March 23, 2023

Data Retention Practices – A Brief Overview

Written by Ryan Boyle
Privacy & GDPR Compliance Assessment

Data retention practices vary between companies based on compliance requirements, location, and the types of data handled. Best practice dictates that an organization retain data only for as long as it is useful, or for as long as legal or regulatory requirements demand. Defining what the organization actually needs to keep helps ensure compliance with relevant statutes and regulations, maintains accurate records, and avoids allotting storage to data that serves no purpose (and that would still have to be protected, and still be exposed in a breach). 

Data retention policies should include:

  • What data needs to be retained
  • The format the data is kept in
  • Length of retention
  • Whether the data is subject to deletion or being archived
  • Who will dispose of it and how
  • Exceptions processes
  • What to do in the event of a breach of the policy

Legal and Compliance

There is no single mandatory data retention law that spans the United States. One (1) of the chief reasons for this is the weight placed on privacy: retention is governed sector by sector and state by state. Restrictions ultimately depend on the type of data being handled and the areas of operation. Common types of restricted data include:

  • Personal Data/Personally Identifiable Information (PII)
  • Protected Health Information (PHI) 
  • Financial data

Legal and regulatory requirements for these types of data differ depending on where, how, and in what volume business is being conducted. For example, the State of California usually comes with more stringent privacy requirements, outlined in the California Consumer Privacy Act (CCPA). Some common compliance standards to refer to are the General Data Protection Regulation (GDPR - EU), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). These are just a few examples of the laws, standards, and regulations that organizations can be held to when dealing with the common types of restricted data. Non-compliance in any of these areas can mean monetary penalties, data breaches, legal action, damage to reputation, and more.

Another factor to consider when determining data management requirements is whether the company is publicly traded. The Sarbanes-Oxley (SOX) Act applies to a large range of companies operating in the U.S. Companies required to be SOX compliant include:

  • Public U.S. companies
  • Foreign public companies operating in the U.S.
  • Wholly-owned U.S. subsidiaries of those public companies
  • Private companies preparing an initial public offering
  • Accounting firms working for SOX-compliant companies

SOX compliance rules specifically outline how long certain records must be retained. SOX was enacted in 2002 in response to widespread corporate fraud, and it is commonly cited for its seven (7) year retention requirement for audit-related records.

Data retention periods will also vary depending on the industry you are in. Companies operating in the health industry are typically required to retain HIPAA related documentation for a minimum of six (6) years from the date it was created or last in effect. This does not fully encompass medical records themselves, whose retention periods vary under state law. Financial institutions falling under the Basel II Capital Accord face retention requirements of a three (3) to seven (7) year data history. These are just a few examples of the data retention requirements a company can find itself subject to, which must be met in tandem with state and other regulatory requirements. 

Data Management

In addition to the compliance requirements for different types of data, organizations will also have to be compliant in their storage practices. For instance, the U.S. Department of Health and Human Services (HHS) has outlined four (4) general requirements of the HIPAA Security Rule that apply to how electronic PHI (e-PHI) is stored and handled:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
  3. Protect against reasonably anticipated, impermissible uses or disclosures
  4. Ensure compliance by their workforce

These requirements are deliberately broad rather than prescriptive, which leaves organizations to decide for themselves what "reasonably anticipated" means. In the event of a breach, being found in non-compliance can be a heavy cost to a company's reputation and profitability. Whether the requirements are financial or health related, it is always better to be secure than merely compliant: compliance does not guarantee security, and a compliant organization can still be breached. Maintaining good security practices, on the other hand, will generally go a long way toward satisfying compliance requirements. It is good practice to have annual audits, whether performed externally or internally, to keep up to date on your compliance needs. Many companies designate a compliance officer to oversee the company's regulatory obligations and keep an eye on new developments. Companies should still research data management solutions to find what is most practical for them.