Question: Are data-retention and deletion schedules defined, approved, and implemented across systems?
Why This Matters
Uncontrolled retention increases legal and security risk. Timely deletion supports compliance and reduces storage cost.
Maturity
0 — Unaware
No defined retention periods.
1 — Ad Hoc
Manual purges after storage issues.
2 — Defined
Retention matrix documented and approved.
3 — Managed
Schedules implemented via automation or cron jobs.
4 — Integrated
Linked to register and legal holds.
5 — Optimized
Policy-driven dynamic retention with analytics on deletion compliance.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify data types and current storage duration. |
| 1 → 2 | Develop retention matrix with business and legal input. |
| 2 → 3 | Implement automated deletion or archival jobs. |
| 3 → 4 | Integrate with register and backup policy. |
| 4 → 5 | Monitor deletion success and generate analytics. |
Enablers
- People: DPO, Legal Counsel, IT Ops
- Process: Retention policy → approval → automation
- Technology: Storage lifecycle management, backup tools
Evidence
- Approved retention schedule
- Automation scripts / logs
- Deletion audit report
KPIs
- Percentage of systems with applied retention rules
- Number of records deleted per cycle
- Deletion success rate (%)
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Scheduling | Cron / Airflow | Automate purge jobs |
| Tracking | Airtable / Excel | Retention matrix |
| Storage lifecycle | MinIO ILM | Auto-expire objects |
Common Pitfalls
- No alignment with backup retention
- Deletion scripts disabled by admins
- Lack of evidence for audit
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27701 | 7.5 (Retention and Erasure) |
| DPDP Act 2023 | Sec 9 (Storage Limitation) |
| GDPR | Art. 5(1)(e) |
| NIST CSF 2.0 | PR.DS-06 |
| NIRMATA Mapping | PD-Q07 anchors retention discipline. |