Data Retention Policy Template

  • ISO 27001:2022 Edition

The Data Retention Policy and Data Retention Schedule save you time by providing a best practice data retention policy, with a data retention schedule, that meets the requirements of ISO 27001, GDPR and international data protection law.

Save over 8 hours of work with the pre-written, pre-populated Data Retention Policy. Get up and running with instant access to the digital download and follow the simple step-by-step implementation guide and video to deploy in less than 15 minutes.


    Data Retention Policy Template Ready to Go

    Our Data Retention Policy Template is designed to help you comply with your local data protection requirements. It comes with a data asset register pre-populated with the most common data types and records, which will save you significant time and provide substantial guidance. The policy can be easily adapted to meet any specific needs or requirements of your organization. It’s easy, fast, and efficient!

    Data protection is a critical part of any business. It’s the only way to ensure that your customers and employees feel safe and secure when they use your services or products. But it can be difficult to know where to start with data retention policies, especially if you don’t have much experience in this area. That’s why we created our new data retention policy template!

    Easy to adapt to local data protection requirements. An absolute must-have for an ISO 27001 implementation or GDPR / Data Protection implementation. It is a comprehensive, easy-to-configure Microsoft Word and Microsoft Excel template.


    Data Retention Policy Example

    (Screenshots of the ISO27001 Data Retention Policy template.)

    Data Asset Register with Data Retention Schedule

    (Screenshots of the ISO27001 Data Asset Register template.)

    Data Retention Policy Template Contents

    A simple and straightforward data retention policy that also comes with a data asset register. The data asset register has a tab for retention records, with best practice data and record types pre-populated. It comes with a handy and easy-to-follow guide on how to implement and deploy policies, and it includes:

    • Document Version Control
    • Document Contents
    • Purpose
    • Scope
    • Data Retention Policy
    • Principle
    • Agreement of Retention Periods
    • Record of Retention Periods
    • Expiry of Retention Period
    • Suspension of Record Disposal in the event of litigation or claims
    • Data Retention Schedule
    • Card Holder Data Retention
    • Human Resources
    • Finance
    • Health and Safety
    • Communication Tools for General Communications
    • Information Security and Data Protection
    • Customer Data
    • Policy Compliance
    • Compliance Measurement
    • Exceptions
    • Non-Compliance
    • Continual Improvement

    The policy has the appropriate ISO 27001 required document markup for classification, version control, document owner and last reviewed date.

    How to create and implement a Data Retention Policy

    Time needed: 4 hours and 30 minutes.

    How do you write a data retention policy?

    1. Use the Data Retention Policy Template

      The data retention policy template is already pre-written with best practice and what good looks like.

    2. Identify your data stores

      Through techniques such as workshops, interviews, brainstorming and reviewing technical architecture documents, compile a list of all of your data stores. This includes manual data stores such as filing cabinets, pedestals and archive rooms, as well as technical data stores such as systems, platforms, databases and file managers.

    3. Map your data flows

      Through techniques such as workshops, interviews, brainstorming and reviewing technical architecture documents, map the business processes and the flow of data through those processes.

    4. Allocate an information owner to each data type

      Each data type should be allocated an information owner. This can be a named person or a role, but allocation to teams should be avoided: you want responsibility and accountability. Allocate and record the data owner.

    5. Create a data asset register

      The data asset register contains basic asset information for each data type; the use of a record of processing activities (ROPA) should also be considered.

    6. Information Owner decides the retention period

      The owner of the information sets the data retention periods. Work through each data type and allocate a retention period.

    7. Review and Sign Off the Retention Schedule

      The retention schedule for each data type requires review and sign off. As a minimum, the data owner, legal counsel and senior management should review and sign off the data retention schedule.

    8. Communicate the Data Retention Policy and the Retention Schedule

      Once approved, the data retention policy and data retention schedule should be shared with everyone in the company so that people are aware of what is expected of them. Communication is the first step to enforcement: we must educate people on what is required and what is expected.

    9. Audit the Data Retention Policy and Practices regularly

      You will audit the policy and processes at regular intervals. How often is based on business need and business risk, but it will be done at least once annually. The audit seeks to verify that the processes are working and still valid. If the audit finds that they are not, you should follow your internal continual improvement process.

    Data Retention Policy FAQ

    What version of the standards does this Data Retention Policy Template support?

    The Data Retention Policy Template fully supports data protection laws including GDPR and the Data Protection Act 2018, and information security standards such as ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27002:2022, PCI DSS and SOC 2.

    What format is the Data Retention Policy Template in?

    The Data Retention Policy Template is in Microsoft Word format.

    How quickly will I get the Data Retention Policy Template? What is the turnaround?

    You get the Data Retention Policy Template immediately on successful payment.

    Will the Data Retention Policy Template work in America / Australia / Europe / UK … or elsewhere?

    Yes. The Data Retention Policy Template supports best practice for Data Protection and the International Standard for Information Security. It is being used successfully right now across the globe.

    How long will it take me to implement the Data Retention Policy Template?

    We estimate that on average about 1 hour.

    Is High Table ISO 27001 certified?

    Yes. We are UKAS ISO 27001 certified. Our certificate is on the website. We are also Cyber Essentials certified.

    How secure are the payments? Do you handle my card details?

    Payments are handled entirely through Stripe. They are very secure. We do not handle, touch or get access to the payment transaction or your data.

    What is Data Retention?

    Data Retention is keeping records for set periods of time to comply with business needs, industry guidelines, and regulations. There are any number of reasons why a business might need to retain data. Examples of data retention include: to maintain accurate financial records, to abide by local, state and federal laws, to comply with industry regulations, and to ensure that information is easily accessible for eDiscovery and litigation purposes. Without a data retention policy an organisation risks breaking the law, failing to meet regulations, increased costs, operational risks and information security risks. Data retention is about keeping data and information that is needed, only for as long as it is needed, and no longer. Most modern laws and regulations require an organisation to implement data retention.

    What is a Data Retention Policy?

    The data retention policy is a clear statement of what you do for data retention. It is not a statement of how you do it. How you do it is covered in your data retention processes. It determines the purpose of data, what laws and regulations apply, how long it should be kept and how it should be deleted or archived. It is designed to communicate to people what is expected and it is a governance mechanism that allows enforcement for when rules are broken.

    What does a Data Retention Policy include / contain?

    The data retention policy includes and contains:

    • A classification of information
    • Specifications on how long you keep each element of data
    • Data retention periods approved by the legal department or legal counsel
    • Expiry of the retention period and how data is destroyed or archived
    • Who has authority to dispose of data
    • Roles and responsibilities
    • What happens if there is a breach of policy
    • How you manage exceptions to the policy
    • Version control and document markup such as last reviewed date, document owner and document version

    What is a data retention period?

    A data retention period is the length of time that the organisation keeps information, whether it is storing, processing or transmitting it: in other words, how long you keep it for. Best practice, driven by law and regulation, is to keep data only for as long as is necessary. The definition of how long is necessary is decided by the business, but ‘forever’ is not an acceptable answer. It is best defined in collaboration with the legal department or legal counsel.

    How long should data be kept?

    Data should be kept as long as is necessary. The definition of as long as is necessary is set by the organisation.

    Who decides how long data should be kept?

    The organisation has overall sign off, which means in practice that the data owner decides how long the data should be kept, and this is reviewed and agreed with the data protection officer, the information security officer, legal counsel and senior management.

    How do you decide how long data should be kept?

    The data owner decides how long data should be kept based on the requirements of the business, the requirements of its purpose, legal and regulatory requirements and best practice.

    Are backups included in the data retention policy?

    Yes, backups are included in the data retention policy. You need to consider the retention and destruction of backups in line with data retention requirements.

    What is the Data Retention Law?

    Data Retention Laws are specific to the location of the organisation. Countries, states, regions all potentially have different data retention laws. You can consider the European Law on the GDPR as a good example. You should always work with your legal counsel to identify which specific data retention laws apply to you.

    Is ISO 27001 Data Retention the same as GDPR data retention?

    No. ISO 27001 covers a specific scope, which will be a subset of your organisation’s data and processes used for ISO 27001 certification. The wider business also needs to be considered and covered by data retention.

    If I have a GDPR data retention policy do I need an ISO 27001 data retention policy?

    The data retention policy provided by your data protection specialist will be the data retention policy that you use, as it will, if it follows best practice, include the data in scope for ISO 27001 as well as the wider data retention requirements of the organisation.

    What is best practice for Data Retention?

    1. Data Retention MUST meet the requirements of applicable laws and regulations
    2. Determine your actual business needs
    3. Don’t hold onto data longer than is necessary
    4. Get sign off by the data owner, legal counsel and senior management for the set retention periods
    5. Ensure you have a data asset register
    6. Ensure you have mapped your processes and data flows
    7. Consider implementing a record of processing activity
    8. Keep it as simple as possible

    DP 02 Data Retention Policy Sample Redacted