[Organisation] · Data Retention & Disposal Policy
Version 1.0 · Owner: [Role] · Approved: [Date] · Classification: Internal
Purpose
To ensure information is retained only as long as necessary and disposed of securely.
Scope
This policy applies to all [Organisation] information in any format, including backups.
Policy statements
- Each data category has a defined retention period based on business need and legal obligation.
- Personal data is not retained beyond its stated purpose.
- Disposal uses secure methods appropriate to the media (e.g. cryptographic erasure, shredding).
- Evidence of disposal is recorded where required.
Sample retention schedule
- Financial records: as required by applicable law.
- Employee records: duration of employment plus statutory period.
- Marketing consents: until withdrawn or purpose ends.
- Security logs: [X months], balancing investigation needs and minimisation.
Review
This policy is reviewed annually and updated as obligations change.
Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
