(The second in three part series on Developing an Effective Data Retention Policy.

In our previous article, Developing an Effective Data Retention Policy, we outlined the history of and comparison of tape backup environments to disc backup environments. Understanding how your data is retained is the first and critical step to designing a data retention policy, but the next steps are a bit more murky and complex.data-retention-policy2

Depending on the industry in which you do business, your data retention policy may be dictated by legal or business retention requirements. For example, legal retention requirements would include:

  • Each state has unique legal requirements on how long medical records must be maintained
  • Every business’ tax records are to be kept for at least 3 years – but there many exceptions to this rule – and 7 years is typically seen as prudent:
    • You must keep all employment tax records for at least 4 years after the date that the tax becomes due or is paid, whichever is later.
    • In Texas, Sales and Use Tax records must be retained for at least four years.
  • Businesses subject to OSHA regulations have specific requirements on how long their data must be retained
  • Food manufacturers are required to track all the ingredients and their location of origin in the unfortunate event of poisoning
  • Machine shops are required to maintain records on where the material origin in the event of product failure

The Massachusetts Society of Certified Public Accountants has published a great resource on this subject here.

Aside from what you are legally required to do, there are compelling business arguments for retaining your data for considerable time. Ask yourself how long you need to maintain customer or accounting records. Go through the many scenarios that could impact your business, for example, do you offer any type of warranty or credits? Is there any opportunity for a recall of your manufactured items? What is the general practice within your industry for maintaining business records? What if you were to sell the business, how long of a history would a potential acquirer want?

Start your data retention policy by inviting key employees to a brainstorming session and ask, what if we need to go back in time to retrieve for data for:

  • A tax records audit
  • A labor law compliance audit
  • A product liability lawsuit
  • An employment practices claim
  • An employee tort such as a sexual harassment claim

Start to build your policy around these scenarios. Double check it against both the legal data retention requirements and your own business retention needs.

Related Data Retention posts: