A data retention policy defines how long an organisation keeps each type of record or data, and when and how it must be securely deleted or destroyed.
A data retention policy is a document that defines how long an organisation keeps each type of record or data, and when and how that data must be securely deleted or destroyed once the period ends. It answers two questions that otherwise get answered by accident: “why do we still have this?” and “who said we could delete that?”. In practice it sits alongside the wider asset management policy, because the data it governs lives on the laptops, phones, and drives that policy tracks.
What a data retention policy covers
A usable policy is a table, not an essay. For each category of record it states:
- The record type - invoices, contracts, employee files, CCTV footage, email, customer data, system logs.
- The retention period - how long it is kept, and what starts the clock (creation, contract end, employee departure).
- The legal or business justification - the law, regulation, or operational need behind the period.
- The disposal method - secure deletion, data sanitization of the device, or physical destruction.
- The owner - who is accountable for the category and who executes the disposal.
How retention periods are set
Periods come from three directions. Statute sets minimums: financial and tax records typically carry mandatory periods of several years, and employment, payroll, and health records have their own rules depending on jurisdiction. Contracts and insurers may add requirements of their own. Everything else is a business judgement - and the honest default for data with no justification is “delete it”, not “keep it forever just in case”.
Retention and GDPR
For personal data, GDPR’s storage limitation principle (Article 5(1)(e)) turns retention from good housekeeping into a legal duty: personal data may be kept no longer than necessary for the purpose it was collected for. That cuts both ways - the policy must justify keeping data, and it must also respect legal minimums that force you to keep some records even after an erasure request, which GDPR itself permits where a legal obligation requires the processing. The retention schedule is where those two pressures get reconciled, in writing, before a regulator or auditor asks.
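The schedule described above is easier to execute when it is data rather than prose. The following is an added example, not AMPthilly's code or anything from the original page: a small Python evaluator that encodes schedule rows (record type, trigger, period, justification, owner, disposal method) and decides, for each record, whether it is retained, due for disposal, or unclassified. It also applies the reconciliation the GDPR paragraph describes: an erasure request wins unless a statutory minimum still runs, and a record with no justified period defaults to deletion. All record types, periods, owners and sample records are constructed placeholders and are not legal advice; real periods depend on jurisdiction.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical schedule rows. Periods are placeholders chosen for the
# example, not legal advice: real minimums depend on jurisdiction.
@dataclass(frozen=True)
class RetentionRule:
    trigger: str                 # event that starts the clock
    period_days: Optional[int]   # None = no justified period at all
    justification: str
    statutory_minimum: bool      # law forces keeping it until the period ends
    disposal: str
    owner: str

SCHEDULE = {
    "invoice": RetentionRule("creation", 7 * 365, "tax law (placeholder)", True,
                             "secure deletion", "finance"),
    "employee_file": RetentionRule("employee departure", 6 * 365,
                                   "employment law (placeholder)", True,
                                   "secure deletion", "hr"),
    "cctv": RetentionRule("recording", 30, "site security", False,
                          "overwrite", "facilities"),
    "marketing_export": RetentionRule("creation", None, "", False,
                                      "secure deletion", "marketing"),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    trigger_date: date                 # when the rule's trigger event happened
    deletion_requested: bool = False   # e.g. a GDPR erasure request

@dataclass(frozen=True)
class Decision:
    action: str    # "retain", "delete" or "review"
    reason: str
    owner: str
    disposal: str

def retention_end(rule: RetentionRule, record: Record) -> Optional[date]:
    """Date the retention period ends, or None if no period is justified."""
    if rule.period_days is None:
        return None
    return record.trigger_date + timedelta(days=rule.period_days)

def decide(record: Record, today: date, schedule=SCHEDULE) -> Decision:
    rule = schedule.get(record.record_type)
    if rule is None:
        # Unclassified data has no owner to execute disposal: escalate it.
        return Decision("review", "no schedule entry; classify before disposing", "", "")
    end = retention_end(rule, record)
    if end is None:
        # Storage limitation: no justified purpose means no reason to keep it.
        return Decision("delete", "no justified retention period", rule.owner, rule.disposal)
    if record.deletion_requested:
        # Erasure wins unless a legal obligation still forces retention.
        if rule.statutory_minimum and today < end:
            return Decision("retain", f"statutory minimum runs until {end.isoformat()}",
                            rule.owner, rule.disposal)
        return Decision("delete", "erasure request; no legal minimum blocks it",
                        rule.owner, rule.disposal)
    if today >= end:
        return Decision("delete", f"retention period ended {end.isoformat()}",
                        rule.owner, rule.disposal)
    return Decision("retain", f"retain until {end.isoformat()}", rule.owner, rule.disposal)

def disposal_worklist(records, today, schedule=SCHEDULE):
    """Everything a named owner must act on today: the recurring task that
    keeps a schedule from becoming shelfware."""
    work = []
    for r in records:
        d = decide(r, today, schedule)
        if d.action != "retain":
            work.append((r.record_id, d.action, d.owner, d.disposal, d.reason))
    return work

# Constructed sample records for the example.
TODAY = date(2024, 6, 1)
RECORDS = [
    Record("inv-2016-0042", "invoice", date(2016, 1, 15)),
    Record("inv-2022-0917", "invoice", date(2022, 3, 1), deletion_requested=True),
    Record("emp-0311", "employee_file", date(2023, 9, 30)),
    Record("cctv-lobby-2024-05-01", "cctv", date(2024, 5, 1)),
    Record("mkt-export-q1", "marketing_export", date(2024, 4, 2)),
    Record("shared-drive-copy-77", "old_export", date(2019, 1, 1)),
]

if __name__ == "__main__":
    for row in disposal_worklist(RECORDS, TODAY):
        print(*row, sep=" | ")
```

Run as a script it prints the day's worklist: the 2016 invoice is past its period, the CCTV clip's 30 days are up, the marketing export has no justification, and the unclassified shared-drive copy is escalated for review rather than silently deleted. The 2022 invoice stays despite the erasure request because its placeholder statutory minimum has not expired; a CCTV clip with an erasure request would be deleted at once, since nothing legal forces keeping it.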
What it means for retired devices
The part most policies under-specify is hardware. Every laptop, phone, or server that leaves service is a data-bearing device, and the records on it do not stop being governed by the policy just because the machine is in a cupboard. A retention policy with teeth says what happens at end of life: which devices must be sanitized before reuse or resale, which must be destroyed, and what evidence is kept - usually a certificate from an ITAD vendor or an internal wipe log tied to the device’s serial number that records the method used, who ran it, and when. A serial number on its own is not evidence that anything was wiped. Teams that keep an asset register find this part easy to evidence; in AMPthilly, the audit history and attached documents on each asset record give you a per-device trail showing when it was retired and what proof of disposal exists.
Common mistakes
- Keeping everything forever. Storage is cheap, but old data is pure liability - it can be breached, subpoenaed, or subject to access requests long after it stopped being useful.
- A policy nobody executes. A schedule that says “delete after the period ends” with no named owner and no recurring task is shelfware.
- Forgetting copies. Exports, backups, shared-drive duplicates, and the drive in a leaver’s old laptop all outlive the “official” copy unless the policy addresses them.
- No disposal evidence. When asked to prove a record or device was destroyed, “we are pretty sure it was” is not an answer an auditor accepts.
Related terms
- Asset Management Policy - the wider policy governing the equipment the data lives on
- Acceptable Use Policy - the rules for how staff use the devices and data day to day
- ITAD - the disposal process that executes the policy at hardware end of life
- Data Sanitization - the methods used to make deletion permanent
- Data-Bearing Device - any asset that stores data and therefore falls under the policy