Data Retention Policy Template
The Ultimate ISO27001:2022 Data Retention Policy Template
✓ ISO27001:2022 Update
✓ Prewritten and Ready to Go
✓ Retention Schedule
✓ Retention Schedule Examples
✓ GDPR and Data Protection Compliant
✓ Easy to implement
✓ Easy to configure
✓ Step-by-step guide and video walkthrough
To see what you are getting view the Data Retention Policy Template Sample
Data Retention Policy Sample
Data Asset Registration with Data Retention Schedule
Blank Version - included
Populated with Examples Version - included
Data protection is a critical part of any business. It’s the only way to ensure that your customers and employees feel safe and secure when they use your services or products. But it can be difficult to know where to start with data retention policies, especially if you don’t have much experience in this area. That’s why we created our new data retention policy template.
The Data Retention Policy Template is designed to help you comply with your local data protection requirements. It comes with a data asset register pre-populated with the most common data types and records that will save you significant time and provide significant guidance. The policy can be easily adapted to meet any specific needs or requirements of your organisation.
Data Retention Policy Contents
- Document Version Control
- Document Contents
- Data Retention Policy
- Agreement of Retention Periods
- Record of Retention Periods
- Expiry of Retention Period
- Suspension of Record Disposal in the event of litigation or claims
- Data Retention Schedule
- Card Holder Data Retention
- Human Resources
- Health and Safety
- Communication Tools for General Communications
- Information Security and Data Protection
- Customer Data
- Policy Compliance
- Compliance Measurement
- Continual Improvement
The Data Retention Policy Template fully supports Data Protection Laws including GDPR, Data Protection Act 2018 and Information Security standards such as ISO/IEC 27001:2022 and ISO/IEC 27001:2013, PCI DSS and SOC 2.
The Data Retention Policy Template is in Microsoft Word format.
You get the Data Retention Policy Template immediately on successful payment.
Yes. The Data Retention Policy Template supports best practice for Data Protection and the International Standard for Information Security. It is being used successfully right now across the globe.
We estimate that on average about 1 hour.
Yes. We are UKAS ISO27001 certified. Our certificate is on the website. We are also Cyber Essentials certified.
Payments are handled entirely through Stripe. They are very secure. We do not handle, touch or get access to the payment transaction or your data.
Data Retention is keeping records for set periods of time to comply with business needs, industry guidelines, and regulations. There are any number of reasons why a business might need to retain data. Examples of data retention include: to maintain accurate financial records, to abide by local, state and federal laws, to comply with industry regulations, and to ensure that information is easily accessible for eDiscovery and litigation purposes. Without a data retention policy an organisation risks breaking the law, not meeting regulation, increased costs, operational risks and information security risks. Data retention is about keeping data and information that is needed, only for as long as it is needed, and no longer. Most modern laws and regulations require an organisation to implement Data Retention.
The data retention policy is a clear statement of what you do for data retention. It is not a statement of how you do it. How you do it is covered in your data retention processes. It determines the purpose of data, what laws and regulations apply, how long it should be kept and how it should be deleted or archived. It is designed to communicate to people what is expected and it is a governance mechanism that allows enforcement for when rules are broken.
The data retention policy includes and contains:
- A classification of information
- Specifications on how long you keep each element of data
- Data retention periods approved by the legal department or legal counsel
- Expiration of the retention period and how data is destroyed or archived
- Who has authority to dispose of data
- Roles and responsibilities
- What happens if there is a breach of policy
- How you manage exceptions to the policy
- Version control and document marks such as last reviewed date, document owner and document version
A data retention period is the length of time that the organisation keeps information, whether it is storing, processing or transmitting it. In other words: how long do you keep it for? Best practice, driven by law and regulation, is to keep data only for as long as is necessary. How long is necessary is decided by the business, but 'for ever' is not an acceptable answer. It is best defined in collaboration with the legal department or legal counsel.
Data should be kept as long as is necessary. What counts as necessary is defined by the organisation.
The organisation has overall sign off. In practice this means the data owner decides how long the data should be kept, and this is reviewed and agreed with the data protection officer, the information security officer, legal counsel and senior management.
The data owner decides how long data should be kept based on the requirements of the business, the requirements of its purpose, legal and regulatory requirements and best practice.
Yes, backups are included in the data retention policy. You need to consider the retention and destruction of backups in line with data retention requirements.
Data Retention Laws are specific to the location of the organisation. Countries, states, regions all potentially have different data retention laws. You can consider the European Law on the GDPR as a good example. You should always work with your legal counsel to identify which specific data retention laws apply to you.
No. ISO27001 covers a specific scope, which will be a subset of your organisation's data and processes to be used for ISO27001 certification. The wider business also needs to be considered and covered by Data Retention.
The Data Retention Policy provided by your data protection specialist will be the data retention policy that you use, as it will, if it follows best practice, include the data in scope for ISO27001 as well as the wider data retention requirements of the organisation.
1. Data Retention MUST meet the requirements of applicable laws and regulations
2. Determine your actual business needs
3. Don't hold onto data longer than is necessary
4. Get sign off by the data owner, legal counsel and senior management for the set retention periods
5. Ensure you have a data asset register
6. Ensure you have mapped your processes and data flows
7. Consider implementing a record of processing activity
8. Keep it as simple as possible
How to create and implement a Data Retention Policy
Time needed: 4 hours and 30 minutes.
How do you write a data retention policy?
- Use the Data Retention Policy Template
The data retention policy template is already prewritten with best practice and what good looks like: https://hightable.io/product/data-retention-policy-template/
- Identify your data stores
Through techniques such as workshops, interviews, brainstorming and reviewing technical architecture documents, you compile a list of all of your data stores. This includes manual data stores such as filing cabinets, pedestals and archive rooms, as well as technical data stores such as systems, platforms, databases and file managers.
- Map your data flows
Through techniques such as workshops, interviews, brainstorming and reviewing technical architecture documents, map the business processes and the flow of data through those processes.
- Allocate an information owner to each data type
Data should be allocated an information owner. This can be a named person or a role, but allocation to teams should be avoided: you want responsibility and accountability. Allocate and record the data owner.
- Create a data asset register
The data asset register contains basic asset information for data and the use of a record of processing activity (ROPA) should be considered.
- Information Owner decides the retention period
The owner of the information sets the data retention periods. Work through each data type and allocate a retention period.
- Review and Sign Off the Retention Schedule
The retention schedule for each data type requires review and sign off. As a minimum the data owner, legal counsel and senior management should review and sign off the data retention schedule.
- Communicate the Data Retention Policy and the Retention Schedule
Once approved, the data retention policy and data retention schedule should be shared with everyone in the company so that people are aware of what is expected of them. Communication is the first step to enforcement: we must educate people on what is required and what is expected.
- Audit the Data Retention Policy and Practices regularly
You will audit the policy and processes at regular intervals. How often is based on business need and business risk, but it will be done at least once annually. The audit seeks to verify that the processes are working and still valid. If the audit finds that they are not, you should follow your internal continual improvement process.