Data should be deleted when it is no longer needed for authorized purposes. The period of time for which information remains necessary for authorized purposes, however, is not standardized across organizations, industries, or operations. Determining the appropriate time period requires an underlying knowledge of the data a company has, how that data is classified (for example, whether it includes personal information), how that data is used in the business, and any laws applicable to its retention. The most common means of determining this time period is to develop and document data retention policies and schedules.
A data retention policy is a corporate policy that goes beyond statutory legal requirements and directs operations on which information the company should retain, delete, or retain for a period and then delete. For data that the policy permits to be retained for a given period of time and then requires to be deleted, the retention period is generally documented in a data retention schedule. Both the policy and the schedule should reflect the types of data the company has, the laws applicable to its retention, and the risk position of the company.