DAT-008 Data Retention and Deletion
Description
Documented retention schedules exist for all data categories, aligned with legal obligations, contractual commitments and business requirements. Data is securely deleted or anonymised when retention periods expire. Deletion is verifiable and applied consistently across primary storage, backups and replicas.
Rationale
Retaining data beyond its useful or legal life increases breach exposure and regulatory liability. Verified deletion is particularly critical for SaaS tenants at offboarding.
Framework Mappings (7)
| Reference | Title | Coverage |
| --- | --- | --- |
| DSP-02 | Secure Disposal | partial |
| DSP-16 | Data Retention and Deletion | full |
| GDPR-Art.17 | Right to Erasure (Right to be Forgotten) | partial |
| GDPR-Art.5.1e | Storage Limitation | full |
| 8.10 | Information deletion | full |
| SI-12 | Information Management and Retention | full |
| P4.2 | Retention of Personal Information | full |
Evidence (2)
Data retention policy and schedule defining retention periods per data category, legal basis for each retention period, and deletion or anonymisation requirements at expiry.
Example: Data Retention Schedule (Confluence / spreadsheet), approved by DPO and Legal, listing each data category with: retention period, legal justification, storage location, deletion method (automated purge / manual review), and date last reviewed.
Test: Request the data retention schedule. Verify: (1) all personal data categories in the RoPA have a retention period assigned, (2) each period has a legal or business justification, (3) deletion method is specified (automated or manual) for each category, (4) schedule was approved and reviewed within 24 months.
Automated or manual deletion records confirming that data is purged or anonymised when retention periods expire, including across backups and replicas.
Example: Automated deletion job execution logs (AWS Lambda / Airflow / database scheduler) for the last 3 months, showing records deleted, data categories affected, execution timestamps, and confirmation of deletion from primary, backup and replica stores.
Test: Request deletion execution logs for the most recent quarter. Verify: (1) deletion jobs ran at the scheduled frequency, (2) deletion covers primary database, backup snapshots and replicas, (3) volume of deleted records is consistent with expected data volumes, (4) no failed deletion jobs are outstanding without documented exception handling.
Questions (2)
Does your organisation maintain documented retention schedules for all data categories, and is data securely deleted or anonymised when retention periods expire?
Retention schedules should be assigned to all personal data categories in the RoPA, with a legal or business justification for each period. Deletion should cover primary storage, backups and replicas.
How is data deletion or anonymisation executed when a retention period expires?
Fully automated deletion across all storage tiers (primary, backup, replica) is the strongest control. Any manual or ad hoc approach must be supported by execution records to demonstrate completeness.