
Data Retention Policy

Applies to: GDPR, HIPAA, SOC 2, ISO 27001

Documented schedule for how long each data category is retained and how it is securely disposed of.

A Data Retention Policy defines, per data category, how long records are retained, the legal/business justification, and the method of secure disposal at end of life. Most frameworks require both a written policy and operational evidence of deletion.

Why it matters
‘Keeping everything forever’ is a GDPR storage-limitation violation (Art. 5(1)(e)) and expands breach blast radius. Aggressive deletion is itself a control.

Related terms

Data Minimisation
GDPR Art. 5(1)(c) principle: personal data must be adequate, relevant, and limited to what is necessary.
Purpose Limitation
GDPR Art. 5(1)(b): personal data must be collected for specified, explicit, legitimate purposes and not further processed incompatibly.
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.

Does your program actually cover Data Retention Policy?

Run a free ComplianceIQ audit against GDPR and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
