Skip to Content
Cyber and Privacy Risk and Insurance

Data Retention Policies as Proactive Breach Mitigation

Mark Lanterman | October 6, 2023

On This Page
Top view of abstract file folders

When it comes to holding onto sensitive data, less truly is more. While it may be tempting to retain every piece of information your organization or company has ever accumulated, proper data auditing, relocation, and disposal is essential for limiting the potential losses associated with data breaches.

Data retention policies are often neglected pieces of an organization's overall cyber-security posture. Organizations strive to protect the data they gather but are often reluctant to dispose of that data or store it in less convenient, though safer, ways. It is important to note that one size definitely doesn't fit all—each organization, firm, and company may have different needs when it comes to what their specific data retention policies include. Legal requirements and considerations are the foundation of a sound data retention policy that is compliant, efficient, and easily implementable.

Data Inventory

To start, an organization needs to have a reliable data inventory, identifying what is currently being retained and where. This step of the process can be chaotic and daunting for many. Also, there may be discrepancies between written policies and documentation and what is actually being carried out within the organization. Third-party vendors and their individual data retention policies need to be audited and reviewed for compliance as well; similarly, organizations should take stock of what data about any outside entities they are actively storing.

Data Retention Policies

A thorough accounting is crucial to establishing what can be purged now, what can be purged later, what should be stored differently, and how information should be organized moving forward. Organizations need to ask questions like the following.

  • How long should certain types of records be retained and where?
  • Do we have physical files (i.e., those old filing cabinets in human resources), and how are they protected?
  • Is sensitive information with a limited need for immediate access being stored on devices connected to the Internet?
  • What regulations, such as General Data Protection Regulation, impact how data is managed?
  • What types of information do we collect on a regular basis, and how do we prioritize data?

These questions can help shape the goals of the organization and shed light on current practices. Employee education and training is needed for any changes made to data retention policies, as effective implementation will likely require more than a notification about an updated policy.


Minimizing the amount of data being actively stored better allows organizations to protect the information they do have to retain. Inform clients about the data retention policy in place, and provide information on how it can be accessed or obtained. Keep a record of what has been audited, destroyed (in a forensically sound manner), and/or relocated. Include a data auditing schedule as part of the policy, and keep the protocol up to date with legal requirements and best practices. It is also important to communicate regularly with third-party vendors regarding their cyber-security postures, access controls, and data retention policies.

While organizations and firms may always be tasked with gathering and storing large amounts of data, including personally identifying information, data retention policies can be key in managing the risks of a data breach. Current data inventories allow for quick identification and access to assets, and an auditing schedule helps an organization stay on track. Relevant laws and regulations guide the structure of a data retention policy; encryption, data anonymization, and abiding by best cyber-security practices are important in most effectively protecting a company's digital assets.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.