A retention policy is a guide to personnel on how to manage the lifecycle of information from collecting to destroying data. Therefore, the policy should cover all data retained in an organization’s custody or control.
Organizations are bound by various obligations with regard to the data they retain or that is in their custody or control. This includes (i) how long they may retain the data and (ii) when and how they can destroy the data. These obligations may arise from local laws, contracts or promises that the organization has made to employees, customers, service providers or partners. To comply with these obligations, a retention policy should be implemented.
For some data and in certain situations, it is required that exceptions are made to the retention periods set out in the retention policy. For these situations, there should be a process in place to review and submit exception requests and hold the data.
Implementation of a retention policy
A necessary element of the retention policy document is the assignment of responsible persons for implementing the policy. Furthermore, it is important to make sure that employees understand the policy and follow it. Ordinarily, line managers are responsible for the policy's implementation together with management. Additionally, the organization's Data Protection Officer is responsible for auditing the organization's compliance with the policy.
It is important that the retention policy clearly states what consequences employees may face as a result of not following the policy. Most often, a clear violation that causes harm to the organization or to the data it holds leads to disciplinary action against the person responsible.
In essence, a retention policy document contains the following topics: