Data Retention Policy Template

The Ultimate ISO27001:2022 Data Retention Policy Template

✓ ISO27001:2022 Update

✓ Prewritten and Ready to Go

✓ Retention Schedule

✓ Retention Schedule Examples

✓ GDPR and Data Protection Compliant

✓ Easy to implement

✓ Easy to configure

✓ Step-by-step guide and video walkthrough

To see what you are getting, view the Data Retention Policy Template Sample.

Original price: £14.97. Current price: £9.97.


Data protection is a critical part of any business. It’s the only way to ensure that your customers and employees feel safe and secure when they use your services or products. But it can be difficult to know where to start with data retention policies, especially if you don’t have much experience in this area. That’s why we created our new data retention policy template.

The Data Retention Policy Template is designed to help you comply with your local data protection requirements. It comes with a data asset register pre-populated with the most common data types and records that will save you significant time and provide significant guidance. The policy can be easily adapted to meet any specific needs or requirements of your organisation.

Data Retention Policy Template Contents

  • Document Version Control
  • Document Contents
  • Purpose
  • Scope
  • Data Retention Policy
  • Principle
  • Agreement of Retention Periods
  • Record of Retention Periods
  • Expiry of Retention Period
  • Suspension of Record Disposal in the event of litigation or claims
  • Data Retention Schedule
  • Card Holder Data Retention
  • Human Resources
  • Finance
  • Health and Safety
  • Communication Tools for General Communications
  • Information Security and Data Protection
  • Customer Data
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement

Data Retention Policy Template Sample

Sample pages from the ISO27001 Data Retention Policy (examples 1, 2, 3, 5, 6 and 7; the page images are not reproduced here).

Data Asset Register with Data Retention Schedule

Blank version - included

Populated with examples version - included (Data Asset Register / ROPA template example pages; images not reproduced here)

How to create and implement a Data Retention Policy

Time needed: 4 hours and 30 minutes.

How do you write a data retention policy?

  1. Use the Data Retention Policy Template

    The data retention policy template is already prewritten with best practice and what good looks like.

  2. Identify your data stores

    Using techniques such as workshops, interviews, brainstorming and reviewing technical architecture documents, compile a list of all of your data stores. This includes manual data stores such as filing cabinets, pedestals and archive rooms, as well as technical data stores such as systems, platforms, databases and file managers.

  3. Map your data flows

    Using techniques such as workshops, interviews, brainstorming and reviewing technical architecture documents, map the business processes and the flow of data through those processes.

  4. Allocate an information owner to each data type

    Each data type should be allocated an information owner. This can be a named person or a role, but allocation to teams should be avoided: you want responsibility and accountability. Allocate and record the data owner.

  5. Create a data asset register

    The data asset register contains basic asset information for each type of data; the use of a record of processing activity (ROPA) should also be considered.

  6. Information Owner decides the retention period

    The owner of the information sets the data retention periods. Work through each data type and allocate a retention period.

  7. Review and Sign Off the Retention Schedule

    The retention schedule for each data type requires review and sign off. As a minimum, the data owner, legal counsel and senior management should review and sign off the data retention schedule.

  8. Communicate the Data Retention Policy and the Retention Schedule

    Once approved, the data retention policy and data retention schedule should be shared with everyone in the company so that people are aware of what is expected of them. Communication is the first step to enforcement: we must educate people on what is required and what is expected.

  9. Audit the Data Retention Policy and Practices regularly

    Audit the policy and processes at regular intervals. How often is based on business need and business risk, but it should be done at least once annually. The audit seeks to verify that the processes are working and still valid. If the audit finds that they are not, follow your internal continual improvement process.
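The steps above produce a retention schedule (an approved period and disposal action per data type, owned by a named role) that must then be applied to real records, with disposal suspended while a litigation hold is in place. As an added example, not part of this page or of the High Table template, the following Python script evaluates a constructed data asset register against such a schedule: it computes each record's expiry date from its approved retention period, marks expired records for the schedule's disposal action, suspends disposal for records under a litigation hold, and holds (rather than deletes) any record whose data type has no approved retention period, flagging it for escalation to its owner. All data types, owners, periods, record identifiers and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class RetentionRule:
    """One row of the approved retention schedule (constructed example)."""
    owner: str              # information owner: a named person or role, never a team
    retention_years: int    # period agreed by owner, legal counsel and senior management
    disposal_action: str    # what happens at expiry: "delete" or "archive"


@dataclass(frozen=True)
class Record:
    """One entry in the data asset register (constructed example)."""
    record_id: str
    data_type: str
    created: date


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str             # "retain", "delete", "archive" or "suspended"
    due: Optional[date]     # expiry of the retention period, None if no period is approved
    reason: str


# Constructed sample schedule: data type -> approved rule.
SCHEDULE: Dict[str, RetentionRule] = {
    "hr_personnel_file": RetentionRule("HR Manager", 6, "delete"),
    "finance_invoice": RetentionRule("Finance Director", 7, "archive"),
}


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; a 29 February start falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(records: List[Record], schedule: Dict[str, RetentionRule],
             today: date, legal_holds: Set[str]) -> Dict[str, Decision]:
    """Decide, for every record, whether to retain it, dispose of it, or suspend disposal."""
    decisions: Dict[str, Decision] = {}
    for rec in records:
        rule = schedule.get(rec.data_type)
        if rule is None:
            # Unknown data type: never dispose of it silently; escalate to the owner instead.
            decisions[rec.record_id] = Decision(
                rec.record_id, "retain", None,
                "no approved retention period: escalate to information owner")
            continue
        due = add_years(rec.created, rule.retention_years)
        if today < due:
            action = "retain"
            reason = f"within {rule.retention_years}-year period approved by {rule.owner}"
        elif rec.record_id in legal_holds:
            # Expired, but disposal is suspended while litigation or a claim is open.
            action = "suspended"
            reason = f"expired on {due.isoformat()} but under litigation hold"
        else:
            action = rule.disposal_action
            reason = f"retention period expired on {due.isoformat()}"
        decisions[rec.record_id] = Decision(rec.record_id, action, due, reason)
    return decisions


# Constructed sample register, litigation holds and evaluation date.
SAMPLE_RECORDS = [
    Record("HR-001", "hr_personnel_file", date(2016, 1, 15)),
    Record("FIN-001", "finance_invoice", date(2020, 3, 1)),
    Record("FIN-002", "finance_invoice", date(2015, 1, 1)),
    Record("MKT-001", "marketing_lead_list", date(2019, 6, 1)),  # no approved period
]
SAMPLE_HOLDS = {"FIN-002"}
SAMPLE_TODAY = date(2024, 6, 1)


def run_sample() -> Dict[str, Decision]:
    return evaluate(SAMPLE_RECORDS, SCHEDULE, SAMPLE_TODAY, SAMPLE_HOLDS)


if __name__ == "__main__":
    for d in run_sample().values():
        print(f"{d.record_id}: {d.action:9} due={d.due} ({d.reason})")
```

Running the script on the constructed register reports HR-001 as due for deletion, FIN-001 as retained, FIN-002 as suspended under hold despite having expired, and MKT-001 as retained pending escalation because its data type has no signed-off period. The same evaluation is what a periodic audit (step 9) would run over the live register to confirm the schedule is actually being applied.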


What version of the standards does this Data Retention Policy Template support?

The Data Retention Policy Template fully supports Data Protection Laws including GDPR, Data Protection Act 2018 and Information Security standards such as ISO/IEC 27001:2022 and ISO/IEC 27001:2013, PCI DSS and SOC 2.

What format is the Data Retention Policy Template in?

The Data Retention Policy Template is in Microsoft Word format.

How quickly will I get the Data Retention Policy Template? What is the turnaround?

You get the Data Retention Policy Template immediately on successful payment.

Will the Data Retention Policy Template work in America / Australia / Europe / UK .... other?

Yes. The Data Retention Policy Template supports best practice for Data Protection and the International Standard for Information Security. It is being used successfully right now across the globe.

How long will it take me to implement the Data Retention Policy Template?

We estimate that on average about 1 hour.

Is High Table ISO27001 certified?

Yes. We are UKAS ISO27001 certified. Our certificate is on the website. We are also Cyber Essentials certified.

How secure are the payments? Do you handle my card details?

Payments are handled entirely through Stripe. They are very secure. We do not handle, touch or get access to the payment transaction or your data.

What is the Data Retention?

Data Retention is keeping records for set periods of time to comply with business needs, industry guidelines, and regulations. There are any number of reasons why a business might need to retain data. Examples of data retention include: to maintain accurate financial records, to abide by local, state and federal laws, to comply with industry regulations, and to ensure that information is easily accessible for eDiscovery and litigation purposes. Without a data retention policy an organisation risks breaking the law, not meeting regulation, increased costs, operational risks and information security risks. Data retention is about keeping data and information that is needed, only for as long as it is needed, and no longer. Most modern laws and regulations require an organisation to implement Data Retention.

What is a Data Retention Policy?

The data retention policy is a clear statement of what you do for data retention. It is not a statement of how you do it. How you do it is covered in your data retention processes. It determines the purpose of data, what laws and regulations apply, how long it should be kept and how it should be deleted or archived. It is designed to communicate to people what is expected and it is a governance mechanism that allows enforcement for when rules are broken.

What does a Data Retention Policy include / contain?

The data retention policy includes and contains:

  • A classification of information
  • Specifications on how long you keep each element of data
  • Data retention periods approved by the legal department or legal counsel
  • Expiry of the retention period and how data is destroyed or archived
  • Who has authority to dispose of data
  • Roles and responsibilities
  • What happens if there is a breach of policy
  • How you manage exceptions to the policy
  • Version control and document marks such as last reviewed date, document owner and document version

What is a data retention period?

A data retention period is the length of time that the organisation keeps information, whether it is storing, processing or transmitting it: how long do you keep it for? Best practice, driven by law and regulation, is to keep data only for as long as is necessary. How long is necessary is decided by the business, but 'for ever' is not an acceptable answer. It is best defined in collaboration with the legal department or legal counsel.

How long should data be kept?

Data should be kept as long as is necessary. What counts as necessary is defined by the organisation.

Who decides how long data should be kept?

The organisation has overall sign off. In practice this means the data owner decides how long the data should be kept, and this is reviewed and agreed with the data protection officer, the information security officer, legal counsel and senior management.

How do you decide how long data should be kept?

The data owner decides how long data should be kept based on the requirements of the business, the requirements of its purpose, legal and regulatory requirements and best practice.

Are backups included in the data retention policy?

Yes, backups are included in the data retention policy. You need to consider the retention and destruction of backups in line with data retention requirements.

What is the Data Retention Law?

Data Retention Laws are specific to the location of the organisation. Countries, states, regions all potentially have different data retention laws. You can consider the European Law on the GDPR as a good example. You should always work with your legal counsel to identify which specific data retention laws apply to you.

Is ISO27001 Data Retention the same as GDPR data retention?

No. ISO27001 covers a specific scope, which will be a subset of your organisation's data and processes used for ISO27001 certification. The wider business also needs to be considered and covered by Data Retention.

If I have a GDPR data retention policy do I need an ISO27001 data retention policy?

The Data Retention Policy provided by your data protection specialist will be the data retention policy that you use, as it will, if it follows best practice, include the data in scope for ISO27001 as well as the wider data retention requirements of the organisation.

What is best practice for Data Retention?

1. Data Retention MUST meet the requirements of applicable laws and regulations
2. Determine your actual business needs
3. Don't hold onto data longer than is necessary
4. Get sign off by the data owner, legal counsel and senior management for the set retention periods
5. Ensure you have a data asset register
6. Ensure you have mapped your processes and data flows
7. Consider implementing a record of processing activity
8. Keep it as simple as possible


At High Table, we do the hard work so you don’t have to.