure and store data for the required duration, accounting for all operational, legal, regulatory and fiscal requirements, including those of any other authority having jurisdiction.
The organization classifies data according to the ISO/IEC 27001:2022 framework, as described in the Data Classification Policy. In line with that framework, the retention, archiving and disposal principles below are applied per classification level, taking regulatory requirements into account.
Public Data (Low Sensitivity)
Public data is information that is freely accessible and contains nothing sensitive. Examples include website content, marketing material, published reports and metadata such as file size, type and source.
- Retention: Kept as long as it is useful, typically the first 1-2 years.
- Archiving: Out-of-date reports may later be archived for reference.
- Disposal: Deleted once it is no longer useful, or replaced by an updated version.
Internal Data (Medium Sensitivity)
Internal data, while not highly sensitive, must be kept strictly within the organization; it includes internal policies and procedures, business email, meeting notes and operational data.
- Retention: Most internal data is retained for between 1 and 5 years, depending on the purpose for which it was created.
- Archiving: Internal records, including superseded versions of policies and procedures, may be stored securely for reference until they become obsolete.
- Disposal: Once the retention period ends, the data must be securely deleted or shredded.
Confidential Data (Extreme Sensitivity)
Confidential data is information that would harm an individual or the organization if exposed. It may be accessed only by approved persons and must be protected. It includes private customer and employee data such as addresses and dates of birth, credit card and financial records, payroll documents, tax records, medical data and other human resources information.
- Retention: Kept only as long as legally required, for example 7 years for financial records and 5-7 years for HR data.
- Archiving: Stored in secure systems with strong encryption, with access limited to authorized personnel.
- Disposal: Securely erased or physically destroyed so that it cannot be recovered by any means.
Restricted Data (Critical Sensitivity)
Restricted data is information whose disclosure could have devastating legal, security or financial consequences. It is normally accessed only under strict supervision. Examples include trade secrets and other intellectual property, research and development data, information related to national security, and information-system details such as network configurations.
- Retention: Kept indefinitely, or for as long as it is critical to business operations.
- Archiving: Stored in highly secure encrypted systems protected by multi-factor authentication.
- Disposal: Destroyed through certified data-destruction processes when no longer needed.

The Core Components of Data Retention Policy
Legal and Regulatory Compliance
Organizations must align their retention periods with national legal requirements. Under the GDPR, organizations in the EU must erase personal data once the purpose for which it was collected no longer applies. Under HIPAA, medical professionals must keep patient medical records for six years after treatment is completed. Organizations that breach the GDPR can face substantial fines of up to 4% of total worldwide turnover or up to €20 million.
Key steps include:
1. Identify which laws apply to each category of data, for example SOX for bank information and FERPA for school records.
2. Maintain documentation that demonstrates compliance with the retention policy. The People Management Division of Malta, for example, keeps digital records to simplify compliance checks.
Retention Schedules
Each type of data is kept for a specific period defined in the retention schedule. The London School of Economics, for example, requires destructive deletion of financial data after seven years but allows extensions where business needs require it. Factors that influence schedules include:
- Project data is kept until audit requirements have been met.
- Routine deletion is suspended (a legal hold) while litigation is pending.
Designing an Archiving Strategy
Storage Tiering and Cost Optimization
Archiving reduces storage cost by moving inactive data to lower-cost media such as tape or cloud cold storage. Data is marked as sensitive or public to determine which information must be encrypted first. Access rights on archived data restrict the files to the compliance officers who need them.
Technical Implementation
Legacy systems such as SAP pose particular challenges because of their complex data structures; the SAP ERP platform requires dedicated data-archiving configuration to maintain system performance. Solutions include:
- Storing transactional data and master data separately to speed up retrieval.
- Enabling users to locate archived data from previous decades regardless of its technical format and structure.