Data Retention Policy: How to Build One That Holds Up

Q: What is the difference between a data retention policy and a records retention policy?

Records retention typically refers to how long you keep formal business records—contracts, invoices, meeting minutes, regulatory filings. Data retention is broader and includes operational data, customer information, logs, and any data asset your organization holds. A records retention policy might be part of your broader data retention policy. The distinction matters because records are often subject to legal or regulatory requirements, while operational data may have business-driven retention periods. Most organizations merge them into a single policy.

Q: How long should we retain customer data?

Retention depends on your regulation and business model. In financial services, transaction records typically require 7 years for tax purposes. In healthcare, records are often 6 years from last treatment. In SaaS, you may retain customer data for 2–3 years after account closure to handle disputes and reactivation. GDPR limits you to keeping customer contact data only as long as necessary for your stated purpose. Start with regulatory requirements, layer in business justification, and document the resulting period.

Q: What happens if we receive a legal hold but don't know which systems have the data?

You have a serious compliance problem. A legal hold requires you to preserve relevant data, but if you don't know where data lives, you can't preserve it. The organization faces potential sanctions for failure to preserve. Before you need a legal hold, inventory all systems that hold data and document what each system contains. When a hold arises, you can quickly identify what to preserve.

Q: Can we retain data indefinitely if we don't know the retention period?

No. Indefinite retention is indefensible under most regulations. GDPR forbids it (storage limitation principle). US regulators expect organizations to know how long they keep data and to have a justification. If you can't determine a retention period, that's a data governance problem you must solve. The default cannot be "keep forever."

Q: How do we handle deletion if data exists in multiple systems?

Treat deletion as a multi-system process. Deleting from the primary system is the first step, but the record may exist in backups, archives, shadow systems, or third-party platforms. You must coordinate deletion across all systems where the data lives. Create a deletion workflow that includes: primary system deletion, backup deletion (after a grace period), archive deletion, and vendor notification. Document that all deletion was completed before marking the record as deleted.

Q: What if a retention period in our policy conflicts with litigation?

Litigation takes precedence. When a legal hold is issued, deletion stops. Normal retention rules are suspended. Data must be preserved until the hold is released, even if the retention period would normally allow deletion. Your policy should explicitly state this. Once litigation concludes and the hold is released, normal retention resumes, and you can delete data as if the retention period had never been interrupted.

Q: How does GDPR change our retention requirements?

GDPR imposes a stricter principle: storage limitation. You can keep data only as long as necessary for your stated purpose. This is often shorter than US regulatory retention periods. If US tax law requires 7-year retention but GDPR allows 3 years, the shorter period applies to EU residents' data. You may need different retention schedules for different geographies. GDPR also enables data subjects to request deletion (right to erasure), which may override your retention period if the data is no longer necessary.

Q: Should retention periods be the same for all customers or data subjects?

Generally yes, unless regulation requires otherwise. Your retention schedule should define retention by data category and regulation, not by individual. Some exceptions: litigation holds (customer-specific), GDPR deletion requests (person-specific), and VIP customers (business-specific). But the baseline should be consistent. If you have different retention for different customers, you create operational complexity and fairness issues.

Q: How do we prove to auditors that deletion actually happened?

Document the deletion process and produce evidence. Evidence includes: the retention schedule showing the record was eligible for deletion, a log showing the record was created or last modified before the retention period expired, a legal hold release showing no hold was active, and a deletion report showing the record was removed from the primary system and backups. If you can't produce this trail, deletion is not defensible.

A data retention policy is a documented set of rules defining how long your organization keeps data, when it can be deleted, and what triggers legal preservation. It’s the operational spine connecting compliance obligation to defensible deletion.

Introduction

I’ve built data retention policies for organizations ranging from 200 to 200,000 employees, and I can tell you the difference between one that survives audit and one that becomes a liability comes down to a single principle: operationalization. A retention policy that lives only in a PDF in SharePoint is not a policy—it’s a liability waiting to be discovered. A retention policy that’s wired into your systems, enforced through workflow, and auditable by exception is the kind that keeps you out of regulatory trouble.

The stakes are high. In 2023, the FTC began explicitly scrutinizing data retention practices under the Safeguards Rule, and GDPR enforcement has clarified that “we keep everything” is no longer a defensible posture. Regulatory bodies expect you to know, precisely, how long you keep each category of data, why you keep it that long, and evidence that deletion actually happens. If you can’t produce that evidence during an investigation, regulators assume you’re either incompetent or hiding something—neither helps your case.

Most organizations build retention policies in a vacuum: compliance and legal define retention periods in isolation, IT tries to implement them across a chaotic system landscape, and business units ignore the whole thing because it conflicts with their operational needs. The result is a policy that exists on paper but not in practice. When audit comes, the gap between the written policy and actual data practices creates exposure.

This article walks through how to build a retention policy that actually works—one that’s grounded in real compliance requirements, operationalized across your systems, and defensible when scrutinized. I’ve included the decisions you need to make, the stakeholders you need to involve, and the common failure modes I’ve watched organizations stumble into.

What a Data Retention Policy Must Cover

A retention policy is not just a list of how long you keep data. It’s a multi-layered document that addresses legal obligation, business justification, system implementation, and exception handling. If it doesn’t cover these dimensions, it will fail the moment an audit begins.

Scope and applicability. Your policy must clearly state what data it applies to. Does it cover all data? Personally identifiable information (PII) only? Both structured and unstructured data? Does it apply globally, or do different geographies have different rules? I’ve seen organizations define retention for “customer data” without distinguishing between transactional records, marketing preferences, and support logs—each with different legal retention requirements and deletion triggers. Be explicit about what’s in scope and what’s carved out (financial records, litigation holds, audit logs—these often have different rules).

Roles and responsibilities. Retention is not IT’s job alone. Your policy must define who owns retention decisions (compliance, legal, business), who implements them (IT, data engineering), who audits them (internal audit, data governance), and who handles exceptions (records management, legal). Vague ownership creates gaps. I’ve implemented policies where no one owned cross-system retention coordination, and the result was data deleted from one system but retained in a backup or shadow system—defeating the purpose entirely.

Retention periods by data category. This is the core of the policy. You must map each data category (customer records, transactions, logs, contracts, communications, etc.) to a specific retention period, and anchor each period to a regulation, business need, or legal opinion. Not a range (“3–7 years”). A period. I’ll come back to how to set these, but the policy document itself must make the justification transparent: “Customer transaction records: 7 years (tax audit statute of limitations); then delete.”

Legal hold procedure. Retention policies assume normal operations. Legal holds suspend deletion. Your policy must define how a legal hold is issued, what systems it affects, how it’s tracked, and when it expires. Many organizations have no documented legal hold procedure, which means when litigation arises, data destruction continues in parallel with preservation—a nightmare scenario. The procedure should include who can issue a hold (General Counsel only? Any attorney?), how it’s communicated to systems owners, and how compliance tracks it.

Deletion and destruction standards. How is data actually deleted? Does “delete” mean removal from the primary system, or does it require overwriting, encryption-key destruction, or physical destruction of media? Your policy should specify the standard (e.g., “deletion from operational systems plus removal from all backups within 90 days”). Vague deletion language leaves room for interpretation—and for auditors to claim data wasn’t really deleted.

Exceptions and escalation. Retention periods are guidelines, not absolutes. Business requests for longer retention, compliance holds, third-party data requests, and regulatory investigations all require exception handling. The policy should outline how exceptions are requested, who approves them, and how they’re tracked separately from standard retention.

Review and update cadence. Regulations change. Business needs evolve. Your policy should specify how often it’s reviewed (annually, at minimum) and by whom. I’ve seen policies that were compliant in 2019 become non-compliant by 2023 simply because no one reviewed them when new regulations took effect.

Setting Retention Periods by Data Type and Regulation

This is where the rubber meets the road. Retention periods aren’t arbitrary—they’re driven by regulation, litigation risk, and business need. But translating those drivers into a concrete data retention schedule is where many organizations stumble.

Start with the regulatory baseline. Different data types have different regulatory retention requirements. Tax records typically require 7 years (IRS statute of limitations). Consumer complaints require 3 years under FCRA. Employment records require 1 year under Fair Labor Standards Act. Healthcare data has a different baseline depending on the type of record and the entity. Financial institutions face GLBA requirements that vary by document type. Before you design anything, map your data categories to applicable regulations. This is tedious but non-negotiable—it’s your legal foundation.

Once you have the regulatory baseline, you layer in business need. Some organizations retain transaction data longer than legally required because it’s valuable for analytics, fraud investigation, or customer service. That’s legitimate—but it must be documented. I implemented a policy at a financial services firm where they retained mortgage documents for 10 years (vs. the 7-year legal minimum) because their servicing business needed that data for customer disputes. The extra 3 years was justified in the policy; during audit, the institution could explain why, and regulators accepted it.

The tricky part is balancing retention with data minimization. GDPR’s minimization principle says you shouldn’t keep data longer than necessary. Longer retention periods increase regulatory risk, liability exposure, and storage cost. Every additional year you retain data is an extra year it could be breached, stolen, or misused. I’ve worked with teams where business wanted to retain customer contact data “indefinitely” for reactivation campaigns, but that stretched minimization principles and created unnecessary liability. The solution was a compromise: active retention for 3 years, then archive-and-anonymize for 2 more, then delete. That gave business what they needed while respecting regulatory limits.

Create a data retention schedule matrix. Rows are data categories (customer records, transactions, logs, contracts, communications, etc.). Columns are: regulatory requirement, business justification, total retention period, deletion method, and owner. This becomes your policy’s appendix and your operational reference. When someone asks “how long do we keep this?” you have a single source of truth. When audit comes, you can produce this matrix and walk through the logic.

One practical note: retention periods should be defined by a trigger date, not a vague timeline. “Delete 7 years after record creation” is better than “delete after 7 years”—but “delete 7 years after the last transaction” is often more precise. In healthcare, it’s often “7 years from the date of last treatment.” In finance, “7 years from the close of the relevant fiscal year.” The trigger matters because it determines when deletion actually happens.

Legal Holds and Defensible Deletion

If you have a retention policy but no legal hold procedure, you don’t have a retention policy—you have a data destruction liability. Legal holds are the mechanism that suspends normal deletion when litigation, investigation, or regulatory action is foreseeable.

A legal hold is a preservation notice: it tells systems owners “stop deleting this data because it’s relevant to litigation or investigation.” In the US, the duty to preserve arises when you have notice of pending or foreseeable litigation (the standard is “reasonable anticipation” under Federal Rule of Civil Procedure 26(b)). In the EU, GDPR doesn’t use the term “legal hold,” but the principle is embedded in the Storage Limitation Principle—data needed for legal or compliance purposes may be retained longer.

Your policy must define a legal hold procedure with these elements:

Issuance. Who can issue a hold? Typically, General Counsel or the litigation team. The hold should identify the litigation or investigation, the categories of data affected, the systems involved, and the effective date. “We have a lawsuit” is not specific enough.

Scope. What data does the hold cover? This is harder than it seems. If you’re being sued by a customer, do you hold all their data, or just data relevant to the dispute? Do you hold all communications from executives potentially involved? All transactions within a date range? Broad holds create cost and operational friction; narrow holds risk missing relevant data. I’ve found that broad holds are preferable to narrow ones—the cost of retention is lower than the cost of adverse inference if relevant data is missing.

Communication. How do you get the hold to systems owners? Email is not enough. You need a formal record that IT, databases, backup systems, cloud platforms, and legal holds management teams all received notice. I’ve seen litigation proceed for months with email notifications floating around, and when opposing counsel asked “what’s your evidence of preservation?”, the organization had nothing but email threads. Create a legal hold tracker with a sign-off from each system owner confirming they received the hold and know what to preserve.

Tracking and expiration. How long is the hold active? When does it expire? Holds should be explicit and time-limited. “Hold until litigation resolves or until we tell you otherwise” is vague and creates perpetual retention. Better: “Hold until June 30, 2026, or until litigation concludes, whichever is earlier. General Counsel will confirm continuation by June 1.”

Defensible deletion, by contrast, is the ability to demonstrate that you deleted data in accordance with your retention policy and that no legal hold was in effect. This requires:

Evidence that you had a documented retention policy. This is table stakes. Without a policy, deletion is not defensible; it’s just destruction.

Proof that the retention period had expired. This might be a report showing creation date, deletion date, and days retained. Simple, but required.

Documentation that no legal hold was active. If a hold exists, you delete differently—usually you preserve the data but flag it as held. If a hold lapses, then deletion resumes. You need to prove that you checked the legal hold registry before deletion.

A record that deletion actually happened. Many organizations have policies that say “delete,” but when audited, the data is still in backups, archives, or shadow systems. Defensible deletion means you can produce a deletion report: system, date range, number of records, method used (physical destruction, cryptographic erasure, overwrite, etc.), and who authorized it.

I learned this the hard way at a previous employer. We had a retention policy, but when a regulatory investigation arose, we discovered that customer data marked for deletion was still in offline backups—some of which hadn’t been indexed or tracked. We couldn’t prove deletion was attempted, and regulators questioned whether we ever intended to delete. The investigation took months longer than it should have. Afterward, we rewrote the deletion procedure to require cross-system confirmation before data was marked as deleted from the primary system.

Legal hold vs. retention period. These are separate concepts and often conflict. A legal hold can extend retention indefinitely; a retention policy defines normal operation. Your policy should clarify what happens when a hold overlaps with deletion. Typically: a hold pauses deletion indefinitely, and deletion resumes only after the hold is released. Make this explicit.

Operationalizing Retention Across Systems

Having a policy on paper means nothing if you can’t enforce it across your system landscape. Operationalization is where most organizations fail.

Start with system inventory. You cannot implement retention if you don’t know where data lives. I’ve worked with organizations where retention was implemented in their primary database but not in:

Backup and archive systems
Cloud platforms (SaaS, IaaS)
Data warehouses and lakes
Shadow systems and departmental databases
Email and file servers
Logs and event systems
Third-party vendors who hold your data

Each system has different retention capabilities and constraints. Some allow date-based deletion; others don’t. Some have built-in retention policies; others require manual deletion. Operationalizing retention means assessing each system and deciding how to implement the policy there.

For databases and data warehouses, retention can be automated. You can create a process that identifies records older than the retention period and deletes them on a schedule. This is relatively straightforward for operational systems. For data lakes, it’s more complex because the same record might exist in multiple formats or partitions.

For backups and archives, retention is a matter of backup policy, not data policy. If your retention period is 7 years, you need to ensure that full backups are retained for 7 years and then deleted. Incremental backups are trickier—if a record is deleted from the primary system, it may still exist in an incremental backup if the backup predates the deletion. Some organizations address this by deleting from backups on the same schedule as the primary system (after a 30-day grace period). Others use cryptographic erasure: instead of overwriting backup data, they delete the encryption keys, rendering the data unrecoverable. Both are defensible; choose based on your storage and compliance constraints.

For email and file servers, retention is often policy-based, not automated. You can set Exchange or SharePoint retention policies that automatically delete items after a retention period. Office 365 and Google Workspace both support retention labels and policies. But not all systems do. Some organizations fall back to legal holds and manual deletion—which is expensive and error-prone.

For logs and event systems, retention is critical but often overlooked. Security logs, audit logs, and application logs may be governed by different retention periods than application data. Logs are high-volume and low-value for business purposes, but high-value for compliance. I implement a standard: security and audit logs retained 3 years, application logs 1 year. But this must be a conscious choice, not a default.

For third-party vendors, you need contractual controls. Does your SaaS provider support deletion? What’s their process? How long do they retain data after deletion? Can they confirm deletion? Many contracts have boilerplate that says “we delete data when you request it” but the actual mechanism is unclear. Tighten the contract to specify: deletion method, confirmation process, and timeline. If a vendor can’t meet your retention requirements, you have a compliance problem you must address.

Create a retention implementation matrix: system, data categories stored, retention period, deletion method, automation status, and owner. This becomes your operationalization roadmap. It forces you to acknowledge that retention is not a single-system problem and that each system requires a different implementation approach.

One crucial element: data lifecycle retention planning. Data ages through stages: hot (actively used), warm (occasionally accessed), cold (rarely accessed), and archived (never accessed). Retention can be staged: retain hot for 2 years, warm for 3 years, then delete. Or retain hot for 2 years, warm for 3 years, cold for 5 years, then delete. Staging reduces storage cost and operational friction. You’re not deleting actively-used data; you’re archiving it, then deleting it when it’s truly cold. This also makes the operational business case for retention clearer: “We’re not asking you to delete production data; we’re archiving it first.”

GDPR changed how the world thinks about retention. Under GDPR Article 5(1)(e), data must not be kept “in a form which permits identification of data subjects for longer than necessary” (the Storage Limitation Principle). This is not the same as US regulatory retention periods, which are often designed to prevent fraud and enable dispute resolution.

The GDPR principle is harder: how long is “necessary”? The answer depends on the legal basis and purpose. If you process data for contract performance, you can keep it as long as the contract is active, plus a period to handle disputes (e.g., 2–3 years). If you process for marketing, you can keep it only as long as the customer is engaged (typically 2 years from last interaction). If you process for legal obligation (tax, financial services), you keep it as long as the law requires. But you cannot keep data indefinitely “just in case.”

GDPR enforcement (particularly in Germany, France, and the UK) has made retention periods a priority. Regulators challenge organizations that keep customer data “in case they return” or “because it’s useful for analytics.” Under GDPR, utility doesn’t justify retention. Necessity does.

Data minimization extends beyond retention periods. It’s a principle that says you should collect and keep only the data you need for your stated purpose. In practice, this means:

Reducing collection. Don’t collect data you won’t use. If you don’t need phone numbers, don’t ask for them.

Reducing retention. Delete data as soon as its purpose is fulfilled. Don’t keep “just in case.”

Reducing scope. If you need customer name for billing, you don’t need billing address, phone, and email preferences unless they serve your purpose.

These sound obvious, but they conflict with how many organizations operate. Business wants to keep data for potential future uses. Analytics teams want to keep data for historical analysis. Marketing wants to keep contact data for reactivation campaigns. Data minimization says: be explicit about the purpose, and keep only what you need for that purpose.

For organizations with a GDPR-required Data Compliance & Regulations: The Complete Guide, data minimization must be baked into the retention policy from the start. Your retention schedule should map each data category to its legal basis and purpose, and the retention period should be the minimum necessary for that purpose. If you can’t justify why you’re keeping something, you can’t keep it under GDPR.

A practical approach: implement a “purpose expiry” in your retention schedule. Example: “Customer contact data retained for 2 years for account management; 1 year for marketing reactivation; then anonymized for 2 years for analytics, then deleted.” Each row in the schedule ties retention to a purpose and a period. When the purpose expires, the retention period should expire.

For international organizations, you may have different retention periods for different geographies. US operations might retain transaction data 7 years for tax reasons. EU operations might retain the same data 3 years for business necessity but anonymize after year 1 to comply with minimization. This creates complexity, but it’s often necessary. Your retention schedule should acknowledge geography-specific rules.

Common Retention Policy Failures

I’ve seen enough retention policies fail that I can catalog the patterns. If you recognize your organization in any of these, fix it now before audit finds it.

Failure #1: Policy exists, but implementation doesn’t. This is the most common failure. Compliance writes a policy defining how long to keep data. IT never gets the budget or priority to implement it. Business units ignore it because it doesn’t fit their workflow. Three years later, audit asks “where’s the evidence of deletion?” and you have no answer. The gap between policy and practice is a red flag. To avoid this: write the policy with IT at the table. Get agreement on implementation before you publish. Assign an owner. Fund it.

Failure #2: No legal hold procedure. You have a retention policy but no way to suspend deletion when litigation arises. When an investigation happens, you don’t know what data to preserve, or you continue deleting data while you should be preserving it. Regulators see this as intentional destruction, not incompetence. To avoid this: document a legal hold procedure and test it in a simulation before you need it.

Failure #3: Retention periods are too vague. “Keep for a while.” “Retain as long as possible.” “Delete when no longer useful.” These phrases are useless. You can’t operationalize vague retention periods, and you can’t defend them in audit. Every retention period should be a specific number of years or months, tied to a trigger date. To avoid this: use the data retention schedule matrix and force yourself to fill in every cell with a concrete number and trigger.

Failure #4: No retention period for logs. Organizations often overlook logs: security logs, audit logs, application logs. Logs aren’t “data” in the traditional sense, so they don’t make it into the retention schedule. But logs are discovered in litigation, audited in compliance investigations, and may contain sensitive information. Define retention for each log type. To avoid this: expand your data categories to include logs and assign retention periods.

Failure #5: Backup and archive data are not subject to retention. Backups are kept “as long as possible” for disaster recovery. Archives are kept indefinitely. But when litigation arises or GDPR requests come in, old backups and archives become evidence. If a record is deleted from the primary system but still exists in a 10-year-old backup, your deletion is not defensible. To avoid this: treat backups and archives as subject to the same retention policy as the primary system. Build deletion into your backup strategy.

Failure #6: Third-party data is not tracked. You have a retention policy for your systems but not for data held by vendors, cloud platforms, or partners. When audit asks “where is customer data held?”, you don’t know. When you need to delete customer data to comply with a GDPR request, you can’t because you don’t know if your vendor has it. To avoid this: inventory all third-party systems that hold your data and get contractual commitment to your retention policy.

Failure #7: Legal hold is informal. Litigation arises. Someone in General Counsel’s office sends an email: “Don’t delete stuff related to the lawsuit.” IT gets the email but doesn’t document receipt. Six months later, nobody remembers what was supposed to be held. Data continues to be deleted. When opposing counsel asks “what’s your evidence of preservation?”, you have nothing. To avoid this: formalize the legal hold process with written notices, sign-off from system owners, and a legal hold tracker.

Failure #8: Retention period overlaps with business need, and there’s no exception process. Business wants to retain data longer than the policy allows for operational reasons (customer disputes, fraud investigation, analytics). There’s no documented way to request an exception. So either business retains data outside policy (circumventing the policy), or business pressure overrides the policy (invalidating it). To avoid this: document an exception process. Allow retention beyond the standard period if justified and approved. Track exceptions separately so audit can see what’s intentional.

Bottom Line

A retention policy is not a compliance document you file and forget. It’s an operational framework that, when built and maintained correctly, protects the organization from regulatory exposure, defensibility challenges, and the liability of uncontrolled data proliferation.

The difference between a policy that works and a policy that fails comes down to this: has it been operationalized? Can you walk an auditor through how retention is implemented across every system? Can you produce a legal hold tracker? Can you show evidence of deletion? Can you explain why you retained data longer than the legal minimum? If the answer is no to any of these, your policy is not mature enough.

In my experience, the organizations with the strongest retention postures do three things consistently: they define retention periods with precision (not vague ranges), they implement retention across every system (not just the primary one), and they treat legal holds as a formal, tracked process (not an informal handshake). These are not shortcuts. They require investment and discipline. But the cost of doing it right is far lower than the cost of discovery and remediation when audit finds gaps.

Start with the data retention schedule—get it documented, get it reviewed by compliance and legal, get it signed off by IT. That single artifact becomes the north star for all operationalization work. Everything else flows from it.

Frequently Asked Questions About Data Retention Policy

What is the difference between a data retention policy and a records retention policy?

Records retention typically refers to how long you keep formal business records—contracts, invoices, meeting minutes, regulatory filings. Data retention is broader and includes operational data, customer information, logs, and any data asset your organization holds. A records retention policy might be part of your broader data retention policy. The distinction matters because records are often subject to legal or regulatory requirements, while operational data may have business-driven retention periods. Most organizations merge them into a single policy.

How long should we retain customer data?

Retention depends on your regulation and business model. In financial services, transaction records typically require 7 years for tax purposes. In healthcare, records are often 6 years from last treatment. In SaaS, you may retain customer data for 2–3 years after account closure to handle disputes and reactivation. GDPR limits you to keeping customer contact data only as long as necessary for your stated purpose. Start with regulatory requirements, layer in business justification, and document the resulting period.

What happens if we receive a legal hold but don’t know which systems have the data?

You have a serious compliance problem. A legal hold requires you to preserve relevant data, but if you don’t know where data lives, you can’t preserve it. The organization faces potential sanctions for failure to preserve. Before you need a legal hold, inventory all systems that hold data and document what each system contains. When a hold arises, you can quickly identify what to preserve.

Can we retain data indefinitely if we don’t know the retention period?

No. Indefinite retention is indefensible under most regulations. GDPR forbids it (storage limitation principle). US regulators expect organizations to know how long they keep data and to have a justification. If you can’t determine a retention period, that’s a data governance problem you must solve. The default cannot be “keep forever.”

How do we handle deletion if data exists in multiple systems?

Treat deletion as a multi-system process. Deleting from the primary system is the first step, but the record may exist in backups, archives, shadow systems, or third-party platforms. You must coordinate deletion across all systems where the data lives. Create a deletion workflow that includes: primary system deletion, backup deletion (after a grace period), archive deletion, and vendor notification. Document that all deletion was completed before marking the record as deleted.

What if a retention period in our policy conflicts with litigation?

Litigation takes precedence. When a legal hold is issued, deletion stops. Normal retention rules are suspended. Data must be preserved until the hold is released, even if the retention period would normally allow deletion. Your policy should explicitly state this. Once litigation concludes and the hold is released, normal retention resumes, and you can delete data as if the retention period had never been interrupted.

GDPR imposes a stricter principle: storage limitation. You can keep data only as long as necessary for your stated purpose. This is often shorter than US regulatory retention periods. If US tax law requires 7-year retention but GDPR allows 3 years, the shorter period applies to EU residents’ data. You may need different retention schedules for different geographies. GDPR also enables data subjects to request deletion (right to erasure), which may override your retention period if the data is no longer necessary.

Who should own the retention policy in an organization?

Ownership should be shared: compliance drives the policy, IT implements it, legal advises on hold procedures, and business defines their retention needs. If one group owns it entirely, the policy becomes either unimplementable (if IT-driven) or non-compliant (if business-driven). The best approach is a cross-functional steering committee that reviews and updates the policy annually. Day-to-day ownership often sits with the data governance or compliance team.

Should retention periods be the same for all customers or data subjects?

Generally yes, unless regulation requires otherwise. Your retention schedule should define retention by data category and regulation, not by individual. Some exceptions: litigation holds (customer-specific), GDPR deletion requests (person-specific), and VIP customers (business-specific). But the baseline should be consistent. If you have different retention for different customers, you create operational complexity and fairness issues.

How do we prove to auditors that deletion actually happened?

Document the deletion process and produce evidence. Evidence includes: the retention schedule showing the record was eligible for deletion, a log showing the record was created or last modified before the retention period expired, a legal hold release showing no hold was active, and a deletion report showing the record was removed from the primary system and backups. If you can’t produce this trail, deletion is not defensible.