The 5 Steps to Creating a Retention Policy

There’s only one thing worse than not having a required document…having one that you aren’t required to have.

Having a retention policy is more important than ever.

In the age of cheap storage, there is a tendency to keep far more data than ever before. A study about storage infrastructures found that 40% of the storage space was housing stale/unused data. [1. “Reigning in storage costs”, Data Management Institute, April 2014] It’s a tedious task, but failing to purge unnecessary files can lead to legal battles and put your organization at further risk.

While some industries have mandates about how long you must keep a report, keeping tabs on all the rules is difficult. How do you stay up to date on the documents you’re required to keep and those you can throw out?

Take a deep breath... we can do this together!

Why are Retention Policies Important?

In 2012, the White House issued “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” The report states, “Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.”

Retaining more data than is required is asking for trouble. Disgruntled employees can get their hands on these old files and initiate internal data breaches. If you choose to keep older files in archives, you need to find a tool that helps de-identify the content. This can be achieved by running pattern matching scans against documents that are queued for archiving – stripping out sensitive or identifying information.
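A sketch of such a pattern-matching scan, added here as an illustration and not taken from the original article or any particular tool. The three patterns and the replacement labels are assumptions, and card-like numbers are redacted only when they pass a Luhn check, so ordinary invoice or account numbers survive.

```python
from __future__ import annotations
import re

# Illustrative patterns (assumptions); tune them to the identifiers in your reports.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13 to 19 digits
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out long numbers that are not payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def deidentify(text: str) -> tuple[str, dict[str, int]]:
    """Replace matches with a label; return the text and per-type hit counts."""
    counts = {kind: 0 for kind in PATTERNS}

    def replacer(kind: str):
        def repl(match: re.Match) -> str:
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                return match.group()  # leave non-card numbers untouched
            counts[kind] += 1
            return f"[{kind.upper()}]"
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(replacer(kind), text)
    return text, counts


# Constructed sample line, not real data.
SAMPLE = ("Employee jane.doe@example.com, SSN 123-45-6789, "
          "card 4111 1111 1111 1111, invoice 1234567890123.")

if __name__ == "__main__":
    redacted, hits = deidentify(SAMPLE)
    print(redacted)
    print(hits)
```

The hit counts are worth logging per document: a report that suddenly produces many matches is a signal that sensitive data is reaching a place the policy did not expect.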

Creating and sticking to a documented retention policy is the first step before considering your de-identification strategy. You’ll be hard-pressed to find anyone opposed to using data retention policies. The difficult sell is getting the policies implemented.

After retention policies are agreed upon, there must be follow-up to ensure they are being executed. After a period of “Keep it all!”, nobody wants to push the button to start deleting data.

How to Create a Retention Policy

Assuming you want to move forward, here are the steps to getting your first retention policies in place.

1. Choose your initial data set

As wonderful as it would be to create your entire retention structure, start small. Begin by finding a set of reports or documents that have a short shelf life. It is easier to create retention policies for documents that are relevant for a shorter amount of time, because people are less attached to their content.


  • Daily Financial Report
  • Hourly Timesheet Reports

These two example reports are only helpful for a short time. They can be recalled at any time from the reporting source so archiving these summary reports is low-hanging fruit for a retention policy.

2. Get diverse voices in the room

There are likely many people with opinions on what to retain, archive or delete.

Make sure you have stakeholders from many disciplines when designing your retention policies. Stakeholders from the legal department will have a different perspective than those in the business using these reports on a daily basis.

As stated in “Consumer Data Privacy in a Networked World,” some types of data don’t require disposal, but you must de-identify them. If your discussion excludes people from legal, you might miss similar regulatory measures.

Who should be consulted?

  • Legal counsel
  • Those receiving financial reports
  • Those generating financial reports
  • Those in charge of retention settings

It’s important to have people on both sides of the content so you can accurately capture:

  • Why is the content important?
  • How long will the content be useful?
  • What are the risks of keeping it?
  • What are the risks of getting rid of it?


Even those who aren’t using the reports or documents need to be involved in creating the retention policy.

3. How long is the data useful?

It is critical to involve all the stakeholders in the decision-making process. What some may consider mission-critical, others will see as superfluous.


  • Those receiving the financial reports may want to keep them all. From their perspective, they need constant access to the reports and don’t want to give them up.
  • Those generating the report might say historical data is easily retrieved and distributed from the raw data if needed at a later date.
  • Legal counsel might say daily financial reports are a requirement for auditing purposes. Having the data exactly as it was at the time it was produced is required for auditing changes to the original data. But the reports should only be accessible by a select few after a certain amount of time passes.

4. What happens to the old data?

Depending on the data you’re discussing, it might make sense to regularly archive data that is no longer necessary. Next, you need to decide who should have access to the archived data and how long they should have that access. If you don’t limit who has access to archives, you aren’t helping yourself on the security side.

You might decide to create a tiered retention policy. Content starts in the active state, is then archived for a specified period, and is deleted at the next stage of the policy. This is typically a scheduled process that runs without manual intervention. Any manual intervention in a retention policy lends itself to breaking the policy.

You may want to delete data that isn’t required for any obvious purpose. You need approval before creating an auto-delete function for any data that falls into this category. People like to know before their records are removed permanently 🙂


  • Keep daily financial reports accessible for the current quarter.
  • Files from previous quarters are archived.
  • 4 previous quarters of financial reports are kept in archive. Older files are deleted.
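The tiered example above, written the way a scheduled job could evaluate it; this is an added illustration, not code from the original article. The function names and the hold set are assumptions, the latter modelled on the “legal obligation” exception in the White House quote.

```python
from __future__ import annotations
from datetime import date
from enum import Enum

ARCHIVE_QUARTERS = 4  # "4 previous quarters of financial reports are kept in archive"


class Tier(Enum):
    ACTIVE = "active"
    ARCHIVE = "archive"
    DELETE = "delete"


def quarter_index(d: date) -> int:
    """Number quarters consecutively so subtraction works across year ends."""
    return d.year * 4 + (d.month - 1) // 3


def classify(report_date: date, today: date, on_hold: bool = False) -> Tier:
    """Tier a report by how many whole quarters separate it from today."""
    age = quarter_index(today) - quarter_index(report_date)
    if age < 0:
        # Bad metadata must never be resolved by deleting: stop and investigate.
        raise ValueError(f"report dated after the current quarter: {report_date}")
    if age == 0:
        return Tier.ACTIVE
    if age <= ARCHIVE_QUARTERS or on_hold:
        return Tier.ARCHIVE
    return Tier.DELETE


def plan(reports: dict[str, date], today: date,
         holds: frozenset[str] = frozenset()) -> dict[str, Tier]:
    """Decide every report's tier in one pass, as a scheduled job would."""
    return {name: classify(d, today, name in holds) for name, d in reports.items()}


# Constructed sample inventory: report name -> date it was produced.
SAMPLE = {
    "daily-2024-04-01.pdf": date(2024, 4, 1),   # current quarter
    "daily-2024-03-29.pdf": date(2024, 3, 29),  # previous quarter
    "daily-2023-04-03.pdf": date(2023, 4, 3),   # four quarters back
    "daily-2023-03-31.pdf": date(2023, 3, 31),  # five quarters back
}

if __name__ == "__main__":
    for name, tier in plan(SAMPLE, date(2024, 5, 15)).items():
        print(f"{name}: {tier.value}")
```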

5. Who should be able to access archived data?

There may be circumstances where all users should have access to an archived piece of content. More often, there will be gatekeepers of archived content.


  • Only those in finance should be able to access the archived daily reports.
  • If older data is requested, finance can retrieve and provide temporary access to the report.

Take action now.

If you’re reading this, you already know why content retention policies are necessary. You’ve been asked to investigate options, or you’re trying to create them on your own.

Follow the steps outlined above and get to work!

This content is an excerpt from our free e-book.