Brivy IT

August 10, 2025

Building a Smart Data Retention Policy for Your Utah Business

You're probably keeping too much data — and not enough of the right data. Here's how to build a retention policy that protects your business, satisfies compliance requirements, and keeps storage costs under control.

KEY TAKEAWAYS
  • A data retention policy defines what business data you keep, how long you keep it, and when it gets securely deleted — without guesswork
  • Utah businesses face retention requirements from federal tax law (7 years), HIPAA (6 years), PCI DSS, and industry-specific regulations
  • Keeping data forever increases storage costs, breach liability, and legal exposure during discovery — deletion is a feature, not a risk
  • Brivy IT helps Utah businesses build and automate retention policies using Microsoft 365, cloud backup tools, and documented procedures

Most small and mid-sized businesses in Utah don’t have a formal data retention policy. They keep everything forever, scattered across email inboxes, shared drives, old laptops, and cloud storage accounts that nobody audits.

It feels safe. If you never delete anything, you’ll always have it when you need it — right?

Not exactly. Keeping data indefinitely creates real problems. Storage costs grow unchecked. Sensitive customer information sits in forgotten folders. If you’re ever involved in litigation, every email and file you’ve hoarded becomes potentially discoverable. And if a breach happens, the more data you have, the bigger the damage.

A data retention policy fixes this. It tells your team what to keep, how long to keep it, and when to securely delete it. It’s not complicated, but it does require some thought — and most businesses put it off until something goes wrong.

What a Data Retention Policy Actually Is

A data retention policy is a documented set of rules that governs the lifecycle of your business data. It covers three core questions:

What data do we collect and store? This includes everything from customer records and financial documents to email correspondence, contracts, employee files, and system logs.

How long do we need to keep it? Some data has legally mandated retention periods. Other data has business value that diminishes over time. Your policy defines specific timeframes for each category.

How do we dispose of it securely? Deleting a file from your desktop doesn’t mean it’s gone. Proper data disposal includes secure deletion from all storage locations, backups, and archives.

Think of it as a lifecycle: data is created or received, stored and protected during its useful life, and then securely destroyed when it’s no longer needed.

Why Utah Businesses Need One

If you’re a Utah business owner, you might assume data retention is something only large enterprises or healthcare companies worry about. That’s not the case. Here’s why it matters for you:

Legal and regulatory requirements. Federal tax records must be kept for at least 7 years. If you handle any healthcare data, HIPAA requires 6 years. If you process credit cards, PCI DSS has its own retention rules. Employment records, contracts, and corporate documents all have specific holding periods under state and federal law.

Litigation and legal discovery. If your business is ever involved in a lawsuit, the other side can request all relevant documents. If you’ve been hoarding years of emails and files without a policy, the scope of what you need to produce — and review — expands dramatically. A documented retention policy that predates the dispute shows you weren’t selectively deleting evidence.

Breach liability. Every piece of sensitive data you store is a potential liability in a breach. Customer Social Security numbers from a project you completed three years ago don’t need to live on a shared drive. The less sensitive data you retain beyond its useful life, the less damage a breach can cause.

Storage costs. Data storage isn’t free, especially when you factor in backup costs, cloud storage tiers, and the time your team spends searching through cluttered file systems. A retention policy naturally keeps your storage footprint manageable.

Common Retention Periods You Should Know

Here’s a practical reference for common data types and their typical retention requirements:

Quick reference: 7 yrs for IRS tax records; 6 yrs for HIPAA medical records; 3–4 yrs for employment records.

Financial records: Tax returns, supporting documents, bank statements, and general ledger data should be kept for 7 years per IRS guidelines. Some accountants recommend longer for certain asset records.

Employee records: Payroll records for 3 years (FLSA), I-9 forms for 3 years after hire or 1 year after termination (whichever is later), benefits records for 6 years (ERISA).

Contracts and agreements: Keep for the duration of the contract plus 6–7 years after expiration, depending on your state’s statute of limitations for contract disputes.

Customer data: Only as long as there’s a legitimate business purpose. Once a customer relationship ends and any warranty or service obligations expire, their personal data should be scheduled for deletion.

Email and correspondence: General business email can typically be purged after 2–3 years. Emails related to contracts, legal matters, or compliance should follow those specific retention schedules.

System logs and backups: Security logs are typically retained for 1 year. Backup copies should follow the same retention schedule as the source data — if the source data is deleted, the backup should eventually cycle out too.

💡 PRO TIP

Don’t try to create a perfect policy on day one. Start with your highest-risk data categories — financial records, customer PII, and employee files — and expand from there.

How to Build Your Retention Policy: A Practical Approach

You don’t need a legal team or a compliance consultant to get started. Here’s a straightforward process:

Step 1: Inventory your data. List every type of data your business creates or receives. Include digital files, emails, paper documents, cloud storage, and data held by third-party services. You can’t manage what you don’t know about.

Step 2: Identify legal requirements. For each data category, research the applicable federal, state, and industry retention requirements. Your accountant and attorney can help with the specifics. When multiple requirements apply, use the longest retention period.

Step 3: Set retention periods. For data without legal requirements, set a reasonable business retention period. Ask: “If we needed this data two years from now, would we realistically use it?” If not, it probably doesn’t need to be kept that long.

Step 4: Define disposal procedures. Specify how each data type should be destroyed. Digital files should be securely deleted (not just moved to the Recycle Bin). Hard drives should be wiped or physically destroyed. Paper documents should be cross-cut shredded. Cloud data should be deleted from all synced locations.

Step 5: Document and communicate. Write the policy down. It doesn’t need to be long — a two-page document with a table of data categories and retention periods is often sufficient. Share it with your team and make sure they know where to find it.

Step 6: Automate where possible. Microsoft 365 retention labels can automatically archive or delete emails and SharePoint documents on schedule. Cloud backup tools can age out old snapshots. The less your team has to remember manually, the more consistently the policy gets followed.

Common Mistakes to Avoid

Keeping everything forever. This is the default for most businesses, and it’s the most expensive mistake. Unlimited retention means unlimited liability.

Deleting too aggressively. The opposite extreme is also risky. If you destroy records that are still within their required retention period, you face regulatory penalties — and in litigation, the inference that you were hiding something.

Ignoring backups. Your retention policy needs to account for backup copies. If you delete a file from your server but it lives on in a backup snapshot for another 5 years, it’s not really deleted.

Not training your team. A policy nobody follows isn’t a policy. Make sure employees understand what they should and shouldn’t delete, and where to save files that need long-term retention.

Forgetting about third-party services. Data stored in SaaS platforms, CRM tools, cloud storage, and vendor systems is still your responsibility. Your retention policy should cover data held by third parties and include provisions for requesting deletion when retention periods expire.

⚠️ HEADS UP

If you become aware of potential litigation or a regulatory investigation, immediately suspend all data deletion related to the matter. This is called a “litigation hold” and overrides your standard retention schedule. Destroying relevant data after a hold should be in place can result in serious legal consequences.
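As an added illustration (not code from the article or from Brivy IT), the following Python sketch applies the schedule logic from Steps 2 through 6 and the litigation hold above to a constructed inventory: the longest applicable period wins when a record falls under several rules, the I-9 "whichever is later" rule is handled, and an active hold blocks disposal regardless of age. The category names, the Record fields and the sample records are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Years per category, from the article's reference list (assumption: whole
# years counted from the record's creation date).
RETENTION_YEARS = {"tax_record": 7, "medical_record": 6, "payroll": 3,
                   "benefits": 6, "general_email": 2, "security_log": 1}

def add_years(d: date, n: int) -> date:
    """Add n years; Feb 29 clamps to Feb 28 when the target year is not leap."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

@dataclass
class Record:
    name: str
    categories: list[str]           # one record may fall under several rules
    created: date
    terminated: date | None = None  # employee termination date, for I-9 forms
    on_hold: bool = False           # litigation hold flag

def retention_end(rec: Record) -> date:
    """Earliest date the record may be destroyed: longest applicable rule wins."""
    ends = [add_years(rec.created, RETENTION_YEARS[c])
            for c in rec.categories if c in RETENTION_YEARS]
    if "i9_form" in rec.categories:
        # 3 years after hire or 1 year after termination, whichever is later
        i9 = add_years(rec.created, 3)
        if rec.terminated is not None:
            i9 = max(i9, add_years(rec.terminated, 1))
        ends.append(i9)
    if not ends:
        raise ValueError(f"no retention rule covers {rec.name}: {rec.categories}")
    return max(ends)

def disposition(rec: Record, today: date) -> str:
    """'hold' while a litigation hold is active, otherwise 'retain' or 'dispose'."""
    if rec.on_hold:
        return "hold"
    return "dispose" if today >= retention_end(rec) else "retain"

# Constructed sample inventory, not real client data.
SAMPLE = [
    Record("2017 tax return", ["tax_record"], date(2018, 4, 15)),
    Record("Contract email", ["general_email", "tax_record"], date(2019, 3, 1)),
    Record("I-9, J. Doe", ["i9_form"], date(2023, 6, 1), terminated=date(2024, 12, 31)),
    Record("Project share", ["payroll"], date(2021, 5, 5), on_hold=True),
]
```

Run `disposition(rec, date.today())` over each record to produce the dispose/retain/hold list your team or an automation job acts on; backups should be evaluated against the same end dates.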

How Brivy IT Helps

Building a data retention policy is a business decision, but implementing it is an IT project. That’s where we come in.

Brivy IT works with Utah businesses to set up the technical infrastructure that makes retention policies actually work. That includes configuring Microsoft 365 retention labels and policies, setting up automated backup rotation schedules, implementing secure data disposal procedures, and documenting everything so your team can follow it consistently.

We also help with the data inventory step — mapping out where your business data actually lives across email, file shares, cloud storage, and third-party platforms. For many of our clients, this initial discovery is the most valuable part of the process because it reveals data they didn’t know they were storing.

Data Retention FAQs

Do I need a data retention policy if I'm a small business?

Yes. Even small businesses have legal obligations around tax records, employment documents, and customer data. A simple policy protects you from regulatory penalties and reduces breach liability.

What happens if I delete data I was supposed to keep?

Premature deletion of legally required records can result in fines, adverse legal inferences in litigation, and regulatory action. When in doubt, keep the data until you've confirmed the retention period has expired.

Can Microsoft 365 automate data retention?

Yes. Microsoft 365 Business Premium and E3/E5 plans include retention labels and policies that can automatically archive or delete emails, documents, and Teams data on a schedule you define.

How do I handle paper documents?

Paper documents follow the same retention schedule as digital files. When the retention period expires, cross-cut shred them. For large volumes, use a certified document destruction service.

What about data in cloud apps like QuickBooks or Salesforce?

Data in third-party SaaS platforms is still covered by your retention policy. Check each vendor's data export and deletion capabilities, and document how you'll handle end-of-life data in those systems.

Need Help Building Your Data Retention Policy?

Brivy IT helps Utah businesses inventory their data, set up retention schedules, and configure Microsoft 365 and cloud backup tools to automate compliance. We handle the technical implementation so your policy actually works.

Stop Hoarding Data You Don't Need

A smart retention policy reduces risk, cuts storage costs, and keeps your business compliant. Let Brivy IT help you build one.

Schedule a Consultation

Start the conversation with a free 10-minute consultation

Let’s discuss IT strategy, services, and business solutions & compliance concerns.

Copyright © 2024 Brivy LLC

John Huston