This framework helps organizations design a data retention and destruction policy that satisfies regulatory requirements across jurisdictions while minimizing storage costs and liability exposure. The core principle is to retain data for the minimum period required by the strictest applicable regulation, then destroy it using a NIST 800-88 compliant method. GDPR enforces a 30-day default for erasure requests, CCPA/CPRA allows 45 days, and US tax law requires 7 years for financial records. [src2, src3]
| Input | Why It Matters | How to Assess |
|---|---|---|
| Jurisdictions with customers/operations | Determines applicable data protection laws | List countries/states where data is collected or stored |
| Data categories held | Each category has different retention requirements | Inventory: customer PII, HR, financial, health, logs |
| Industry-specific regulations | HIPAA (6yr), SOX (7yr), GLBA (5yr) override general rules | Identify applicable industry regulations |
| Current data volume and growth | Affects destruction method cost and complexity | Measure storage usage and growth rate |
| Litigation frequency | Determines hold process complexity | Annual number of active legal matters |
```text
START — Design data retention and destruction policy
├── Step 1: Map data categories to jurisdictions
│   ├── US only → Federal (IRS 7yr, FLSA 3yr) + state-specific
│   ├── EU/EEA → GDPR (purpose-based + 30-day erasure)
│   ├── US + EU → Apply strictest per category
│   └── Regulated: HIPAA (6yr), SOX (7yr), GLBA (5yr)
│
├── Step 2: Set retention periods by data type
│   ├── Financial/tax → 7 years (US) or 5-10 years (EU)
│   ├── Employee HR → 3-7 years post-termination
│   ├── Customer PII → Relationship duration + 1-3 years
│   ├── Health/medical → 6+ years (HIPAA) + state-specific
│   └── System logs → 1-2 years (security) or 5 years (SOX)
│
├── Step 3: Select destruction method (NIST 800-88)
│   ├── Low sensitivity → Clear ($4-10/drive)
│   ├── Medium → Purge ($10-25/drive)
│   ├── High/regulated → Destroy ($15-40/drive + cert)
│   └── Always: Document with destruction certificate
│
├── OVERRIDE: Litigation hold → Preserve all relevant data
└── DEFAULT: 7-year retention + NIST Purge
```
| Factor | Minimal (Purpose-Based) | Standard (7-Year) | Maximum (Keep All) |
|---|---|---|---|
| Storage cost | Lowest | Moderate | Highest (ever-growing) |
| GDPR compliance risk | Low | Medium | High (storage limitation) |
| Litigation defense | Medium | High | High (but costly discovery) |
| Reversibility | Irreversible (deleted) | Moderate | Easy |
| Capability needed | Classification + auto-deletion | Schedule + periodic review | Storage management only |
| Best when | GDPR-primary, privacy-focused | Multi-regulation, moderate litigation | Highly litigious industry |
| Worst when | Frequent litigation | GDPR-primary with no US ops | Privacy-focused, cost-sensitive |
| Hidden costs | Re-creation if needed | 7-year accumulation | Discovery/review costs, GDPR fines |
→ Purpose-based minimal retention. Retain each category only as long as purpose requires plus 1-3 year buffer. Aligns with GDPR storage limitation. [src3]
→ 7-year default with category overrides. Covers IRS, most statutes of limitations, and SOX. Override for HR (1-7 years) and health (6+ years). [src4]
→ Jurisdiction-mapped retention matrix. Map each data category to each jurisdiction, apply strictest rule per category. Implement automated enforcement. [src2]
→ 6-year minimum plus state-specific requirements. NIST Destroy for physical media. [src4]
→ 7-year general retention with NIST Purge. Covers most US federal requirements. Review and adjust once full data mapping is complete. [src7]
- Risk: Violates GDPR storage limitation (fines up to 4% of global revenue), increases storage costs 15-25% annually, and inflates litigation discovery costs 3-5x. [src3]
  Fix: Map data categories, set periods per the strictest regulation, and implement automated deletion. An 80% accurate schedule beats no schedule.
- Risk: No proof of compliant disposal when regulators ask. Looks like evidence destruction. [src7]
  Fix: Record date, method, categories destroyed, and responsible party. Use NAID AAA-certified vendors. Retain records 3+ years beyond destruction.
- Risk: Blanket "7 years for everything" violates GDPR (over-retention), wastes storage, and misses categories needing longer retention. [src2]
  Fix: Build a matrix: rows = data categories, columns = jurisdictions. Each cell = specific retention period. Automate enforcement.
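The retention matrix, strictest-rule selection, litigation-hold override and destruction certificate described in the decision tree and in the fix above, worked through as an added example (not part of the original framework). The category names, jurisdiction codes and year values in `RETENTION_YEARS` are constructed assumptions taken from the step-2 ranges, and the trigger date is assumed to be whatever starts the retention clock for that category.

```python
from datetime import date

# Constructed retention matrix: rows = data category, columns = jurisdiction,
# cell = minimum retention in years once the retention clock starts (fiscal
# year end, employee termination, end of customer relationship). The values
# follow the step-2 ranges above and are illustrative assumptions, not advice.
RETENTION_YEARS = {
    "financial":    {"US": 7, "EU": 10},
    "hr":           {"US": 7, "EU": 3},
    "customer_pii": {"US": 3, "EU": 1},
    "health":       {"US": 6, "EU": 10},
    "system_logs":  {"US": 5, "EU": 1},  # SOX-scoped (US) vs. security logs (EU)
}
# Step-3 mapping of data sensitivity to the NIST 800-88 sanitization method.
NIST_METHOD = {"low": "clear", "medium": "purge", "high": "destroy"}

def strictest_period(category, jurisdictions):
    """Longest period among the jurisdictions the organization operates in."""
    row = RETENTION_YEARS[category]  # KeyError: category missing from the matrix
    periods = [row[j] for j in jurisdictions if j in row]
    if not periods:
        raise ValueError(f"no retention rule for {category} in {jurisdictions}")
    return max(periods)

def add_years(d, years):
    """Add whole years; Feb 29 rolls back to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposition(category, trigger_iso, jurisdictions, sensitivity, today_iso, legal_hold=False):
    """Retain, destroy or hold one record; a litigation hold overrides the schedule."""
    if legal_hold:
        return {"action": "hold", "method": None, "eligible_on": None}
    eligible = add_years(date.fromisoformat(trigger_iso), strictest_period(category, jurisdictions))
    action = "destroy" if date.fromisoformat(today_iso) >= eligible else "retain"
    return {"action": action, "method": NIST_METHOD[sensitivity], "eligible_on": eligible.isoformat()}

def destruction_record(categories, method, responsible_party, performed_iso):
    """Destruction certificate fields: date, method, categories, responsible party,
    plus the date until which the certificate itself must be kept (3+ years)."""
    performed = date.fromisoformat(performed_iso)
    return {"date": performed_iso, "method": method, "categories": sorted(categories),
            "responsible_party": responsible_party,
            "keep_certificate_until": add_years(performed, 3).isoformat()}
```

Running `disposition("system_logs", "2018-01-01", ["US", "EU"], "medium", "2024-06-01")` picks the 5-year US period over the 1-year EU one and returns `destroy` with method `purge`; pass `legal_hold=True` to see the override take precedence.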
| Component | Small (< 1 TB) | Mid-Size (1-10 TB) | Enterprise (10-100 TB) |
|---|---|---|---|
| Policy development | $2K-8K | $8K-25K | $25K-75K |
| Data classification | $1K-5K | $5K-20K | $20K-100K |
| Retention software | $0-500/mo | $500-3K/mo | $3K-15K/mo |
| Physical destruction | $100-500/event | $500-2,500/event | $2,500-15K/event |
| Digital wiping | $4-10/drive | $10-25/drive | $15-40/drive |
| Annual compliance review | $2K-5K/yr | $5K-15K/yr | $15K-50K/yr |
Hidden cost multipliers: Litigation hold management: $5K-25K per matter. GDPR DSARs: $50-500 each. Non-compliance fines: GDPR up to 4% global revenue; CCPA $2,500-7,500 per violation. On-site destruction adds 50-100% premium. [src5, src6]
Fetch when a user asks about data retention schedules, record-keeping requirements, GDPR or CCPA deletion obligations, data destruction methods and costs, or how to build a compliant data lifecycle policy. Also relevant for audit preparation, deletion request handling, or jurisdictional expansion.