Retention Period
Defined duration for which an organization stores personal data before deletion or anonymization
A Retention Period is the defined duration for which an organization stores personal data before it must be securely deleted, destroyed, or anonymized. It is the operational manifestation of the "Storage Limitation" principle under GDPR Article 5(1)(e), which prohibits organizations from keeping personal data longer than necessary for the purposes for which it was collected.
Retention is governed by the "necessity" test: data must be deleted once the original purpose for processing is fulfilled, unless a separate legal obligation requires further storage. Often, privacy laws demanding deletion conflict with tax or employment laws requiring retention. In such cases, specific legal mandates (e.g., "Keep tax records for 7 years") override general privacy requirements.
GDPR Article 5(1)(e) establishes the Storage Limitation principle, requiring that personal data be kept in identifiable form "no longer than is necessary." The CPRA has elevated retention to a mandatory transparency requirement: businesses must disclose the intended retention period for each category of personal information at the point of collection. If specific timeframes cannot be set, businesses must disclose the criteria used to determine retention. Failing to define or communicate these periods is now a standalone violation under California law.
Common retention benchmarks vary by data type. Financial and tax records typically require 7 years (US/UK standard). Employee records are generally kept 3-6 years after termination depending on local statutes of limitations. Marketing cookies typically have 6-12 month lifespans. CCTV footage is commonly retained for 30 days. Unsuccessful job applicant records are kept 6 months to 2 years to defend against discrimination claims.
"Data Graveyards"—vast repositories of legacy data that are no longer actively used but have not been deleted—represent significant liability. Every year of un-deleted data adds to exposure volume. "Zombie Data" that exists in backups, logs, or secondary silos often escapes standard deletion protocols, creating hidden liability that resurfaces during ransomware attacks or DSARs. Research estimates that 60% of enterprise data is "ROT" (Redundant, Obsolete, or Trivial)—providing zero business utility while maintaining 100% breach risk.
For liability quantification, retention period is the primary lever for controlling volume risk. Data kept beyond its useful life represents pure liability with zero business utility, significantly inflating risk scores. A robust compliance program uses a Data Retention Schedule mapping data categories to specific timeframes, with retention triggered by events (e.g., "3 years after account closure") rather than fixed dates from collection.
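The event-triggered Data Retention Schedule and the necessity test described above, as an added Python example that is not part of the original page; the schedule entries, record fields, locations and dates are constructed assumptions that reuse the benchmarks quoted on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed schedule (assumption): category -> (trigger event, retention after trigger).
# The clock starts at an event ("3 years after account closure"), not at collection.
SCHEDULE: Dict[str, Tuple[str, timedelta]] = {
    "tax_record":       ("fiscal_year_end", timedelta(days=7 * 365)),
    "employee_record":  ("termination",     timedelta(days=6 * 365)),
    "applicant_record": ("hiring_decision", timedelta(days=2 * 365)),
    "account_data":     ("account_closure", timedelta(days=3 * 365)),
    "cctv_footage":     ("capture",         timedelta(days=30)),
}

@dataclass
class Record:
    record_id: str
    category: str
    events: Dict[str, date]             # event name -> date the event occurred
    copies: Tuple[str, ...] = ("primary",)  # every location holding the data (backups, logs, ...)
    legal_hold: bool = False            # a specific legal mandate requiring continued storage

def deletion_due(record: Record) -> Optional[date]:
    """End of the retention period, or None if the trigger event has not yet occurred."""
    trigger, period = SCHEDULE[record.category]
    started = record.events.get(trigger)
    return None if started is None else started + period

def disposition(record: Record, today: date) -> str:
    """Necessity test: delete once the period has run, unless a legal obligation overrides it."""
    due = deletion_due(record)
    if due is None:
        return "untriggered"          # purpose still live: retention clock has not started
    if record.legal_hold:
        return "retain (legal hold)"  # specific legal mandate overrides the privacy default
    return "delete" if today >= due else "retain"

def overdue_copies(records: List[Record], today: date) -> List[Tuple[str, str]]:
    """Every (record_id, location) past its retention period, including backup/log copies
    that commonly escape deletion and become 'zombie data'."""
    return [(r.record_id, loc) for r in records
            if disposition(r, today) == "delete" for loc in r.copies]

# Constructed sample data (assumption), evaluated on a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("acct-1", "account_data", {"account_closure": date(2021, 1, 15)}, ("primary", "backup")),
    Record("acct-2", "account_data", {"account_closure": date(2023, 1, 15)}),
    Record("acct-3", "account_data", {}),  # account still open
    Record("tax-1", "tax_record", {"fiscal_year_end": date(2016, 12, 31)}, legal_hold=True),
    Record("cctv-1", "cctv_footage", {"capture": date(2024, 4, 1)}, ("primary", "log_archive")),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, deletion_due(r), disposition(r, TODAY))
    print(overdue_copies(SAMPLE_RECORDS, TODAY))
```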