N2CON TECHNOLOGY

Data Retention Policy: Governance & Compliance

Data retention is a governance and legal issue that spans operations, compliance, and risk management. Backups provide one layer of protection, but a complete retention strategy also covers email archives, SaaS governance, legal holds, and industry-specific requirements that extend far beyond what any backup system handles.

Note: This is general information and not legal advice.

Last reviewed: March 2026

Executive Summary

What it is
A governance framework defining what data to keep, how long to keep it, when to delete it, and how to handle exceptions like legal holds.
Why it matters
  • Industry regulations mandate specific retention periods (often 3-7+ years).
  • Litigation and audits require accessible historical records.
  • Over-retention increases storage costs, breach exposure, and discovery burden.
  • Under-retention results in sanctions, compliance failures, and lost institutional knowledge.
  • Backups alone do not satisfy retention requirements for accessible, searchable records.
When you need it
  • You are subject to industry regulations (finance, healthcare, legal, government).
  • You operate across multiple jurisdictions with conflicting requirements.
  • You use SaaS extensively but have not assessed vendor retention limitations.
  • You are preparing for litigation, audit, or compliance certification.
What good looks like
  • Written retention policy aligned to industry requirements with legal review.
  • Email archiving solution independent of primary mail system retention.
  • SaaS data inventory with documented retention gaps and compensating controls.
  • Legal hold process that suspends normal deletion when required.
How N2CON helps

Backups are one tool, not the whole retention policy

Many organizations conflate backup retention with data retention. They are related but distinct. Backup retention is about disaster recovery: how far back you can restore a system to a specific point in time, typically 30 days to 1 year. Data retention is about governance: how long you must keep accessible, searchable records for compliance, legal, and operational purposes, typically 3-7+ years.

A 90-day backup retention policy protects against ransomware and accidental deletion. It does not satisfy FINRA's 3-year email requirement, HIPAA's 6-year documentation rule, or a legal firm's 7-year client file obligation. Backups are optimized for recovery speed, not for browsing, searching, or producing records for legal discovery.

A complete retention strategy uses multiple mechanisms working together:

  • Live data management: Classification, lifecycle policies, and deletion schedules for active systems.
  • Email archiving: Separate retention and search for mail systems, often with 7+ year retention (see SEAS guide).
  • SaaS governance: Understanding and compensating for vendor retention limitations.
  • Backups: Disaster recovery and short-term protection (days to months).
  • Long-term archives: Immutable storage for compliance-mandated retention (years).

Industry-specific retention requirements

Retention periods vary dramatically by industry. A 90-day backup policy works for general disaster recovery but fails for most regulated environments.

Financial Services (FINRA/SEC)

Broker-dealers and investment advisors face strict books-and-records rules under FINRA Rule 4511 and SEC Rule 17a-4. Email and communications require minimum 3-year retention with at least 2 years in an easily accessible place. Trade records and supervision records carry 3-6 year requirements. Standard Microsoft 365 retention (30 days for deleted items) is insufficient; financial firms typically need dedicated email archiving with WORM (Write Once Read Many) storage.

Healthcare (HIPAA)

HIPAA requires 6 years of documentation retention from creation or last effective date, including risk analyses, policies, training records, incident documentation, and business associate agreements. State laws may extend requirements further, with some states requiring 7-10 years for medical records. Pediatric records often carry extended retention. Healthcare organizations need retention that extends well beyond typical backup windows.

Legal Services (Law Firms)

Law firms face dual obligations: client file retention (typically 7 years after matter closure, varies by state) and malpractice protection (often 5-7 years matching the statute of limitations). Some jurisdictions require longer retention for estates, trusts, and minors. Legal firms need organized, searchable archives because clients may request files years later, and reconstructing from backup tapes is impractical.

Government & Law Enforcement (CJIS)

Organizations accessing FBI CJIS data must follow CJIS Security Policy retention requirements for audit logs (typically 1+ years), security documentation (duration of system operation plus several years), and access records. Government entities need retention aligned with specific agency requirements, which may exceed CJIS baseline. Cloud migration requires careful assessment of vendor retention capabilities.

Education (FERPA)

FERPA does not specify exact retention periods but requires institutions to maintain records demonstrating compliance. Student records are often retained for several years after graduation. Financial aid documentation and special education records may have separate federal retention requirements with extended timelines.

PCI DSS (Payment Card Industry)

PCI DSS v4 requires audit trail history retention of at least 1 year, with 3 months immediately available. Security policies, vulnerability scan reports, and evidence of compliance must be retained. PCI DSS emphasizes log retention, but merchants must also consider cardholder data retention. Retaining cardholder data longer than necessary increases both compliance scope and breach risk.

SOC 2 & Trust Services Criteria

SOC 2 does not prescribe specific retention periods but requires sufficient evidence retention to support the auditor's opinion, typically through the audit period plus some buffer. Organizations should define retention periods based on their own risk assessment and document the rationale. Inconsistent retention that changes year-to-year may raise auditor concerns.

The cloud sprawl retention problem

SaaS adoption has outpaced retention planning. Many organizations discover too late that their cloud tools have retention policies that conflict with their compliance needs. A law firm might move to a cloud practice management tool with 30-day deleted-matter retention while the state bar requires 7-year client file retention. The firm assumes "cloud equals backed up" but actually has a massive retention gap.

Default SaaS retention periods are designed for operational recovery, not compliance. Microsoft 365 retains deleted items for 30 days by default (configurable with higher licensing). Google Workspace keeps trash for 30 days, with extended retention available through Vault. Slack and Teams message retention varies by plan tier. CRM systems differ widely, some retaining deleted records indefinitely and others purging after 30-90 days.

When SaaS retention does not meet compliance needs, organizations compensate through several approaches:

  • Email archiving with journaling: Captures all inbound and outbound email in real time before users can delete it, creating an independent, tamper-proof archive with 7+ year retention and eDiscovery capabilities. See Secure Email Archiving Service (SEAS).
  • Third-party SaaS backups: Products exist to back up Microsoft 365, Google Workspace, Salesforce, and other SaaS platforms with extended retention.
  • Regular exports: For critical data, schedule automated exports to organization-controlled storage with appropriate retention.
  • Vendor negotiations: Enterprise agreements sometimes include custom retention terms or data escrow arrangements.

Related: SaaS sprawl governance and evaluating hosted app providers.

Email retention: the highest-stakes data type

Email is simultaneously the most regulated and most problematic data type. It contains business records, client communications, contracts, and evidence. It is also ephemeral and easy to delete. Email is the most frequently requested data type in litigation and many industries have specific email retention mandates.

A robust email retention strategy operates in layers: live mail system with operational retention (30-90 days), an email archive with long-term retention (3-7+ years) and eDiscovery capabilities, and backups for disaster recovery. Relying on backups alone for email retention is risky because backups are point-in-time, not continuously updated. Restoring a 2-year-old email from backup may require restoring an entire mail database, which is impractical and disruptive.

For a detailed approach to independent email archiving, see Secure Email Archiving Service (SEAS).

Legal holds override normal retention

Normal retention schedules assume stable operations. Litigation changes everything. A legal hold suspends deletion of potentially relevant data when litigation is anticipated or pending, when a government agency investigation is likely or underway, or when audit disputes arise.

Failing to implement a legal hold can result in severe consequences. Courts may impose monetary sanctions or adverse inference (the jury may be instructed to assume the destroyed evidence was unfavorable). In extreme cases, courts may dismiss claims or enter default judgment. Willful destruction of evidence may lead to criminal liability.

An effective legal hold process has six stages:

  • Identify the litigation risk or notice.
  • Determine scope: which custodians, systems, and time periods are affected.
  • Suspend normal deletion across the affected systems.
  • Notify affected employees with clear instructions.
  • Monitor compliance through regular audits.
  • Document the release when litigation concludes.

GDPR and the retention tension

GDPR creates a unique tension for retention. While industry regulations often mandate minimum retention periods (HIPAA: 6 years, FINRA: 3 years), GDPR imposes maximums through the storage limitation principle. If the documentation or email you are required to keep contains personal data, you have a potential conflict.

The resolution is to document the legal basis for retention. For each data type containing personal data, document the purpose, the legal basis (legal obligation, contract, legitimate interest), the specific retention period with justification, the review trigger that starts the deletion countdown, and the technical implementation for deletion or anonymization.

When industry requirements mandate longer retention than GDPR would otherwise allow, the legal obligation basis typically prevails. But you must document this rationale in your retention policy and privacy notices.
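The legal hold override and the minimum-versus-maximum resolution described above, expressed as a small disposition check. This is an added illustration, not N2CON's tooling; the data types, periods, custodian names and hold identifier are constructed sample values, and `max_years` of 0 is an assumed convention meaning the record carries no GDPR ceiling.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class RetentionRule:
    min_years: int          # regulatory minimum (FINRA 3y, HIPAA 6y, ...)
    max_years: int          # GDPR storage-limitation ceiling; 0 = no personal data
    legal_basis: str        # documented basis for the period

@dataclass
class Record:
    data_type: str
    trigger_date: date      # review trigger that starts the deletion countdown
    custodians: frozenset   # people whose data this record concerns

@dataclass
class LegalHold:
    hold_id: str
    custodians: frozenset
    released: bool = False  # set, and documented, when litigation concludes

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:      # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def effective_period(rule: RetentionRule) -> tuple:
    """Resolve an industry minimum against a GDPR maximum: legal obligation prevails."""
    if rule.max_years and rule.max_years < rule.min_years:
        return rule.min_years, f"legal obligation ({rule.legal_basis}) prevails over storage limitation"
    return rule.min_years, rule.legal_basis

def disposition(rec: Record, rules: dict, holds: list, today: date) -> tuple:
    """Return (action, reason) where action is HOLD, RETAIN or DELETE."""
    # A legal hold suspends deletion regardless of the normal schedule.
    active = [h.hold_id for h in holds if not h.released and h.custodians & rec.custodians]
    if active:
        return "HOLD", "suspended by legal hold " + ", ".join(active)
    years, basis = effective_period(rules[rec.data_type])
    due = add_years(rec.trigger_date, years)
    if today < due:
        return "RETAIN", f"retain until {due.isoformat()} ({basis})"
    return "DELETE", f"{years}-year period elapsed on {due.isoformat()} ({basis})"

# Constructed sample schedule and hold (illustrative values, not a real policy).
RULES = {"email": RetentionRule(3, 0, "FINRA Rule 4511 / SEC Rule 17a-4"),
         "hipaa_doc": RetentionRule(6, 2, "HIPAA 6-year documentation rule")}
HOLDS = [LegalHold("LH-2025-01", frozenset({"alice"}))]
TODAY = date(2026, 3, 15)
```

The reason string returned with each action is what belongs in the retention log, so that a deletion, or a refusal to delete, can be defended later.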

Building a practical retention program

A practical retention program follows six stages:

  • Inventory and classify: catalogue all data types across on-premises, cloud, and SaaS, identifying which contain personal or sensitive data.
  • Map requirements: identify applicable regulations, document minimum and maximum retention periods, and engage legal counsel to confirm.
  • Develop the policy: specific retention periods per data type, legal hold procedures, and a documented legal basis for each period.
  • Implement technically: configure mail system retention, implement email archiving for compliance, configure backup retention for disaster recovery, address SaaS retention gaps, and implement legal hold controls.
  • Publish and train: publish the policy and train employees, IT staff, and legal/executives on their respective obligations.
  • Monitor and maintain: audit retention compliance quarterly, review the policy annually or when regulations change, test the legal hold process, and update when new systems or data types are introduced.

For related guidance on the backup and recovery side, see backup retention concepts and backup and disaster recovery testing.

Key takeaways

  • Backups do not equal a retention policy. Backups handle disaster recovery (days to months). Retention governs compliance and legal requirements (often years).
  • Industry requirements vary dramatically. Know which regulations apply to your data types and plan accordingly.
  • SaaS sprawl creates retention gaps. Default cloud retention is designed for operational recovery, not compliance. Audit your SaaS tools.
  • Email requires dedicated archiving. Do not rely on backups for long-term email retention. Recovery is impractical and search is impossible.
  • Legal holds override normal retention. Have a process to suspend deletion when litigation is anticipated. Spoliation sanctions are severe.
  • GDPR adds maximum retention limits. Document your legal basis for retention periods that extend beyond what GDPR would otherwise permit.

Common Questions

Is backup retention the same as data retention?

No. Backup retention handles disaster recovery (days to months). Data retention handles governance, legal, and compliance requirements (often years). A 90-day backup does not satisfy FINRA's 3-year email requirement, HIPAA's 6-year documentation rule, or a legal firm's 7-year client file obligation. See our backup retention concepts guide for the disaster recovery side.

How long should we keep emails?

It depends on your industry. FINRA and SEC require broker-dealers to keep business-related emails for at least 3 years. Legal firms often keep client files for 7+ years after matter closure. Healthcare organizations may need 6+ years for HIPAA documentation. Litigation holds may override normal retention at any time.

What is a legal hold and how does it affect retention?

A legal hold (litigation hold) suspends normal deletion schedules when litigation is anticipated or pending. Once a hold is in place, you must preserve all potentially relevant data regardless of normal retention periods. Failing to implement a hold can result in sanctions for spoliation of evidence.

How does cloud sprawl impact retention?

SaaS applications often have limited native retention. Microsoft 365 retains deleted emails for 30 days by default. Google Workspace keeps trash for 30 days. Many niche SaaS tools have even shorter retention or none at all. If your policy requires 7 years of email history but you rely solely on platform defaults, you have a gap that email archiving or backups must fill.

What are the GDPR implications for retention?

GDPR requires that personal data be kept no longer than necessary (storage limitation principle). Unlike industry-specific minimums, GDPR sets maximums. This creates tension with industry retention requirements; you need clear documentation showing why retention is legally or operationally necessary for each data type.

Need help designing a retention program that satisfies compliance without over-retaining?

We can help assess your industry requirements, identify cloud sprawl gaps, and implement retention controls that balance accessibility, cost, and legal defensibility.

Contact N2CON