GDPR requires you to keep data only as long as necessary. "As long as necessary" without documentation is how you get fined. Generate a policy that defines retention periods clearly. Free.
Not because it's fun. Because "we keep everything forever" is a compliance disaster waiting to happen.
GDPR doesn't just say collect less data. It says keep it only as long as you actually need it. A documented retention policy is the evidence that you're following this principle. Without documentation, "as long as necessary" means nothing.
Data you don't have can't be breached. A retention policy forces you to delete data you're holding just in case, which reduces both your compliance burden and your breach risk. Old data sitting in a forgotten database is a liability.
ISO 27001, SOC 2, and most enterprise security questionnaires ask about your data retention practices. Having nothing documented is an automatic red flag. A clear policy with defined schedules closes that gap immediately.
The principle sounds simple. The implementation is where most organizations fail.
Most privacy compliance conversations focus on collection. Who can you collect data from? What consent do you need? What do you have to disclose? But GDPR's storage limitation principle, Article 5(1)(e), says that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. In plain language: once you're done with data, you delete it, or you strip it of anything that identifies a person.
The problem is that "no longer than necessary" is frustratingly vague. So organizations do what people do with vague rules — they interpret it loosely. And "loosely" usually means keeping everything forever because deleting things feels risky. What if you need it later? What if there's a legal dispute? What if a customer comes back?
In 2018 the UK's ICO fined Equifax Ltd £500,000, the maximum under the pre-GDPR Data Protection Act 1998, and one of the failings it cited was retaining personal data for longer than the stated purpose required. The Irish DPC has found companies holding data long after the business relationship ended with no documented justification. The French regulator CNIL has specifically cited inadequate retention periods as a factor in enforcement actions. The message is consistent: "we just kept it" is not an answer.
So what does "necessary" actually mean in practice? It depends on the category of data and your legal basis for processing. Here's how some common categories typically work. Customer account data is generally kept for the duration of the customer relationship plus two to three years after the last interaction, which covers legitimate interests like customer service and potential warranty claims. Financial records are subject to statutory requirements: in the UK, HMRC expects business records to be kept for six years; in Germany, books and annual accounts must be kept for ten years; in the US the IRS's limitation periods run from three to seven years depending on the circumstances, so seven years is the usual conservative choice.
Marketing data is where most companies get into trouble. If someone opted into your email list in 2019 and hasn't opened an email in three years, you will struggle to show that their consent is still current or that you have any other basis for holding their data. The ICO's direct marketing guidance does not set a fixed lifetime for consent, but it is clear that consent degrades over time and that inactive contacts should be removed from marketing lists. Two years of inactivity is a common benchmark. Some companies run re-engagement campaigns at the one-year mark to confirm continued consent before the two-year deletion window kicks in.
Employee data is its own category with its own complexity. During employment, you need it. After employment ends, you need some of it for a bit longer. UK employment law guidance suggests six years for most employment records. But health records, disciplinary records, and records related to pension schemes each have their own timelines. And under GDPR, even with a legal basis for retention, you have to disclose those periods to employees in your privacy notice and HR data retention schedule.
CCPA and its successor CPRA have added a right to deletion that intersects with retention. California residents can request that you delete their personal information. You need to respond within 45 days (extendable once by a further 45 days where reasonably necessary, provided you notify the consumer). And if you've been keeping data for three years with no documented business purpose, you're going to have a hard time explaining why you can't delete it. A proper retention policy with defined schedules makes these requests much easier to handle. You can either delete the data on request or point to a specific legal reason why the retention period hasn't expired yet.
There's also the practical matter of legal holds. When litigation is reasonably anticipated, you have a duty to preserve relevant information — even data you'd otherwise delete. Your retention policy needs a legal hold exception clause that overrides normal deletion schedules when legal proceedings are pending or likely. This isn't just GDPR. This is basic e-discovery law. And your policy needs to address how legal holds are triggered, who has the authority to trigger them, and how they're lifted when the litigation is resolved.
Finally, a retention policy without a deletion process is not a retention policy. It's a wish list. You need to document how data actually gets deleted — whether that's automated purges from your database, secure wiping of backup tapes, anonymization of records you need to keep for statistical purposes, or written instructions to third-party processors. Our generator produces a policy that includes deletion procedures, not just schedules.
A complete retention framework from purpose statement to deletion procedures.
Clear statement of why this policy exists, which legal frameworks it addresses (GDPR, CCPA, etc.), and which categories of data and personnel it covers.
Documents the lawful basis for retaining each data category: contract performance, legal obligation, legitimate interests, or consent. Required for GDPR accountability.
Specific periods for each data type, each counted from its own trigger point. Customer data: 3 years after the relationship ends. Financial records: 7 years from the record date. Marketing lists: 2 years of inactivity. Employee records: 6 years after employment ends. Analytics: 26 months.
Schedule for reviewing retained data, identifying data past its retention period, and documenting that the review occurred. An annual review is the usual minimum.
Specific methods for each system: secure database deletion, backup purge schedules, anonymization for analytics data, shredding physical records.
Who is responsible for implementing the policy, reporting retention violations, requesting legal holds, and confirming deletion has occurred.
Requirements for processors and vendors to comply with your retention schedules and confirm deletion of data when the retention period expires or the contract ends.
Process for suspending normal deletion schedules when litigation is pending or anticipated, who has authority to trigger a legal hold, and how it gets lifted.
How deletion requests from individuals (GDPR right to erasure, CCPA right to delete) interact with your retention schedules and the grounds for refusing deletion requests.
Commitment to reviewing and updating the policy at least annually, or sooner when business practices, legal requirements, or data categories change.
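To show how the retention schedule, the legal hold exception and the erasure-request handling described above fit together in code, here is a small retention review job in Python. It is an added example, not the generator's output and not legal advice: the category names, the lawful basis and `legal_claims` flag attached to each category, the sample records and the hold list are all assumptions made for the example. It takes the periods quoted on this page, decides per record whether to retain, delete, anonymise or hold, and answers an erasure request with either a deletion or a documented refusal ground.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Basis(Enum):
    CONTRACT = "contract performance"
    LEGAL_OBLIGATION = "legal obligation"
    LEGITIMATE_INTERESTS = "legitimate interests"
    CONSENT = "consent"

class Action(Enum):
    RETAIN = "retain"
    DELETE = "delete"
    ANONYMISE = "anonymise"
    HOLD = "hold"

@dataclass(frozen=True)
class Rule:
    months: int          # retention period counted from the record's trigger date
    basis: Basis         # lawful basis for keeping the data during that period
    on_expiry: Action    # DELETE, or ANONYMISE where records are kept for statistics
    legal_claims: bool   # needed to establish or defend legal claims (erasure ground)

# Default schedule using the periods quoted on this page. The bases and the
# legal_claims flags are assumptions made for the example, not legal advice.
SCHEDULE = {
    "customer_account": Rule(36, Basis.LEGITIMATE_INTERESTS, Action.DELETE, False),
    "financial": Rule(84, Basis.LEGAL_OBLIGATION, Action.DELETE, False),
    "marketing": Rule(24, Basis.CONSENT, Action.DELETE, False),
    "employee": Rule(72, Basis.LEGITIMATE_INTERESTS, Action.DELETE, True),
    "analytics": Rule(26, Basis.LEGITIMATE_INTERESTS, Action.ANONYMISE, False),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    trigger: date   # relationship end, last engagement, record date, employment end

@dataclass(frozen=True)
class Decision:
    record_id: str
    action: Action
    reason: str     # written to the review log as evidence that the review happened

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (31 Jan + 1 month -> 28/29 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    last_day = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][month - 1]
    return date(year, month, min(d.day, last_day))

def expiry(rec: Record) -> date:
    return add_months(rec.trigger, SCHEDULE[rec.category].months)

def on_hold(rec: Record, holds: set) -> bool:
    # Holds are keyed by data subject or by individual record id.
    return rec.subject_id in holds or rec.record_id in holds

def review(rec: Record, today: date, holds: set) -> Decision:
    """Scheduled review: the legal hold is checked first, then the calendar."""
    rule, exp = SCHEDULE[rec.category], expiry(rec)
    if on_hold(rec, holds):
        return Decision(rec.record_id, Action.HOLD, "legal hold active; deletion schedule suspended")
    if today < exp:
        return Decision(rec.record_id, Action.RETAIN, f"{rule.basis.value}; retained until {exp}")
    return Decision(rec.record_id, rule.on_expiry, f"retention period expired on {exp}")

def erasure_request(rec: Record, today: date, holds: set) -> Decision:
    """GDPR Art. 17 / CCPA deletion request: honour it unless a documented ground applies."""
    rule, exp = SCHEDULE[rec.category], expiry(rec)
    if on_hold(rec, holds):
        return Decision(rec.record_id, Action.HOLD, "refused: legal hold, needed for legal claims (Art. 17(3)(e))")
    if today < exp and rule.basis is Basis.LEGAL_OBLIGATION:
        return Decision(rec.record_id, Action.RETAIN, f"refused: statutory retention until {exp} (Art. 17(3)(b))")
    if today < exp and rule.legal_claims:
        return Decision(rec.record_id, Action.RETAIN, f"refused: needed for legal claims until {exp} (Art. 17(3)(e))")
    return Decision(rec.record_id, rule.on_expiry, "honoured: no retention ground applies")

# Constructed sample data for the example.
TODAY = date(2025, 6, 1)
HOLDS = {"subj-7"}   # one data subject involved in anticipated litigation
SAMPLE_RECORDS = [
    Record("r1", "subj-1", "customer_account", date(2022, 3, 15)),  # relationship ended
    Record("r2", "subj-1", "financial", date(2020, 1, 31)),         # invoice date
    Record("r3", "subj-2", "marketing", date(2023, 9, 1)),          # last email opened
    Record("r4", "subj-3", "analytics", date(2023, 1, 31)),         # session date
    Record("r5", "subj-7", "employee", date(2024, 12, 31)),         # employment ended
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        d = review(rec, TODAY, HOLDS)
        print(f"review  {d.record_id}: {d.action.value:9} {d.reason}")
        e = erasure_request(rec, TODAY, HOLDS)
        print(f"erasure {e.record_id}: {e.action.value:9} {e.reason}")
```

Two design points are worth noting. The hold check comes before any date arithmetic in both functions, so a record under legal hold can never be purged by the scheduled job or by an erasure request, which is the override the legal hold clause has to guarantee. And every decision carries a reason string naming the ground, so the log of a review or of a refused request is the evidence the accountability principle asks for, rather than a bare list of deleted ids.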
Everything you need to know about data retention policies
What your options are and what they actually cost you.
| Feature | FreeTOS | Paid Service | Law Firm |
|---|---|---|---|
| Price | Free | $15/mo+ | $400+ |
| Signup Required | No | Yes | Yes |
| Retention Schedule by Category | Yes | Basic | Yes |
| GDPR + CCPA Coverage | Both | Both | Both |
| Legal Hold Clause | Yes | Paid tier | Yes |
| Deletion Procedures | Yes | Basic | Yes |
| AI-Tailored Output | Yes | Template | Manual |
A policy sitting in a Google Doc that nobody reads isn't a policy. Here's how to actually use it.