Is Your Data Retention Policy Creation Getting Stuck?

Creating a data retention and deletion policy at the outset appears to be a straightforward task. However, the effort often gets bogged down through endless inputs from and lack of consensus with multiple stakeholders. The root cause of getting stuck is that many data retention policies focus too narrowly on personal information disposition requirements that are not in sync with records retention compliance or business needs. Sometime organizations effectively “punt” on the issue by creating vague, non-prescriptive, watered-down, or ill-defined policies that may simply list hazy, non-prescriptive retention rules. Avoid this, as it will do little provide guidance to employees regarding what to save and not save.

There is sometimes a tendency by privacy, legal, or compliance teams to “go it alone” and create a retention policy by themselves with little input or collaboration, and then hand it off to IT or business units to execute. There may be a policy, but it is unlikely it will be or can be followed, and the gap between what the organization says it will do in its policy and its lack of execution creates more risk than not having a retention policy at all.

Organizations are often reluctant to engage in deletion knowing that some of the data contain records that must be retained for a period of time to satisfy regulatory or legal requirements. I refer to these as “Records” – with a capital “R.” Another category is “records” – with a lower-case “r” – information that has business value but for which there is no mandatory retention, and “transitory information,” which is everything else.

It is recommended that governance professionals take the lead in guiding the definition, identification, and classification of “big R,” “little r,” and transitory information, with policies and procedures embodied in a records archiving program.

Take a look at our white paper, Developing a Data Retention Policy to Meet Privacy Requirements.