What is a data retention policy?

Regardless of industry, companies manage a large amount of data, and the process of storing and filing all that data away can be a challenge.  After a while, your company will amass more data than you may know how to handle. As a result, you may need to back up, archive, or delete data. 

A data retention policy makes the job simpler. Whether you're in engineering, sales, life sciences, or government, a data retention policy can help you keep accurate business and financial records, abide by laws and regulations, and ensure customers can easily navigate searches and information. Overall, your data retention policy will help you understand what to do with your data in particular situations.

A data retention policy defines: 

  • A company's purposes for retaining information 
  • Which data you keep and which you should delete 
  • What format you use to store data 
  • How long to keep data
  • Who has the authority to handle and manage data 
  • Laws, regulations, and reference documents
  • How to address policy violations

Below, we'll discuss various data retention requirements and best practices, including why a backup retention policy is essential, how policies ensure legal compliance, and examples of major companies' data retention policies. Then, we'll discuss how to create a data retention policy and how Box can help safeguard your data so you can stay compliant.

What are data retention best practices? 

The goal of data retention policies is to safeguard your company's assets while streamlining operations. Therefore, it's crucial to research how to build a robust and comprehensive data retention policy. Rather than asking yourself why you should delete data, start by asking, "Why should I keep this?" If content has outlived its usefulness to your business, you should delete it.

When creating a data retention policy, you should first analyze and classify the data you manage. Also, conduct research to determine whether any legal requirements apply to your industry. Finally, set the data retention period and delete data once it's no longer useful. You can save time and money by automating content management with cloud-based software.

Identify any data that may be high-risk, like personal information about customers or previous employees

Evaluate your organization's data

First, take time to look over your data to identify and classify it correctly. Different types of data and industries have various data retention requirements. Therefore, it's important you understand which types of data you regularly handle. For example, a hospital would keep patient records longer than internal correspondences, like emails.

Identify any data that may be high-risk, like personal information about customers or previous employees. Keeping that information will most likely do your company more harm than good, as the risk remains the same while the data's value decreases. Offloading old data that doesn't serve a purpose but could pose security threats is always a smart decision.

Additionally, consider whether you're using data for business purposes or hanging onto it for future use. For example, some companies retain data to train future machine learning models. Any data you aren't currently using for business purposes is susceptible to breaches and slows workflows by making it more difficult to find and analyze important data.

Know which legal requirements apply to you 

After categorizing the types of data your organization regulates, you'll want to research which legal requirements apply to you. There's no umbrella data retention law across industries. Instead, different industries follow various data retention policies.

For example, federal government agencies follow National Archives and Records Administration (NARA) guidance. Healthcare organizations must follow the Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry Security Standards Council (PCI SSC) issued its Data Security Standard (DSS) for companies that manage card transactions. Each standard provides detailed steps on how and when businesses must alert customers about using their data.

Additionally, different countries have different data protection policies. For example, the European Union (EU) passed the General Data Protection Regulation (GDPR), one of the world's strictest data privacy protection laws. The GDPR applies to countries worldwide when they're doing business with EU citizens. Under the GDPR, data processing must be lawful, fair, and transparent, and companies should only collect the minimum amount of data necessary.

It's critical to know which standards apply to you so you can follow them correctly. Otherwise, you may incur legal repercussions.

Ensure you're not hanging on to data for longer than you need by implementing a system that offer automatic data deletion and restricts permanent deletion to authorized individuals

Delete data once it's no longer required or after the data retention period is over

A data retention period defines how long you should keep particular data. It's best to delete data as soon as possible. Outdated information is more susceptible to breaches, leading to costly lawsuits and a poor reputation. 

Ensure you're not hanging on to data for longer than you need by implementing a system that offers automatic data deletion and restricts permanent deletion to authorized individuals. An eDiscovery solution lets you search and analyze data for easy removal.

An automated data management archival system can help you stay compliant with different industry laws and regulations

What is a backup retention policy? 

These policies specify backup procedures, which protect crucial information from loss. While storing too much data can be confusing and frustrating, storing too little could be catastrophic in the event of data loss. For instance, imagine the consequences when a construction company loses the blueprints to a large commercial project. The client may choose to work with another company in the future, and improper content management will reflect poorly on the company's reputation. 

If data is a fundamental part of your company's daily operations and you can't easily replace it, you'll want to retain it. When deciding how frequently you should back up data, consider the following points: 

  • The severity of data-loss risk 
  • Whether your company requires backup daily, weekly, or monthly
  • How long to keep different kinds of data 

Additionally, you can archive data your company no longer uses but may need to keep for compliance reasons. As an example, HIPAA requires healthcare companies to retain data for a certain amount of time. An automated data management and archival system can help you stay compliant with different industry laws and regulations. As a bonus, archiving data is less expensive than typical data storage.

Three additional data retention requirements - Sarbanes-Oxley Act, Federal Information Security Management and Modernization Acts, Fair Labor Standards Act

How do data retention policies ensure legal and regulatory compliance? 

Following data retention policies improves content management, making companies more efficient by freeing up staff from administrative tasks. However, it's crucial to create a strong data retention policy to comply with laws and industry regulations. Violations often come with fines and harm a company's image. Aside from well-known data retention regulations like HIPAA and the GDPR, you'll want to know about three additional data retention requirements:

Sarbanes-Oxley Act

Investors are afforded more protection from fraudulent corporate financing under the Sarbanes-Oxley (SOX) Act. While the SOX Act is a complicated piece of legislation, Section 802 gives some insight into data retention requirements in the financial industry. The section specifies guidelines for content management, including penalties for record destruction or falsification, record retention periods, and which physical and electronic business records to store. 

IT departments at financial companies should follow the SOX Act to determine which electronic records to archive and how long to retain them.

Federal Information Security Management and Modernization Acts

The government requires all federal agencies to develop a content security program under the Federal Information Security Management Act of 2002 (FISMA 2002). Under FISMA 2002, companies must protect information by following federal information processing and data retention requirements. The Federal Information Security Modernization Act of 2014 (FISMA 2014) updates FISMA 2002 to cover cybersecurity.

Implementing data retention policies can help agencies ensure they remain FISMA compliant by offering guidance on data backup and deletion. A plan will also outline which personnel are qualified to access data to safeguard against breaches.

Fair Labor Standards Act 

All companies must follow the U.S. Department of Labor's Fair Labor Standards Act (FLSA). Under the FLSA, employees must keep records for at least three years. Additionally, they must keep records regarding wage computations such as time cards or schedules for two years.

Under the FLSA, employers must retain the following basic employee and pay information:

  • Employee name and Social Security number 
  • Address 
  • Date of birth for employees younger than 19
  • Sex
  • Workweek start
  • Daily and weekly hours worked 
  • Pay specifications, such as hourly or weekly rate 
  • Regular hourly pay rate 
  • Daily or weekly straight-time earnings
  • Weekly overtime earnings 
  • Wage additions or deductions 
  • Total wages for each pay period 
  • Payment date and pay period

What are some data retention policy examples? 

Companies collect and retain information from users for security reasons and to personalize the customer experience. However, some users want companies to stop storing their data, as they still keep information for a specified data retention period even after users delete information on their end. Several major companies like Google, Facebook, Microsoft, Netflix, and Amazon typically outline how they retain data in their privacy policies so users can review their rights.


Google's data retention policy allows users to delete some data, automates the deletion of certain data, and retains other data for extended periods. For instance, Google retains personal details, action history, and content until users log on and delete this type of data. Sensitive information like payment processing or security data is kept for extended periods so that Google remains compliant with legal regulations. Other data, like screen size for device compatibility, is automatically deleted after a certain period. 

When users opt to delete data, Google first ensures the users will no longer see that particular data on their end. Then, they initiate an approximately two-month-long process to securely remove the information from their storage systems. Because each kind of storage system has a particular deletion process, it may take longer for Google to delete some data. In case of accidental deletion, Google also uses encrypted backup storage, where data can remain for six months.  

Facebook's parent company, Meta, uses the data it collects to personalize the user experience, verify accounts, and for research and analytics


Facebook collects information about users, how they use the platform, and what they say about each other. The platform's parent company, Meta, uses the data it collects to personalize the user experience, verify accounts, and conduct research and analytics. Facebook retains information until a user deletes their account or it is no longer necessary for the user. However, Meta does keep different types of data for various lengths.

For example, the company will keep sensitive information, like a picture of a user's government-issued ID for account verification, for 30 days, while search query logs are kept for six months — even if a user deletes the search from their end.


Microsoft's Data Handling Standard policy provides guidance on how long Microsoft 365 retains user data. The company collects user data through both automated and manual processes. Microsoft's data collection provides certain features, personalizes the user experience, and helps Microsoft stay legally compliant. Both users and administrators can actively delete data, while passive deletion happens when a user's subscription ends.

The company classifies different data types, and data categories have varying retention periods. For example, users directly provide data to Microsoft, including personal information, passwords, and multimedia files. Microsoft stores data for a maximum of 30 days with active deletion or 180 days with passive. Other customer data that identifies users, such as IP addresses and domain names, are kept for 180 days with both passive and active deletion.


Like many other companies, Netflix collects personal information about users to personalize the user experience. For example, geographic information allows the company to provide localized content, while tracking watch history can improve recommendations. Although Netflix removes user information upon account deletion, the company retains other information for legal purposes, fraud prevention, and accounting reasons.

The information Netflix retains after a user deletes their account includes: 

  • Device identifiers
  • Email address on file with the account 
  • Encrypted payment details

Amazon tracks customers' personal information to provide order management and delivery services


Amazon tracks customers' personal information to provide order management and delivery services, for personalized product and feature recommendations, for use with their Alexa products, and to stay legally compliant. The company follows the PCI DSS standard when processing credit card data to ensure security and compliance.

Beyond the company's basic privacy policy, Amazon has also specified a file retention policy for Amazon Drive, which stores files associated with accounts that currently have active subscriptions. Once users have more files than the basic drive permits, they have 180 days to either upgrade their storage plan or delete files. Otherwise, Amazon begins deleting files, starting with the most recent uploads. 

When a customer abandons their account, Amazon notifies them after 18 months of inactivity. After two years, Amazon deletes all files.

Create a data retention policy - gather stakeholders, audit your data, review storage options, implement your policy

How do I create a data retention policy? 

Now that you understand how a data retention policy will minimize risk and ensure regulatory compliance, it's time to create and implement your policy. When crafting a comprehensive data retention policy, you should first gather all relevant stakeholders, conduct a data audit, and review data management and storage options before implementing the requirements.

1. Gather stakeholders 

When creating a data retention policy, you should gather all relevant stakeholders to ensure your data retention policy covers all departments. These individuals could include executives, human resources managers, legal professionals, finance department workers, and records managers. This way, your data retention policy will represent your entire company. Plus, everyone across your departments will be on the same page to ensure compliance and maximum data security.

2. Audit your data

Conduct a thorough data audit by determining where your data is, how various people access it, who's authorized to access it, and how your company uses it. An audit will help you evaluate content to determine what you should do with various data types. Basically, you're prioritizing data and measuring the benefits of keeping it against the risks.

Categorizing data will help you quickly determine which data you regularly use and must keep live, data you should back up but still keep easily accessible, data you should delete, and data to archive. Also, take note of data you could delete but may want to hang onto and content that's especially important to back up for disaster recovery.  

3. Review storage options

Alongside auditing your data, you should review whether you need to expand your storage capacity or cut the clutter to free up storage space. If your industry is highly regulated, you should double-check to make sure you don't have to store your data off-site. Assessing your data and current storage infrastructure will help you determine potential data storage options.

Using a cloud-based content management solution like Box will help your teams become more efficient. With Box, you'll be able to protect and monitor your content through document retention policy management. Plus, the Content Cloud will ensure employees can easily access files to streamline collaboration

4. Implement your policy 

Above all, thoroughly and clearly document data when implementing a data retention policy. Be transparent with your staff and ensure they understand your company's data retention requirements. Additionally, consider creating two different policy documents. One document can include technical jargon and legal information for legal or industry regulations. The other policy should include simple, straightforward language your employees can follow.

Furthermore, ensure you're transparent with your customers. Clearly explain what information you'd like to keep and how you're going to store it. Communicating your privacy policy with your customers will build their trust in your company, strengthening your relationship.

Once you've implemented your data retention policy, you'll want to conduct an internal review to ensure employees remain compliant. Additionally, set a regular review schedule to revise your policy as your company grows and changes. Conduct follow-up meetings with employees to ensure they understand your company's data retention policy and gather their feedback. 

Box Allows you to create legal holds so users can quickly and easily find litigation-related content

What is Box's approach to data retention? 

Box is a comprehensive, cloud-based content management solution to automate workflows and keep your data secure. Information governance from Box manages content lifecycles to reduce risk proactively. Box also includes event-based retention, in which particular occasions like employee termination or business events trigger retention policies.

Plus, you'll be able to customize your retention policy for maximum compliance — regardless of your particular industry needs. Box allows you to create legal holds, so users can quickly and easily find litigation-related content. Plus, Box Governance works with your current eDiscovery tools for data processing.

When it's time to delete data, you'll be able to remove content without compromising data backup and retention. The Box deletion system allows automatic content purging while restricting permanent removal to authorized users. If data is accidentally deleted, you'll also be able to restore that information. 

Learn how Box can improve content management for your company

Learn how Box helps with content management

Box is a secure, cloud-based content management system that helps you create and implement a comprehensive data retention policy. Our platform enables your company to streamline the entire content lifecycle — from file creation to editing, sharing, classification, and retention. Box will protect your content from breaches, empower your teams through collaboration, and connect your business with more than 1,500 integrations. 

Contact the Box sales team today to learn how Box can improve content management for your company.

**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.