DATA RETENTION POLICY
[ORGANIZATION NAME]
Policy Number: [POL-DATA-001]
Effective Date: [DATE]
Last Reviewed: [DATE]
Next Review Date: [DATE]
Policy Owner: [Chief Privacy Officer / Chief Information Officer]
Approved By: [Executive/Board]
1. PURPOSE
1.1 Policy Purpose
This Data Retention Policy establishes requirements for retaining and disposing of data and records to:
- Ensure compliance with legal and regulatory requirements
- Support business operations and continuity
- Protect organizational interests in potential litigation
- Minimize data storage costs and security risks
- Support privacy principles of data minimization
- Meet data subject rights requirements under privacy laws
1.2 Guiding Principles
☐ Retain only what is necessary - Data should be retained only as long as required for business, legal, or regulatory purposes
☐ Know what you have - All data must be classified and inventoried
☐ Delete when no longer needed - Data must be securely disposed of when retention periods expire
☐ Protect during retention - Data must be appropriately protected during its lifecycle
☐ Document retention decisions - Retention periods and exceptions must be documented
2. SCOPE
2.1 Applicability
This policy applies to:
☐ All employees, contractors, and third parties handling organizational data
☐ All data created, received, maintained, or transmitted by [ORGANIZATION NAME]
☐ All data formats including:
- Electronic documents and files
- Paper documents
- Emails and communications
- Databases and systems
- Backup media
- Cloud-stored data
- Third-party hosted data
2.2 Data Types Covered
☐ Business records
☐ Financial records
☐ Human resources records
☐ Customer data
☐ Personal data (PII/PHI)
☐ Contracts and legal documents
☐ Communications (email, messaging)
☐ Marketing materials
☐ Technical documentation
☐ Security logs and audit trails
3. ROLES AND RESPONSIBILITIES
3.1 Data Governance Roles
| Role | Responsibilities |
|---|---|
| Executive Sponsor | Policy approval, resource allocation |
| Chief Privacy Officer / DPO | Privacy compliance, retention oversight |
| Legal / General Counsel | Legal hold management, regulatory compliance |
| Records Manager | Policy implementation, retention schedule maintenance |
| IT / Data Management | Technical implementation, secure disposal |
| Data Owners | Classification, retention decisions for owned data |
| All Employees | Compliance with policy, reporting concerns |
3.2 Data Owners
Data owners are responsible for:
☐ Classifying data under their control
☐ Determining appropriate retention periods within policy guidelines
☐ Ensuring timely disposal when retention periods expire
☐ Responding to legal holds affecting their data
4. DATA CLASSIFICATION
4.1 Classification Levels
| Classification | Description | Examples |
|---|---|---|
| Public | Information approved for public release | Marketing materials, public website content |
| Internal | General business information | Internal communications, policies |
| Confidential | Sensitive business information | Financial reports, business plans, vendor contracts |
| Restricted | Highly sensitive information | PII, PHI, trade secrets, executive communications |
4.2 Classification Requirements
☐ All data must be classified according to the above levels
☐ Classification should occur at data creation or acquisition
☐ Default classification for unclassified data: Internal
☐ Data owners may upgrade but not downgrade classifications
5. RETENTION SCHEDULE
5.1 Corporate and Business Records
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| Corporate formation documents | Permanent | State corporate law | Archive |
| Board meeting minutes | Permanent | Corporate governance | Archive |
| Annual reports | Permanent | SEC, corporate law | Archive |
| Business plans and strategies | 7 years after superseded | Business need | Secure destruction |
| Policies and procedures | 7 years after superseded | Audit, compliance | Secure destruction |
| Contracts (executed) | 7 years after expiration/termination | Statute of limitations | Secure destruction |
| Contracts (not executed) | 3 years | Business need | Secure destruction |
| Insurance policies | Permanent | Claims management | Archive |
| Licenses and permits | 7 years after expiration | Regulatory | Secure destruction |
5.2 Financial and Accounting Records
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| General ledger | Permanent | SEC, IRS | Archive |
| Annual financial statements | Permanent | SEC, audit | Archive |
| Accounts payable/receivable | 7 years | IRS, SOX | Secure destruction |
| Bank statements | 7 years | IRS, audit | Secure destruction |
| Tax returns and supporting docs | 7 years | IRS (IRC Section 6501) | Secure destruction |
| Payroll records | 7 years | IRS, FLSA | Secure destruction |
| Expense reports | 7 years | IRS, audit | Secure destruction |
| Purchase orders | 7 years | IRS, audit | Secure destruction |
| Invoices | 7 years | IRS, audit | Secure destruction |
| Audit reports (external) | Permanent | SEC, audit | Archive |
| Audit reports (internal) | 7 years | Audit | Secure destruction |
5.3 Human Resources Records
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| Personnel files | 7 years after termination | EEOC, state laws | Secure destruction |
| Applications (hired) | 7 years after termination | EEOC | Secure destruction |
| Applications (not hired) | 2 years | EEOC | Secure destruction |
| I-9 forms | 3 years after hire OR 1 year after termination (whichever later) | IRCA | Secure destruction |
| Performance reviews | 7 years after termination | Employment litigation | Secure destruction |
| Disciplinary records | 7 years after termination | Employment litigation | Secure destruction |
| Benefits records | 7 years after termination | ERISA | Secure destruction |
| Training records | 7 years after termination | OSHA, compliance | Secure destruction |
| Workers' compensation | 10 years after claim closed | State WC laws | Secure destruction |
| OSHA records | 5 years | OSHA | Secure destruction |
| EEO-1 reports | 3 years | EEOC | Secure destruction |
5.4 Customer and Sales Records
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| Customer master records | Active + 7 years after last transaction | Business need, tax | Secure destruction |
| Sales orders | 7 years | Tax, audit | Secure destruction |
| Customer contracts | 7 years after expiration | Statute of limitations | Secure destruction |
| Customer correspondence | 3 years after relationship ends | Business need | Secure destruction |
| Customer complaints | 5 years after resolution | Regulatory, litigation | Secure destruction |
| Marketing consent records | Duration of consent + 5 years | CCPA, GDPR, CAN-SPAM | Secure destruction |
| Opt-out records | Indefinite (maintain suppression list) | CAN-SPAM, TCPA | Maintain |
5.5 Personal Data (Privacy-Specific)
| Data Type | Retention Period | Legal Basis | Special Requirements |
|---|---|---|---|
| Customer PII | As long as necessary for disclosed purpose + legal requirements | CCPA, state privacy laws | Document purpose, honor deletion requests |
| Employee PII | Per HR retention schedule | Privacy laws, employment | Secure handling required |
| Marketing/analytics data | 2 years from collection (unless consent renewed) | Privacy laws | Honor opt-outs |
| Website visitor data | 13 months | Privacy laws, analytics | Cookie consent required |
| Data subject request records | 3 years after request completion | CCPA, GDPR | Document response |
5.6 Legal and Compliance Records
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| Litigation files | 7 years after final resolution | Legal | Secure destruction |
| Regulatory correspondence | 10 years | Regulatory | Secure destruction |
| Compliance audit records | 7 years | Compliance | Secure destruction |
| Privacy impact assessments | 7 years | Privacy laws | Secure destruction |
| Data breach records | 7 years | Privacy laws, litigation | Secure destruction |
| Consent records | Duration of consent + 5 years | Privacy laws | Secure destruction |
5.7 IT and Security Records
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| Security logs (authentication) | 1 year minimum, 3 years recommended | PCI-DSS, compliance | Secure destruction |
| Security logs (network) | 90 days minimum, 1 year recommended | Compliance, forensics | Secure destruction |
| Security incident records | 7 years | Compliance, litigation | Secure destruction |
| System backups | Per backup policy (typically 30-90 days) | Business continuity | Secure destruction |
| Disaster recovery records | Current + 1 prior version | Business continuity | Secure destruction |
| Change management records | 3 years | Compliance, audit | Secure destruction |
| Asset inventories | Current + 3 years | Audit, compliance | Secure destruction |
5.8 Healthcare Records (HIPAA - if applicable)
| Record Type | Retention Period | Legal Basis | Disposition |
|---|---|---|---|
| Medical records (adults) | 6 years from last treatment (or longer per state law) | HIPAA, state laws | Secure destruction |
| Medical records (minors) | Until age of majority + state requirement | HIPAA, state laws | Secure destruction |
| HIPAA policies | 6 years | HIPAA 45 CFR 164.530(j) | Secure destruction |
| Patient authorizations | 6 years | HIPAA | Secure destruction |
| Business associate agreements | 6 years after termination | HIPAA | Secure destruction |
| Risk assessments | 6 years | HIPAA | Secure destruction |
| Training records | 6 years | HIPAA | Secure destruction |
| Incident/breach records | 6 years | HIPAA | Secure destruction |
6. LEGAL HOLDS
6.1 Legal Hold Definition
A legal hold (also known as litigation hold or preservation order) suspends the normal retention schedule and prevents destruction of potentially relevant data when:
☐ Litigation is reasonably anticipated or pending
☐ Government investigation or audit is underway
☐ Regulatory inquiry is received
☐ Internal investigation requires preservation
6.2 Legal Hold Process
6.2.1 Initiation
☐ Legal department initiates legal holds
☐ Legal hold notice identifies:
- Scope of data to be preserved
- Affected custodians and systems
- Duration of hold
- Contact for questions
☐ Legal holds take precedence over retention schedules
6.2.2 Compliance
☐ All recipients must acknowledge receipt of legal hold
☐ Recipients must preserve all data described in the hold
☐ Auto-deletion must be suspended for affected data
☐ Questions should be directed to Legal
6.2.3 Release
☐ Only Legal can release a legal hold
☐ Written notification of release will be provided
☐ Normal retention schedule resumes after release
☐ Data past retention period may be destroyed after release
6.3 Consequences of Violation
Failure to comply with a legal hold may result in:
☐ Disciplinary action
☐ Adverse legal consequences (spoliation sanctions)
☐ Monetary penalties
☐ Criminal liability
7. DATA DISPOSAL
7.1 Disposal Methods
7.1.1 Electronic Data
| Data Classification | Approved Disposal Method |
|---|---|
| Public | Standard deletion |
| Internal | Secure deletion (overwrite) |
| Confidential | Secure deletion (3-pass overwrite) or degaussing |
| Restricted | Secure deletion (7-pass overwrite), degaussing, or physical destruction |
7.1.2 Physical Media
| Media Type | Approved Disposal Method |
|---|---|
| Paper documents | Cross-cut shredding |
| Hard drives | Degaussing and/or physical destruction |
| SSDs | Cryptographic erasure or physical destruction |
| Optical media (CD/DVD) | Shredding |
| Magnetic tape | Degaussing and/or physical destruction |
| Mobile devices | Factory reset + destruction (if sensitive) |
7.2 Disposal Requirements
☐ Disposal must be documented (certificate of destruction)
☐ Third-party disposal vendors must be approved and contracted
☐ Certificates of destruction must be retained for 3 years
☐ Disposal of Restricted data requires witness verification
7.3 Cloud Data Disposal
☐ Request deletion from cloud provider
☐ Obtain confirmation of deletion
☐ Verify deletion of backups per provider's schedule
☐ Consider cryptographic erasure where available
8. BACKUP AND ARCHIVAL
8.1 Backup Retention
| Backup Type | Retention Period |
|---|---|
| Daily incremental | 30 days |
| Weekly full | 90 days |
| Monthly full | 1 year |
| Annual archive | Per record retention schedule |
8.2 Archive Distinction
☐ Archives are for long-term preservation of records with ongoing value
☐ Backups are for disaster recovery, not long-term retention
☐ Records requiring long retention should be archived separately
☐ Archive access should be restricted and audited
9. THIRD-PARTY DATA
9.1 Third-Party Requirements
☐ Third parties must follow this retention policy for data processed on our behalf
☐ Data processing agreements must include retention requirements
☐ Third parties must return or destroy data upon contract termination
☐ Certificates of destruction required from third parties
9.2 Third-Party Data Received
☐ Third-party data received should be retained only as necessary
☐ Third-party restrictions on retention must be followed
☐ Destruction timelines in agreements must be honored
10. COMPLIANCE AND MONITORING
10.1 Compliance Monitoring
☐ Regular audits of retention compliance
☐ Review of disposal records
☐ Verification of legal hold compliance
☐ Third-party compliance verification
10.2 Policy Review
☐ Annual review of retention schedules
☐ Updates for new regulations or business changes
☐ Legal counsel review of significant changes
10.3 Exceptions
☐ Exceptions require documented approval from Records Manager and Legal
☐ Exceptions must include business justification
☐ Exceptions must have defined end dates
☐ Exception register maintained
11. ENFORCEMENT
11.1 Compliance Responsibility
☐ All employees are responsible for complying with this policy
☐ Data owners responsible for data under their control
☐ IT responsible for technical implementation
☐ Legal responsible for legal hold management
11.2 Violations
Violations of this policy may result in:
☐ Disciplinary action
☐ Legal liability
☐ Regulatory penalties
12. DEFINITIONS
| Term | Definition |
|---|---|
| Archive | Storage of records for long-term preservation |
| Backup | Copy of data for disaster recovery purposes |
| Data Owner | Person accountable for a set of data |
| Legal Hold | Suspension of retention schedule due to legal requirements |
| Personal Data | Information relating to an identifiable individual |
| Retention Period | Length of time records must be maintained |
| Secure Destruction | Disposal method that prevents data recovery |
APPENDIX A: QUICK REFERENCE RETENTION CHART
| Record Category | General Retention | Key Considerations |
|---|---|---|
| Corporate governance | Permanent | Archive |
| Financial/Tax | 7 years | IRS requirements |
| HR/Personnel | 7 years after termination | EEOC, state laws |
| Contracts | 7 years after expiration | Statute of limitations |
| Customer data | Purpose + legal requirements | Privacy laws apply |
| Security logs | 1-3 years | Compliance requirements |
| Email (general business) | 3-7 years | Litigation risk |
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
APPROVAL
| Role | Name | Signature | Date |
|---|---|---|---|
| Chief Privacy Officer | | | |
| General Counsel | | | |
| CIO | | | |
| CEO | | | |
This policy is the property of [ORGANIZATION NAME]. Questions should be directed to the Records Manager at [EMAIL].
Last updated: February 2026