Data Retention
What is Data Retention?
The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
Data retention defines maximum and, where applicable, minimum periods for which personal and business data is stored, balancing legal obligations (tax, employment, telecom data retention directives, e-discovery holds) against the GDPR Article 5(1)(e) storage limitation principle. Programs maintain a retention schedule by data category and jurisdiction, automate deletion in primary stores, backups, archives, logs, and AI training corpora, and document destruction in audit trails. Legal holds and ongoing investigations override standard schedules, while shorter periods support data minimization and reduce DSAR scope and breach blast radius. Common references include ISO/IEC 27001 Annex A.5.33, SOX, HIPAA, and sector regulators such as financial supervisors and telecoms authorities.
● Examples
- 01
Deleting marketing-event leads automatically after 24 months of inactivity.
- 02
Holding accounting records for ten years in line with national tax law before secure destruction.
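The schedule-driven process described above (a retention rule per data category and jurisdiction, a legal-hold override, deletion only once any legal minimum has passed, and an audit trail of every decision) can be made concrete with a small scheduler. The following is an added example, not code from the original page; the record layout, the `SCHEDULE` list, the 365-day approximation of years and all sample records are constructed assumptions that mirror the two examples above (marketing leads deleted after 24 months of inactivity, accounting records kept ten years before destruction). The audit trail is hash-chained so that a destruction record cannot be altered without detection, and an unclassified record is routed to review rather than deleted, so the scheduler fails closed.

```python
"""Added example: minimal retention scheduler with legal-hold override,
minimum/maximum periods and a hash-chained audit trail. All rules and
records below are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """One line of a retention schedule, keyed by category and jurisdiction (assumed layout)."""
    category: str
    jurisdiction: str
    min_days: int = 0               # legal minimum (e.g. tax law); nothing is deleted before this
    max_days: Optional[int] = None  # storage-limitation maximum; None = no automatic deletion


@dataclass
class Record:
    record_id: str
    category: str
    jurisdiction: str
    last_activity: date
    legal_hold: bool = False        # set by legal/incident response; overrides the schedule


# Constructed schedule mirroring the page's two examples (365-day years, leap days ignored).
SCHEDULE = [
    RetentionRule("marketing_lead", "EU", max_days=730),                  # 24 months idle
    RetentionRule("accounting", "DE", min_days=3650, max_days=3650),      # keep 10 years, then destroy
]


def find_rule(record: Record, schedule) -> Optional[RetentionRule]:
    for rule in schedule:
        if rule.category == record.category and rule.jurisdiction == record.jurisdiction:
            return rule
    return None


def decide(record: Record, today: date, schedule) -> tuple:
    """Return (decision, reason). Unknown data is sent to review, never auto-deleted."""
    rule = find_rule(record, schedule)
    if rule is None:
        return "review", "no retention rule for this category/jurisdiction"
    if record.legal_hold:                       # holds are checked before any age arithmetic
        return "retain", "legal hold overrides the schedule"
    age = (today - record.last_activity).days
    if age < rule.min_days:
        return "retain", f"minimum period not reached ({age}/{rule.min_days} days)"
    if rule.max_days is not None and age >= rule.max_days:
        return "delete", f"maximum period exceeded ({age}/{rule.max_days} days)"
    return "retain", f"within retention period ({age} days)"


class AuditTrail:
    """Append-only log where each entry commits to the previous one via SHA-256."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def append(self, **fields):
        body = json.dumps(fields, sort_keys=True, default=str)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.entries.append({"prev": self._prev, "hash": digest, **fields})
        self._prev = digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            body = json.dumps(fields, sort_keys=True, default=str)
            if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True


def run_schedule(records, today: date, schedule, audit: AuditTrail):
    """Apply the schedule; deletion is simulated by omitting the record from the result."""
    kept = []
    for r in records:
        decision, reason = decide(r, today, schedule)
        audit.append(run_date=today, record_id=r.record_id, category=r.category,
                     decision=decision, reason=reason)
        if decision != "delete":
            kept.append(r)
    return kept


# Constructed sample data: ages are measured against TODAY.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("lead-1", "marketing_lead", "EU", date(2022, 1, 15)),                   # idle > 24 months
    Record("lead-2", "marketing_lead", "EU", date(2023, 9, 1)),                    # recently active
    Record("lead-3", "marketing_lead", "EU", date(2021, 5, 1), legal_hold=True),   # old but on hold
    Record("inv-1", "accounting", "DE", date(2013, 3, 1)),                         # older than 10 years
    Record("inv-2", "accounting", "DE", date(2020, 3, 1)),                         # still inside minimum
    Record("chat-1", "support_chat", "EU", date(2015, 1, 1)),                      # no rule defined
]


def demo():
    audit = AuditTrail()
    kept = run_schedule(SAMPLE_RECORDS, TODAY, SCHEDULE, audit)
    return [r.record_id for r in kept], audit


if __name__ == "__main__":
    kept_ids, trail = demo()
    print("kept:", kept_ids)
    for e in trail.entries:
        print(e["record_id"], e["decision"], "-", e["reason"])
    print("audit chain intact:", trail.verify())
```

In a real deployment the `delete` branch would trigger destruction in every copy the page lists (primary store, backups, archives, logs, training corpora), and the audit entries would be shipped to write-once storage; the hash chain here only detects tampering, it does not prevent it.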
● Frequently asked questions
What is Data Retention?
The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized. It belongs to the Privacy & Data Protection category of cybersecurity.
What does Data Retention mean?
The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
How does Data Retention work?
Data retention defines maximum and, where applicable, minimum periods for which personal and business data is stored, balancing legal obligations (tax, employment, telecom data retention directives, e-discovery holds) against the GDPR Article 5(1)(e) storage limitation principle. Programs maintain a retention schedule by data category and jurisdiction, automate deletion in primary stores, backups, archives, logs, and AI training corpora, and document destruction in audit trails. Legal holds and ongoing investigations override standard schedules, while shorter periods support data minimization and reduce DSAR scope and breach blast radius. Common references include ISO/IEC 27001 Annex A.5.33, SOX, HIPAA, and sector regulators such as financial supervisors and telecoms authorities.
How do you implement Data Retention?
Implementation starts with a retention schedule that assigns a maximum and, where the law requires one, a minimum period to each data category in each jurisdiction. Deletion at the end of the period is automated and applied to every copy, including primary stores, backups, archives, logs, and AI training corpora, not only the system of record. Legal holds and ongoing investigations must be able to suspend deletion for specific records, and every destruction or retention decision is written to an audit trail so that compliance can be evidenced later.
What are other names for Data Retention?
Common alternative names include: Records Retention, Storage Limitation.
● Related terms
- Data Classification (privacy)
The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently.
- Data Minimization (privacy)
A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.
- Data Residency (privacy)
The requirement that data is physically stored and, in some interpretations, processed within a specific country or region, often driven by contracts, customer demands, or sector regulation.
- GDPR (compliance)
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Privacy by Design (privacy)
An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.
- Right to Be Forgotten (privacy)
The right of an individual to obtain the erasure of personal data concerning them when there is no overriding legal reason to keep processing it, under GDPR Article 17.