A data-retention policy is an organization's policy or protocol regarding the saving of data for regulatory or compliance purposes, or the disposal of it when no longer needed. The policy sets out how data or records need to be formatted and which storage devices or systems to use, as well as how long they need to be kept, which is usually based on a regulatory body's rules.
Data-retention policies are all about what, where and how long data should be stored or archived. When the retention time of a specific set of data has expired, it is either moved to tertiary storage as historical data or deleted entirely to keep storage space clean.
Aside from keeping historical data for use, data-retention policies exist because of regulatory requirements. Regulatory organizations recognize that it is not financially possible to retain all data indefinitely, so organizations are urged to demonstrate that they only delete data that is not subject to any specific regulatory requirements. For example, a bank's employee records would have a different retention period than its account records.
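The following is an added example, not part of the Techopedia definition, showing how the two ideas above fit together in code: each record class gets its own retention period and disposition (archive to historical storage or delete), and a record whose class has no rule is retained and flagged rather than deleted, so the organization can show it only disposes of data it has positively classified. The record classes, retention periods and sample records are constructed placeholders, not the requirements of any regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    retention_days: int
    disposition: str  # "archive" (move to tertiary/historical storage) or "delete"


# Constructed sample policy: per record class, how long to keep and what happens
# afterwards. The periods are illustrative, not any regulator's actual figures.
POLICY = {
    "employee_record": RetentionRule(retention_days=7 * 365, disposition="archive"),
    "account_record": RetentionRule(retention_days=10 * 365, disposition="archive"),
    "web_access_log": RetentionRule(retention_days=90, disposition="delete"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    created: date


def evaluate(record, today, policy=POLICY):
    """Decide what to do with one record as of `today`.

    Returns (action, reason), where action is "retain", "archive" or "delete".
    """
    rule = policy.get(record.record_class)
    if rule is None:
        # No applicable rule: keep the data and flag it for review. Data whose
        # regulatory status is unknown is never deleted automatically.
        return ("retain", "no retention rule for class %r; review required" % record.record_class)
    expires = record.created + timedelta(days=rule.retention_days)
    if today < expires:
        return ("retain", "retention period ends %s" % expires.isoformat())
    return (rule.disposition, "retention period ended %s" % expires.isoformat())


def apply_policy(records, today, policy=POLICY):
    """Evaluate every record and return an audit log of (id, action, reason)."""
    return [(r.record_id, *evaluate(r, today, policy)) for r in records]


# Constructed sample records spanning each outcome.
SAMPLE_RECORDS = [
    Record("E-1", "employee_record", date(2015, 1, 1)),   # past 7 years -> archive
    Record("A-1", "account_record", date(2020, 6, 15)),   # within 10 years -> retain
    Record("L-1", "web_access_log", date(2023, 9, 1)),    # past 90 days -> delete
    Record("L-2", "web_access_log", date(2023, 12, 1)),   # within 90 days -> retain
    Record("X-1", "unknown_export", date(2010, 1, 1)),    # no rule -> retain, review
]

AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    for record_id, action, reason in apply_policy(SAMPLE_RECORDS, AS_OF):
        print("%-5s %-8s %s" % (record_id, action, reason))
```

The audit log returned by `apply_policy` is the artefact a compliance reviewer would ask for: it records, for each record, the decision and the rule that produced it, including the records that were held back for lack of a rule.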
It is common for organizations to draft their own retention policies; however, they must also make sure to adhere to data-retention laws where applicable, especially in heavily regulated industries. For example, companies that are publicly traded in the US must establish a Sarbanes-Oxley Act (SOX) data-retention policy, in the same manner that health care organizations are subject to the data-retention requirements of the Health Insurance Portability and Accountability Act (HIPAA). Similarly, institutions that accept payments via credit card must adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS).