Why keeping data forever is a liability
Every record you keep is data you must protect — and, under GDPR, data you must justify keeping. A data retention policy defines how long each category of data is kept and how it is securely deleted, reducing both your breach exposure and your compliance risk.
What to include
- Scope — data categories covered (customer, HR, financial, logs, backups).
- Retention periods — how long each category is kept, tied to legal, contractual and business needs.
- Legal basis — the obligation or justification behind each period (GDPR storage-limitation principle).
- Deletion — secure, documented deletion when the period ends, including backups.
- Holds — how legal holds suspend deletion when required.
- Responsibilities — who owns retention decisions and enforcement.
- Review — periodic update as obligations change.
Common mistakes
- "Keep everything forever," which maximises breach impact and breaches GDPR.
- Retention periods with no legal basis recorded.
- Forgetting backups, where data lives on after deletion from production.
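As an added example (not code from the page or from any product), the Python below turns the points above into an enforceable check: every category needs a recorded period and legal basis, a missing period is surfaced rather than treated as "forever", a legal hold suspends deletion, and an expired record is deleted from every copy, backups included. The schedule, periods, legal bases and records are all constructed for illustration.

```python
from datetime import date, timedelta
from typing import NamedTuple
# Constructed schedule: category -> (retention period, recorded legal basis).
# A missing period must never silently mean "keep forever".
SCHEDULE = {
    "customer": (timedelta(days=365 * 6), "contract + limitation period (assumed)"),
    "hr": (timedelta(days=365 * 7), "employment-law retention duty (assumed)"),
    "logs": (timedelta(days=90), "security monitoring (assumed)"),
    "financial": (None, "tax-law retention duty (assumed)"),  # period never agreed
}
class Record(NamedTuple):
    record_id: str
    category: str
    created: date
    legal_hold: bool = False
    copies: tuple = ("production",)  # every location holding the data, backups included
def validate_schedule(schedule):
    """List policy defects: categories with no period or no legal basis recorded."""
    problems = []
    for cat, (period, basis) in schedule.items():
        if period is None:
            problems.append(f"{cat}: no retention period (would mean 'forever')")
        if not basis:
            problems.append(f"{cat}: no legal basis recorded")
    return problems

def deletion_plan(records, schedule, today):
    """Per record: delete every copy, keep under hold, or flag as unclassified."""
    plan = {"delete": [], "held": [], "unclassified": []}
    for r in records:
        period = schedule.get(r.category, (None, None))[0]
        if period is None:  # no enforceable period: surface it, never assume forever
            plan["unclassified"].append(r.record_id)
        elif today < r.created + period:
            pass  # still within its retention period
        elif r.legal_hold:  # a legal hold suspends deletion
            plan["held"].append(r.record_id)
        else:  # expired and not held: every copy goes, backups included
            plan["delete"].extend((r.record_id, copy) for copy in r.copies)
    return plan
TODAY = date(2025, 1, 1)  # constructed evaluation date
SAMPLE = (  # constructed records
    Record("c-1", "customer", date(2018, 6, 1), copies=("production", "backup-weekly")),
    Record("c-2", "customer", date(2024, 6, 1)),
    Record("h-1", "hr", date(2015, 1, 1), legal_hold=True),
    Record("l-1", "logs", date(2024, 9, 1), copies=("siem", "backup-daily")),
    Record("f-1", "financial", date(2010, 1, 1)),
)
```

Running `validate_schedule(SCHEDULE)` before `deletion_plan` makes the policy defect (an unset period) visible instead of letting records accumulate unnoticed.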
Framework alignment
Supports ISO 27001:2022 Annex A 5.33 (protection of records) and 8.10 (information deletion), the SOC 2 criteria, and the GDPR storage-limitation principle.