Data Protection Series: 5 Steps to Defining Your Retention Policies

John Woolley


I have a strong opinion around why organizations continue to store so much unstructured data. Many IT professionals simply do not have the time to wade through best practices for retention policies, nor are they given a solid steer by the business itself — unless there has been significant investment in a compliance team.

Danger arises when a lack of retention policies means a default decision to keep all data forever. In this case, storage and backup solutions become a major financial burden to an organization.

How do you begin to define your retention policies? Follow these five steps:

1: Establish Global Baseline Retention Policies

Begin by establishing a baseline (or minimum) retention. If you are a multi-national, you’ll need to understand potential worldwide applicability for certain types of records. Your policy should provide flexibility for different countries to exercise their discretion to lengthen or extend these baseline retention periods, based on valid legal or business needs.

2: Access Accounting and Tax Records

Governments impose a legal requirement to protect their ability to collect taxes. To do this, they must have access to accounting records to scrutinize during tax audits. Because of this, accounting and tax records are the biggest target for records retention.

Virtually every country has enacted laws that mandate the retention of ledgers, journals and other books of account, as well as additional supporting documentation such as vouchers, balance sheets, records of goods bought and sold and inventories of stock. These retention requirements are found in the commercial codes of country laws and/or in the tax codes.

Typically the retention period is five to 10 years; however, this is not applicable to all systems and data that pertains to accounting records, structured or not.

Finally, bear in mind that to date I have yet to meet an accounts department that will delete data from a financial system. This is important to remember when dealing with archives derived from backup.

3: Understand the Impact of General Corporate / Legal Documents

After accounting records, general corporate/legal documents are the most frequent target for retention laws.

Requirements for these documents typically appear in the business corporation laws or commercial codes of the countries in which organizations operate, and they usually apply to all businesses domiciled within the country, including units of foreign-owned, multinational corporations.

Although they vary in coverage and specificity, these laws typically mandate the retention of records such as minute books, articles of incorporation, shareholder registers, financial statements, deeds and other documents serving as evidence of the legal status and ownership of the business.

Some countries have specific laws about record retention, while others have more general laws. The retention periods range from three years to permanent; 10 years is the average.

The intent here is to ensure the preservation of records of closed businesses through the period of receivership and payment of creditors or other legal distribution of assets.

4: Follow Statutes of Limitations

Statutes of limitations – or periods of prescription, as they are called in civil law countries – are a major factor in establishing retention periods for business records. These laws are not requirements to retain records; they simply specify how long parties can sue or be sued concerning a certain matter.

Multinational companies have a major interest in retaining such records, as they may be needed to institute legal proceedings against other parties or to defend themselves against unwarranted claims brought by other parties. These records may define and limit risk and liability in terms of retention. The following matters are most relevant to records retention:

  • General contracts: Retention requirements range from one year from discovery of breach in China to an average of six years from the last date on which action took place in the United Kingdom.
  • Taxation: Retention requirements range from an average of five years in Brazil and Germany to 10 years in Thailand, in cases where taxpayers fail to file a return or file a false return for purposes of evading taxes.
  • Product liability: Retention requirements range from 3 years from the plaintiff’s awareness of damage in Finland to 30 years in Germany, in cases where product defects have been fraudulently concealed by the seller.
  • Personal injury: Retention requirements range from 3 years from the date on which the cause of action occurred in Ireland to as much as 20 years following the event that caused the damage in the Netherlands.

Once the relevant laws have been discovered, multinational records managers should work with their legal counsel to incorporate them into retention policies of global coverage.

5: Incorporate Business Function Scoping

Once the baseline has been established along with consideration for legal protection, you can then delve into the rest of the business units. Further, the legal research should be defined by business functions. These include:

  • Environmental management / Facility and property management
  • Human resources
  • Employee health and safety
  • Insurance/risk management
  • Intellectual property (patents, copyrights, and trademarks)
  • Manufacturing
  • Payroll/compensation, salary and wage administration
  • Property/land management
  • Purchasing/procurement
  • Quality control/assurance
  • Regulatory affairs
  • Research and development
  • Sales/marketing
  • Security
  • Shareholder relations

Once your retention periods are in place, consider a robust automated retention policy that deletes data, whether online or archived, unless you have a vendor managing the lifecycle for you.

Consider the impacts if you had the right retention policies in place, the correct tools to move data, the ability to provide search functions and the best possible cost medium on which to store your data. What would that do to alleviate the continuous issues of storage, backup and disaster recovery?

Retention is just one area of data protection your IT team needs to know about. Learn about other important knowledge areas in my recent blog.

