What is a Data Retention Schedule?
A data retention schedule is a comprehensive policy document that categorizes all the data and records an organization produces or collects. For each category, it establishes a specific lifespan.
By defining these lifespans, the schedule provides explicit instructions to employees and IT systems on when to archive data and, critically, when to permanently delete or destroy it to comply with data minimization principles.
The Legal and Regulatory Basis for Retention
Retention periods cannot be arbitrary. They must be grounded in business necessity or legal requirements. Different types of data have different statutory requirements based on local laws and industry regulations.
For example, tax records and financial data often must be kept for several years to satisfy audit requirements, while unhired candidate resumes should generally be deleted shortly after a position is filled to comply with privacy laws like the GDPR.
Key Components of a Retention Policy
An effective schedule outlines the record category (e.g., HR, Finance, IT), a description of the data, the required retention period (e.g., 'Creation + 7 years'), and the trigger event that starts the clock (e.g., 'Employee Termination').
It must also specify the legal citation justifying the retention period and the approved method of secure disposal once the period ends.
Managing Legal Holds and Disposition Logs
A critical exception to the schedule is a 'legal hold'. If litigation or an investigation is anticipated, all relevant data destruction must be suspended immediately, regardless of the retention schedule.
When data finally reaches the end of its lifecycle, its destruction must be documented in a Data Disposition Log. This log serves as proof to auditors and regulators that the organization actively enforces its retention policy and securely eliminates data.
Frequently asked questions
Why is keeping data forever a bad idea?
Keeping data indefinitely increases storage costs, complicates e-discovery during litigation, and drastically increases liability in the event of a data breach, directly violating the 'storage limitation' principle of laws like the GDPR.
Who is responsible for the retention schedule?
It is typically a cross-functional effort led by the Data Protection Officer (DPO) or Legal counsel, supported by IT for technical implementation and department heads for categorizing specific records.
What happens if two laws have conflicting retention periods?
As a general rule, an organization should retain the data for the longest mandatory period required by law, ensuring compliance with all applicable statutes before destruction.
How does a legal hold affect the retention schedule?
A legal hold overrides the standard retention schedule. Any data subject to the hold must be preserved and protected from automatic or manual deletion until the legal hold is officially lifted.