Data Management Policy

1. Purpose

This policy sets out how [Company Name] manages data across its lifecycle — capture, store, use, share, archive, destroy — in line with applicable law, contractual obligations and the DAMA-DMBOK knowledge areas.

2. Scope

Applies to all data created, received or held by [Company Name] in any format.

3. Roles

4. Lifecycle

[Company Name] manages data through the following stages: capture, classify, store, use, share, archive, and securely destroy. Each stage has documented controls in supporting procedures.

5. Retention

Data is retained only as long as needed for the purpose for which it was collected, the applicable legal retention minimum, or [Company Name]'s defined default retention of [Default Retention Period]. The Records Retention Schedule is the authoritative source.

6. Storage and golden sources

Each data domain has a designated golden source. Copies for analytics or reporting are clearly marked and not used for transactional decisions.

7. Sharing

Data is shared with third parties only under a written Data Sharing Agreement that sets out purpose, lawful basis (where personal data), security requirements, term and termination.

8. Cross-border transfers

Cross-border transfers of personal data use one of: adequacy, the UK Addendum to the SCCs, the IDTA, or BCRs — supported by a Transfer Risk Assessment.

9. Secure disposal

Data and the media holding it are destroyed in line with the Data Disposal Procedure: paper shredded to DIN P-4 or higher, electronic media wiped to NIST SP 800-88 standards, cloud objects deleted with a documented certificate of destruction where contractually available.

10. Audit

Compliance with this policy is assessed at least annually as part of the internal audit programme.

Approved by: [Company Owner] Effective date: [Effective Date] Next review: [Review Date]