Data Retention Policy – How To Catch And Release Data

“In catch and release fishing, anglers immediately release native fish – unharmed – back to the waters from which they are caught,” says the National Parks Service. The Parks Service also recommends that anglers “learn the regulations.” Catch and release fishing successfully takes practice, technique, and knowledge. So does successful data governance.


The volume and velocity of data “caught” (collected) by organizations and industries are growing.  At the same time, the threat waters are choppy and data privacy laws have coalesced into a wave of regulations. Privacy laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have introduced the need for organizations to dive deeper to develop more inclusive approaches data governance.  Within data governance programs, organizations define the set of policies and procedures to address data collection, use, retention, disclosure, and disposal of personal information.


In these wild waters, data governance programs need to define, track and inventory data in their own environment – and the data that may be accessed, processed, or stored by a third or fourth party. An organization needs to enforce data retention policies for data held by third parties, including how data is “released,” or handled after contract termination or exit. An important component of a TPRM program is to create, update and maintain accurate vendor and data inventories; Shared Assessments has new and free tools for addressing specific data protection obligations in third party risk.


The Risk of Not Having A Data Retention Policy

It is the tendency and default of companies to keep as much data as possible going back as far as possible.  When data is collected with no clear business purpose, then data not only becomes stale and unused. This lingering data becomes a liability to companies.

If there is a data breach involving data protected by laws, or an e-discovery, stale data or data no longer used by an organization are in scope. This can quickly increase fines and operational costs.  A good policy clearly articulates the type of data that needs to be retained for business or legal purposes, as well as means to appropriately remove data no longer required.

Understanding how vendors use, disclose, and retain personal data from your organization is an important facet of data governance. Gathering an overview of this information can be achieved through the Target Data Tracker, a component of the Data Governance Tools.


Planning A Data Retention Policy

Two good ways to start planning a policy is to understand the type of data that needs to be retained and for how long the data needs to be retained. Length of retention can be defined by the need for the business to provide goods or services and applicable laws and regulations that require data retention for a specified period.

Data types to include in a policy should be based on business needs and obligations,  and account for laws and regulations. Enumerate all types of data that need retention.

It is important to specify application laws and regulations by data type so that retention expiration can guide what is appropriate for deletion.

The more thorough the policy is regarding the type of data necessary for retention, the easier it will be to quickly determine and isolate data being collected that does not require retention.


Who Should Make The Data Retention Policy

Crafting a data retention policy is a team effort. Your business, legal and compliance stakeholders should be involved in the process.  These policies are NOT an IT effort.

The biggest mistake organizations make when building a data retention policy is having a policy that lacks clarity and a team lacking in training and awareness.

Finally, after creating the policy, auditing to enforce the guidelines is a must.


More Tips On Catching and Releasing Data Properly

The free Data Governance Tools can be used to address specific data protection obligations in third party risk. The Target Data Tracker, a component of the Data Governance Tools, covers the collection, description, and identification of third and fourth parties and includes retention, authorized use, and duration of processing.

Additional reading such as The Seven Deadly Sins of Records Retention might light a fire under your data retention efforts.