Data Retention

Legal and Business Data Archival Requirements Have Become A Challenge

With ongoing digitalization and growing data volumes, companies have to comply with an increasing number of legal and business data archival requirements. These so-called data retention requirements can stem from:

  • General purpose regulations (e.g. trade and tax regulations)
  • Domain specific regulations (e.g., PCI DSS, REACH, GDPR)
  • International standards (e.g., ISO 9001 and 27001)
  • Internal guidelines (e.g. for version control).

Thus, creating and maintaining a data retention policy has become a very labor-intensive and complex task. Because non-compliance with data retention regulations can result in the imposition of significant fines, data retention is not just a matter for IT and specific business functions, but a business consideration with potentially significant financial impact if companies fail to do it right.

The Sharing Economy Helps to Keep Up with Data Retention Requirements

Each company must create a data retention policy. But in reality, most data retention requirements are the same for all companies. This is exactly why it makes sense that companies work together on this topic. Our vision is to expand our Data Sharing Community with the topic of data retention and give companies the opportunity to share the workload and benefit from the knowledge of others. We know that this approach can work, because years ago within the Competence Center Corporate Data Quality we started a similar research project with the idea of collaboratively maintaining customer and vendor data. Today this idea of Data Sharing is an existing service used by companies as Bayer, Bosch, Siemens, Lanxess, Novartis, Nestle and Schaeffler.

The Focus Group Works on Vocabulary and Business Rules for Critical Data Retention Requirements

To address this topic, our researcher Clément Labadie is leading a focus group "Data Retention" and invites interested companies to join these efforts.

Over the course of several working sessions, participants will work collaboratively on the following tasks:

  • Identify critical data retention requirements that are valid for most companies
  • Agree on a vocabulary and standard structure to document these requirements (metamodel)
  • Translate requirements into actionable business rules

The result will be a systematic approach to translate data retention requirements into a structured notation and actionable business rules. This approach will be illustrated by specific examples tackled by the working group covering data retention requirements from various domains (e.g., internal guidelines, tax & accounting records, safety records, HR records, legal records…).

How to Join this Initiative?

Usually each company must create and maintain a data retention policy. Therefore, each company must identify and classify the information the organization holds and know all the legal and business requirements that apply. By joining this initiative, you become part of an forward-thinking group. Collaboratively we design business rules for data retention that can be used as foundation for your individual data retention policy and help you create and maintain data retention rules. The meetings are held as online meetings.

If you would like to be part of the Focus Group Data Retention, please contact Clément Labadie.


Definition: Data Retention, also called records retention, is the storage of enterprise’s data for compliance or business reasons. The retention periods differ based on the type of information processed, the purpose of processing or other factors.

A data retention policy consists of guidelines that describes which data will be archived and how long it will be kept. This helps to reduce the organization's storage costs by only keeping data that needs to be kept and to comply with legal requirements.

A company retains data for several reasons:

  • to comply with local, national, and international regulations of the different legal entities that typically range from three years to permanent.
    Examples are:
    • Employment law
    • Administrative law
    • Trade law
    • Tax law
  • to provide the organization with the ability to recover business critical data in the event of a data loss (caused by e.g. a fire) and data history

The stored information should be organized in such a way that it can be easily found and made available later. Furthermore, it should be possible to delete data that is no longer needed without risk. Usually companies establish a data retention policy to ensure that all necessary data is stored properly. Some companies use a Data-Retention-Management System (DRMS) to manage their retention processes. They manage a variety of information and overviews, for example on data types, document types, retention periods, classes and rules, deletion restrictions and rules as well as authorizations and roles.

Typical activities to implement a data retention policy include:

  • Define reference dates for legal grounds
  • Define business purpose for different data types and different legal entities
  • Define retention rules for each business purpose

Date retention is required for multiple data domains. Typical data examples that require data retention are:

  • Tax and accounting records
  • Environmental records
  • Communications records
  • Customer records
  • Payroll and salary records
  • Purchasing records
  • HR records
  • Legal files and contracts
  • Safety records
  • Pictures and videos
  • Productions recrods
  • Location data

This data is usually stored in different systems. These may include:

  • different systems (on premise or cloud-based)
  • third party servers
  • email accounts
  • desktops
  • employee-owned device
  • backup storage; and/or
  • paper files
Go to top