A Data Retention Policy is a set of rules that tells you how long to keep different types of information. It’s like having a tidy-up schedule for your digital files. The main idea is that you shouldn’t keep data forever. You should keep it as long as you need it for business reasons, legal reasons, or to follow specific rules, and then you should get rid of it securely.
Table of contents
- What is it?
- Applicability to Small Business, Tech Startups, and AI Companies
- ISO 27001 Data Retention Policy Template
- Why Do You Need It?
- When Do You Need It?
- Who Needs It?
- Where Do You Need It?
- How to Write It
- How to Implement It
- Examples of Using It
- How the ISO 27001 Toolkit Can Help
- Information Security Standards That Need It
- List of Relevant ISO 27001:2022 Controls
- ISO 27001 Data Retention Policy Example
- ISO 27001 Data Retention Policy FAQ
What is it?
An ISO 27001 data retention policy is a set of guidelines that tells you how long to keep your company’s information. It is part of the larger ISO 27001:2022 standard, which is all about information security. The policy helps you keep data private and safe from harm.
Applicability to Small Business, Tech Startups, and AI Companies
This policy is super important for different types of businesses, but for slightly different reasons.
- Small Businesses: You might think you don’t need it, but you do! Even a small customer list needs to be managed properly. A policy helps you protect your customers’ trust and avoid fines.
- Tech Startups: You’re probably moving fast and handling a lot of user data. A policy helps you manage this growth without letting data pile up and become a security risk.
- AI Companies: You deal with massive amounts of data to train your models. A data retention policy is crucial for managing this data, ensuring you’re not keeping training data longer than you should and that you’re complying with privacy laws.
ISO 27001 Data Retention Policy Template
The ISO 27001:2022 Data Retention Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
You can find templates for an ISO 27001 data retention policy online. These templates give you a head start. You can then change them to fit your specific business needs. Using a template can save you time and help you make sure you don’t miss anything important.
Why Do You Need It?
You need a data retention policy for several important reasons. Firstly, it helps you reduce your risk. The more data you have, the bigger the target you are for cyberattacks. It’s like having fewer valuables in your house, so there’s less for a burglar to steal. Secondly, it helps you save money. Storing data costs money, and having less of it means lower costs. Lastly, it helps you stay compliant with laws like GDPR. Having a policy shows that you’re serious about protecting personal data and following the rules.
When Do You Need It?
You need a data retention policy as soon as you start handling any kind of data, especially if it’s personal information about people. If you’re a new business, you might think you can put this off, but it’s much easier to set up a policy from the beginning than to clean up a mess later. It’s a key part of getting your ISO 27001 certification.
Who Needs It?
Everyone who handles data needs this policy! This includes all types of organisations, from a small bakery to a huge tech company. However, it’s particularly important for businesses that handle a lot of sensitive information, such as financial details, health records, or personal data.
Where Do You Need It?
This policy applies to all the places where you store information. This means your computers, servers, cloud storage (like Google Drive or Dropbox), and even physical documents in a filing cabinet. The policy should cover all your data, no matter where it lives.
How to Write It
Start by looking at what kind of data you have and how you store it. Then write down how long you need to keep it. Decide how you’ll securely delete or destroy data when the time is up. This could be by shredding paper or securely wiping a hard drive.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Data Retention Policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version, as well as document mark-up such as document classification.
- Write the ISO 27001 Data Retention Policy contents page
1 Document Version Control
2 Document Contents Page
3 Data Retention Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Agreement of Retention Periods
3.5 Record of Retention Periods
3.6 Expiry of Retention Period
3.7 Suspension of Record Disposal in the event of litigation or claims
4 Policy Compliance
4.1 Compliance Measurement
4.2 Exceptions
4.3 Non-Compliance
4.4 Continual Improvement
- Write the ISO 27001 Data Retention Policy purpose
The purpose of this policy is to ensure that necessary records, documents, and information of the company containing personal data are retained for no longer than necessary for the purposes for which personal data are processed.
- Write the ISO 27001 Data Retention Policy principle
The GDPR principle of Data Storage Limitation for personal data.
- Write the ISO 27001 Data Retention Policy scope
All employees and third-party users.
Personal Data as defined by GDPR.
- Define the approach to agreeing retention periods
The relevant owners of the documentation as detailed in the asset register are responsible for agreeing the data retention periods in line with legal, regulatory, and business requirements.
Data retention periods are approved by legal counsel.
- Explain the record of retention periods
Retention periods are recorded in the Data Asset Register. Additional detail is contained where applicable and appropriate in the Record of Processing Activities and the Asset Register.
- Set out what happens at the expiry of retention periods
When the retention target is reached, the information will be reviewed by the relevant owners of the documentation, as detailed in the asset register, to confirm whether the information is to be further retained or destroyed. It will be destroyed in line with the Information Classification and Handling Policy if there is no further business, statutory or historical reason to keep it. Otherwise it is retained and selected for re-review at a later date, either because the business need is ongoing or because of potential historical value.
- Explain the suspension of record disposal in the event of litigation or claims
In the event any employee of the company reasonably anticipates or becomes aware of a governmental investigation or audit concerning the company or the commencement of any litigation against or concerning the company, such employee shall inform Directors and Board of Directors and any further disposal of documents shall be suspended until such time as the Board of Directors, with the advice of the Executive Director and the company legal counsel, determines otherwise. The Directors shall take such steps as are necessary to promptly inform affected staff of any suspension in the disposal or destruction of documents.
How to Implement It
Putting the policy into action is key.
- Tell everyone about it: Make sure all your employees know the rules.
- Train your team: Teach them how to follow the policy.
- Automate when you can: Use tools that automatically delete old data to make it easier.
- Check in regularly: Review your policy every year to make sure it’s still working and up to date.
Examples of Using It
- For a small business: A local flower shop collects customer names and phone numbers for delivery. The policy says to delete this information 30 days after the delivery is complete, unless the customer signs up for a newsletter.
- For a tech startup: A new social media app collects user profiles and messages. The policy states that user profiles are kept as long as the account is active, but messages are deleted after one year.
- For an AI company: An AI company uses photos to train a facial recognition model. The policy requires that all photos are deleted from the training servers three months after the model is trained and deployed.
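The "Automate when you can" step above, the expiry and litigation-hold rules from the policy text, and the three scenarios just listed can be turned into a small retention sweep. The following is an added example written for this page; it is not code from the ISO 27001 toolkit or from any product. The data class names (`delivery_contact`, `chat_message`, `training_photo`), the owners, the record ids and the dates are all constructed to mirror the page's scenarios, and the retention periods (30 days, one year, three months as 90 days) are the ones the page gives.

```python
"""Retention-rule evaluation with legal hold and a disposal record (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """One row of the Data Asset Register: how long a data class is kept and who owns it."""
    data_class: str       # hypothetical class name, e.g. "delivery_contact"
    retention_days: int   # period counted from the trigger event
    trigger: str          # event that starts the clock
    owner: str            # documentation owner who confirms retain/destroy


@dataclass
class Record:
    record_id: str
    data_class: str
    trigger_date: date       # when the trigger event happened
    retain_reason: str = ""  # non-empty when the owner has a reason to keep it past expiry


# Constructed rules based on the page's three scenarios (assumed class names and owners).
RULES = {
    "delivery_contact": RetentionRule("delivery_contact", 30, "delivery_completed", "shop manager"),
    "chat_message": RetentionRule("chat_message", 365, "message_sent", "product owner"),
    "training_photo": RetentionRule("training_photo", 90, "model_deployed", "ml lead"),
}

# Constructed sample data; the newsletter opt-in is the page's exception case.
SAMPLE_RECORDS = [
    Record("order-1001", "delivery_contact", date(2024, 3, 1)),
    Record("order-1002", "delivery_contact", date(2024, 3, 1), "newsletter opt-in"),
    Record("msg-42", "chat_message", date(2023, 6, 1)),
    Record("img-7", "training_photo", date(2024, 1, 10)),
]
TODAY = date(2024, 4, 15)


def expiry_date(record: Record, rules=RULES) -> date:
    """Retention target: trigger date plus the class's retention period."""
    return record.trigger_date + timedelta(days=rules[record.data_class].retention_days)


def evaluate(record: Record, today: date, legal_hold: bool, rules=RULES) -> str:
    """Decide the policy action for one record.

    retain  - retention target not yet reached
    hold    - target reached, but disposal is suspended (litigation/investigation)
    review  - target reached, owner recorded a reason to keep it; re-review later
    destroy - target reached, no reason to keep; destroy per the handling policy
    """
    if today < expiry_date(record, rules):
        return "retain"
    if legal_hold:          # suspension of disposal overrides everything below
        return "hold"
    if record.retain_reason:
        return "review"
    return "destroy"


def run_sweep(records, today: date, legal_hold: bool, rules=RULES) -> dict:
    """Map every record to its action; this is what a scheduled job would run."""
    return {r.record_id: evaluate(r, today, legal_hold, rules) for r in records}


@dataclass
class DisposalLog:
    """The record of securely deleted data that the policy expects you to keep."""
    entries: list = field(default_factory=list)

    def dispose(self, record: Record, today: date, method: str,
                legal_hold: bool = False, rules=RULES) -> dict:
        """Log a destruction; refuse unless the policy action is 'destroy'."""
        action = evaluate(record, today, legal_hold, rules)
        if action != "destroy":
            raise ValueError(f"{record.record_id}: action is {action!r}, not 'destroy'")
        entry = {
            "record_id": record.record_id,
            "data_class": record.data_class,
            "expired_on": expiry_date(record, rules).isoformat(),
            "destroyed_on": today.isoformat(),
            "method": method,
            "confirmed_by": rules[record.data_class].owner,
        }
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    for rid, action in run_sweep(SAMPLE_RECORDS, TODAY, legal_hold=False).items():
        print(f"{rid}: {action}")
    # Same sweep during a legal hold: nothing that has expired may be destroyed.
    print(run_sweep(SAMPLE_RECORDS, TODAY, legal_hold=True))
```

The ordering inside `evaluate` is the point: a legal hold is checked before any business reason, so a litigation notice freezes disposal of everything that has reached its target, and `DisposalLog.dispose` refuses to log a destruction for a record whose action is anything other than `destroy`. The log entries carry the expiry date, the destruction date, the method and the confirming owner, which is the evidence an auditor asks for when checking the policy is actually followed.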
How the ISO 27001 Toolkit Can Help
An ISO 27001 toolkit is a collection of pre-written documents and guides that make it much easier to get certified. It will almost certainly include a professionally written data retention policy template that you can just fill in with your specific details. It saves you a ton of time and ensures you don’t miss anything important.
Information Security Standards That Need It
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
List of Relevant ISO 27001:2022 Controls
The ISO/IEC 27001:2022 standard has many controls, which are like specific rules. Here are a few that are important for data protection:
- ISO 27001:2022 Annex A 5.34 Privacy and protection of PII
- ISO 27001:2022 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements
- ISO 27001:2022 Annex A 8.10 Information Deletion
- ISO 27001:2022 Annex A 8.11 Data Masking
- ISO 27001:2022 Annex A 8.12 Data Leakage Prevention
ISO 27001 Data Retention Policy Example
An example ISO 27001:2022 Data Retention Policy:
ISO 27001 Data Retention Policy FAQ
Data retention is about how long you keep active data. Data backup is about saving copies in case something goes wrong.
No, you shouldn’t. Keeping data longer than you need it is a security risk and can violate privacy laws.
You could face fines, lose customer trust, and be more vulnerable to cyberattacks.
You should review it at least once a year.
No, it also applies to physical paper documents.
Yes, it requires you to have a clear reason and timeframe for keeping personal data.
Your policy should have a process for this, as it’s a right under many privacy laws.
It’s a good idea to have a lawyer look it over, but you can write a good draft yourself.
The first step is to make a list of all the data you have.
You’ll need to research the laws that apply to your business and location.
It’s a record you keep of all the data you have securely deleted.
If you have a policy and can show you were in the process of deleting it, it can help you in a legal situation.
It means using special methods to make sure the data can’t be recovered, like using a data wiping tool.
Yes, it’s a key requirement.
The biggest mistake is not having a policy at all, or having one and not following it.