What Is Data retention? Security Definition
On This Page
Quick Definition
Data retention means deciding how long to keep information and when to delete it. Companies set rules for storing data based on laws, business needs, or security requirements. Once the time is up, the data is safely removed.
Commonly Confused With
Data retention is the overall policy that includes both keeping and deleting data over time. Data archiving is a subset of retention that involves moving older data to cheaper, long-term storage for compliance or historical reference, but the data is not necessarily deleted. Archiving can be indefinite, while retention always includes a maximum period.
A company archives old emails to a .pst file after 1 year (archiving) but deletes them after 7 years (retention).
Backup is the process of creating copies of data for disaster recovery. Backup retention determines how many backup copies are kept. Data retention governs the original live data. Two different concepts. A backup may be kept for 30 days, while the original data is retained for 7 years.
You back up your phone weekly (backup) and keep backups for 3 months (backup retention). But you keep your photos on the phone for 2 years (data retention).
Preservation means keeping data indefinitely, often due to a legal hold or historical value. It overrides normal retention policies. Retention includes a defined end date; preservation does not. Both are part of the data lifecycle.
A court orders a company to preserve all emails related to a lawsuit. The company suspends its usual 90-day retention policy for those emails (preservation).
Must Know for Exams
Data retention is a core topic in both DP-900 (Microsoft Azure Data Fundamentals) and ISC2 CISSP (Certified Information Systems Security Professional). For DP-900, it appears in the section on managing data storage and data lifecycle. You will be expected to know how Azure Blob Storage lifecycle management works, how to set retention policies on containers, and the difference between time-based retention and legal hold. Questions may ask you to choose the appropriate storage tier (hot, cool, archive) based on retention duration and access frequency. For example, “A company needs to store financial records for 7 years with very rare access. Which tier should they use?” The answer is archive tier. DP-900 also tests the immutability feature for blobs, which prevents deletion until a retention period expires. You need to understand that immutability is used for compliance requirements such as SEC 17a-4.
For CISSP, data retention is part of Domain 2 (Asset Security) and Domain 8 (Software Development Security). CISSP emphasizes the policy and governance aspects, including the data lifecycle: create, store, use, share, archive, destroy. You must know that retention policies must be documented, approved by legal, and enforced by technology. CISSP also covers the difference between retention (keeping for a defined period) and preservation (keeping indefinitely due to legal hold). In exam questions, you might see a scenario where an organization is being sued, and a legal hold is issued. The correct action is to suspend automatic deletion policies for relevant data. Another common question involves the principle of storage limitation under privacy regulations. CISSP expects you to identify that data should only be kept as long as necessary and that excessive retention violates privacy principles.
Both exams test your understanding of compliance implications. For DP-900, you need to know specific Azure services and settings. For CISSP, you need to know the general concepts and best practices. In multiple-choice questions, distractors often confuse retention with backup, or retention with archiving. Knowing the precise differences will help you avoid traps. For example, a backup is for disaster recovery and has its own retention schedule, while an archive is for long-term compliance. A retention policy governs both, but the purpose differs. Exam questions may also ask who is responsible for setting retention policies, the answer is typically data owners and legal/compliance teams, not IT alone.
Simple Meaning
Think of data retention like keeping old tax documents at home. You do not throw away your tax records the day after filing because the government might ask about them years later. So you store those papers in a filing cabinet for a set number of years, like seven. After seven years, you shred them to prevent identity theft. Data retention works exactly the same way for digital information. Organizations decide how long to keep different types of data, such as customer records, employee files, or system logs. They follow legal rules, like those from governments or industry standards, which say things like “keep financial records for five years” or “keep health records for ten years.” Once that period ends, the data must be deleted forever so no one can misuse it. If you keep data too long, you risk legal trouble or data breaches. If you delete it too early, you might lose evidence needed for an audit or lawsuit. So data retention policies strike a balance between keeping data available when needed and removing it when it becomes a liability. This concept is a core part of governance and risk management because it helps organizations control their information, save storage costs, and stay compliant with laws like GDPR or HIPAA.
In everyday life, you probably already practice data retention. You keep important emails in your inbox until you no longer need them. You delete old photos from your phone to free up space. But for a company, it is not a personal choice. It is a formal policy written down and enforced with technology. Every piece of data gets a “retention period” and a “disposal method.” Some data might be archived to cheaper storage after a few months, then deleted after years. The key idea is that you do not delete everything immediately, and you do not keep everything forever. You follow a plan that matches the value and risk of the data.
Full Technical Definition
Data retention refers to the policies, procedures, and technical controls that determine how long data is stored, where it is stored, and how it is ultimately destroyed. It is a critical component of data lifecycle management (DLM) and information governance. In IT systems, data retention is implemented through automated rules that classify data based on type, sensitivity, or regulatory requirements. For example, a retention policy might specify that transactional database records are kept for seven years, then securely purged. These rules are often enforced by backup retention schedules, archive tiering, and deletion scripts. Standards such as ISO 27001, NIST SP 800-53, and regulations like GDPR, HIPAA, PCI DSS, and SOX mandate specific retention periods for different data categories. GDPR, for instance, requires that personal data not be kept longer than necessary for the purpose it was collected (storage limitation principle). HIPAA requires medical records to be retained for at least six years. PCI DSS requires cardholder data to be retained only as long as needed for business or legal purposes.
From a technical standpoint, data retention involves several mechanisms. Storage systems use features like object lock or immutable snapshots to prevent deletion before the retention period ends. Cloud providers offer lifecycle policies that automatically move data from hot storage to cold storage (e.g., S3 lifecycle transitions) and then delete it after a set number of days. Backup software maintains retention schedules that dictate how many daily, weekly, monthly, or yearly backups are kept. For databases, archiving and purging jobs remove old records based on timestamps. On endpoints, group policies enforce file retention and deletion rules. Encryption keys must also be retained or destroyed according to policy. The destruction phase is equally important: data must be rendered unrecoverable, typically through degaussing, cryptographic erasure, or secure overwriting (DoD 5220.22-M standard). Simply deleting files or formatting drives is not sufficient for compliance. Audit trails log retention actions to prove compliance.
In exam contexts for DP-900 (Azure Data Fundamentals), data retention covers how Azure storage services manage lifecycle management and blob retention policies. DP-900 expects you to know the difference between hot, cool, and archive access tiers and understand how retention policies govern blob immutability and time-based retention. For ISC2 CISSP, data retention falls under Domain 2: Asset Security, specifically the data lifecycle. You need to understand that retention policies must align with legal and regulatory requirements, and that destruction is the final phase. CISSP also emphasizes the difference between retention (keeping for a period) and preservation (keeping indefinitely for legal hold). Both exams test the concept that data retention policies should be defined before data is collected, not after.
Real-Life Example
Imagine you run a small cafe. Every day you write down customer orders on a notepad. At first, you keep every notepad because you might need to check inventory or resolve a complaint. But after a month, the pile of notepads becomes heavy. You decide to keep notepads for 90 days in case a customer says they were overcharged. After 90 days, you shred the notepads because storing them forever would waste space and risk someone finding a customer’s credit card number written on a slip. This is data retention. The notepads are your data. The 90-day rule is your retention policy. The shredding is your secure disposal.
Now imagine you have a computer system that stores all customer orders digitally. Instead of notepads, you have a database. The retention policy says: keep orders for three years because tax law requires it. The system automatically archives orders older than one year to cheaper storage, then deletes them after three years. This is exactly what companies do. Without a retention policy, you might delete orders too early and get fined by the tax authority. Or you might keep orders forever, and a hacker steals the data, causing a massive privacy breach. The analogy shows that retention is not about hoarding data, it is about managing risk and compliance. Just like you do not keep every coffee receipt from ten years ago, a company does not keep every log file forever. Both follow a common-sense rule: keep what you need for as long as you need it, then get rid of it safely.
Why This Term Matters
Data retention matters because data is an asset that also carries liability. Holding data beyond its useful life exposes an organization to security breaches, legal penalties, and unnecessary storage costs. For example, if a company keeps customer credit card numbers longer than required by PCI DSS, it faces fines and increased risk of theft. Conversely, deleting data early can lead to loss of evidence in lawsuits or failure to meet regulatory audit requirements. A proper data retention policy balances these risks. It ensures that data is available when needed for business operations, legal compliance, or historical analysis, and is deleted when no longer needed. This is a fundamental responsibility of IT professionals, data stewards, and security teams.
In practice, data retention affects system design and cost. Storage cost is directly tied to retention duration. Longer retention requires more capacity and higher cost, especially for high-performance storage. Tiered storage (hot, cool, archive) helps manage cost, but requires understanding of access patterns. Retention also impacts backup strategy. A company might keep daily backups for 30 days, weekly for 12 months, and yearly for 7 years. Each decision affects recovery point objectives (RPO) and recovery time objectives (RTO). In an incident, knowing that data is retained for a specific period can mean the difference between recovering from ransomware and losing everything. For exam candidates, understanding why matters is crucial because both DP-900 and CISSP ask about the business and legal drivers behind retention, not just the technical configuration. You must know that retention is not just an IT decision, it is a governance decision.
How It Appears in Exam Questions
Data retention questions appear in scenario-based, configuration, and troubleshooting formats. In DP-900, you might get a question like: “A company stores customer transaction data in Azure Blob Storage. They need to keep it for 5 years for compliance, then delete it automatically. Which feature should they use?” The answer is lifecycle management with a delete action after 5 years. Another common pattern is: “A healthcare company must keep patient records for 7 years. They want to minimize storage costs while ensuring data is not deleted early. What should they do?” The correct solution is to enable time-based retention policy on the container (immutability) and move blobs to archive tier after 30 days. You might also see true/false statements like: “Archive storage has the lowest cost but the highest retrieval time.” That is true.
In CISSP, questions are more conceptual. For instance: “An organization is subject to GDPR. A user requests deletion of their personal data under the right to erasure. However, the organization has a legal obligation to retain the data for 3 years. What should the organization do?” The correct answer is to retain the data for the required period and then delete it, while informing the user about the legal obligation. Another question: “A company has a data retention policy that states logs must be kept for 90 days. During an investigation, the CSIRT needs logs from 120 days ago. What is the most likely outcome?” The answer is that the logs have been purged, because the retention policy was enforced. This highlights the conflict between security needs and retention policy.
Troubleshooting questions might involve scenarios where data is accidentally deleted before the retention period ends. The solution could be to restore from backup or use point-in-time recovery, depending on the service. Or a question may describe a situation where storage costs are too high, and the candidate must recommend moving infrequent data to cooler tiers and setting appropriate retention rules. Always read the scenario carefully to identify if the question is about compliance cost optimization, or data protection. The key is to match the requirement with the appropriate retention mechanism.
Practise Data retention Questions
Test your understanding with exam-style practice questions.
Example Scenario
GreenLeaf Pharmacy stores customer prescription records in a cloud database. The law requires them to keep these records for 10 years after the last prescription is filled. After 10 years, the records must be destroyed to protect patient privacy.
GreenLeaf implements a retention policy on their Azure Blob Storage. Each blob (prescription file) is tagged with a creation date. Lifecycle management rules automatically move blobs older than 1 year to cool storage, and blobs older than 5 years to archive storage.
After 10 years, the blobs are deleted permanently. They enable time-based retention for 10 years on the container to prevent any accidental or malicious deletion before the period ends. One day, a regulatory auditor asks to see records from 8 years ago.
GreenLeaf retrieves them from archive storage within a few hours. They pass the audit because the data is intact. But a year later, a customer requests that their old prescription data be deleted under privacy laws.
GreenLeaf checks the retention policy and explains that they must keep it for 10 years due to federal law. After 10 years, the data is automatically purged. The customer is informed of the legal requirement.
This scenario shows how data retention balances compliance, security, and cost. GreenLeaf did not have to manually manage deletions or worry about data being lost early. The policy automated everything.
Common Mistakes
Thinking data retention means keeping everything forever.
Keeping data indefinitely increases storage costs, legal risk, and attack surface. Most regulations require data to be deleted after a defined period.
Understand that retention includes both keeping and deleting. Always define a maximum retention period and a disposal method.
Confusing retention with backup.
Retention is about compliance and lifecycle management; backup is about recovery from data loss. Backup copies may have their own shorter retention schedule.
Remember: retention governs original data lifecycle; backup governs copies for disaster recovery. They are separate policies.
Assuming deletion from a GUI is enough for compliance.
Simply deleting files or emptying the recycle bin does not permanently destroy data. Data remnants may be recoverable with forensic tools.
Always use secure deletion methods (overwriting, degaussing, cryptographic erasure) for data disposal, especially for sensitive data.
Setting a retention period without consulting legal or compliance teams.
IT cannot know all legal requirements. Setting the wrong period can lead to non-compliance and fines.
Collaborate with legal/compliance to determine retention periods based on regulations (GDPR, HIPAA, PCI DSS) and business needs.
Believing retention policies protect against ransomware.
Retention policies do not prevent encryption or deletion by attackers. They only automate scheduled deletion. Immutability can protect against malicious deletion, but retention alone is not a security control.
Separate retention from backup and security. Use immutable storage and regular backups to protect against ransomware.
Exam Trap — Don't Get Fooled
{"trap":"A question says: 'An organization needs to keep financial records for 7 years for compliance. They want to minimize storage costs. Which storage tier should they use for the entire 7 years?'
","why_learners_choose_it":"Learners see 'minimize costs' and '7 years' and immediately pick archive tier, because archive is cheapest.","how_to_avoid_it":"Archive tier is cheapest, but it has high retrieval costs and latency. If data is accessed rarely, archive is fine.
However, for the first year, data might be accessed frequently for audits. The best practice is to use lifecycle management: hot tier for first 30 days, cool for next 11 months, archive for remaining 6 years. The question says 'for the entire 7 years', so archive is technically correct, but only if access is extremely rare.
Read the question carefully: if it does not mention access patterns, archive is acceptable for pure compliance storage. But if the question mentions 'monthly access', then archive is wrong. The trap is assuming cost minimization trumps access requirements."
Step-by-Step Breakdown
Identify Data Types
First, classify all data the organization holds: personal data, financial records, health information, system logs, etc. Different types have different legal and business requirements.
Determine Legal and Regulatory Requirements
Consult laws (GDPR, HIPAA, PCI DSS, SOX) and internal policies to find minimum and maximum retention periods for each data type. Document these in a retention schedule.
Design Retention Policy
Create a policy that specifies retention periods, storage locations, access tiers, and disposal methods. The policy must be approved by legal, compliance, and data owners.
Implement Technical Controls
Use lifecycle management in cloud storage, immutability features, backup retention schedules, and archiving scripts. Automate as much as possible to prevent human error.
Enforce and Monitor
Audit retention processes regularly. Ensure that deletions happen on schedule and that legal holds are applied when needed. Log all actions for compliance evidence.
Practical Mini-Lesson
Data retention is something you will encounter in almost every IT role. As a system administrator, you might configure backup retention on a server. As a cloud architect, you set lifecycle policies in Azure or AWS. As a security professional, you ensure that data disposal is secure. The key practical skill is to translate business and legal requirements into technical configurations.
Let us walk through a real example. Suppose a retail company collects customer purchase data. The legal team says that under tax law, purchase records must be kept for 7 years. The marketing team wants to keep anonymized purchase history for 3 years for trend analysis. The security team says that credit card data (even if tokenized) should be purged after 1 year per PCI DSS. How do you implement this? First, classify data: raw purchase records (7-year retention), anonymized purchase history (3-year retention), tokenized card data (1-year retention). Then, in your database, you separate these into different tables or partitions. You write a SQL job that deletes rows older than the retention period. For cloud storage, you use lifecycle rules. For the 7-year data, you set a rule: after 30 days move to cool, after 365 days move to archive, delete after 2555 days (7 years). For the 3-year data, delete after 1095 days. For the 1-year data, delete after 365 days. You also enable immutable storage on the 7-year container to prevent early deletion.
What can go wrong? If the policy is not automated, someone might forget to delete old data. If the retention period is too short, you might lose data needed for a lawsuit. If you delete data without secure disposal, you risk data recovery. If you do not account for legal holds, you could delete data under preservation order, leading to court sanctions. A professional always documents the policy, tests the automated processes, and keeps audit logs. In exams, you are expected to know the tools (like Azure Blob lifecycle management, Amazon S3 lifecycle policies, SQL Server retention policies) and the principles (least privilege, need-to-know, storage limitation).
Memory Tip
Remember 'RAD' for Retention: Regulatory requirement, Access frequency, Disposal method. Three factors drive every retention decision.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
DP-900DP-900 →CISSPCISSP →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.
Frequently Asked Questions
Is data retention the same as data backup?
No. Data retention governs how long the original data is kept and when it is deleted. Data backup is about creating copies for recovery, and backup retention determines how long those copies are kept.
Who decides the retention period?
The data owner, in consultation with legal and compliance teams. IT implements the policy, but does not determine the period.
Can data retention help with ransomware?
Indirectly. Immutable storage (preventing deletion during retention) can protect against data being encrypted or deleted by attackers, but retention itself is not a backup strategy.
What happens if data is deleted before the retention period ends?
If done accidentally, you may need to restore from backup. If done intentionally without authorization, it could violate legal holds or compliance obligations. Immutability features prevent early deletion.
Does GDPR require a specific retention period?
No, GDPR requires that data is not kept longer than necessary for the purpose it was collected. The specific period depends on the purpose and legal obligations.
What is the difference between time-based retention and legal hold?
Time-based retention keeps data for a fixed period and then deletes it. Legal hold keeps data indefinitely until the hold is lifted, overriding normal retention policies.
Summary
Data retention is a fundamental governance practice that defines how long data is kept and how it is destroyed. It sits at the intersection of legal compliance, security, and cost management. Organizations must implement retention policies for all data they collect, classifying it by type and applying appropriate retention periods based on regulations like GDPR, HIPAA, and PCI DSS. The technical implementation involves lifecycle management, immutable storage, backup retention schedules, and secure disposal methods.
For IT certification exams, DP-900 focuses on Azure storage features such as lifecycle management and blob immutability. Questions test your ability to choose the correct storage tier and configure retention rules. CISSP emphasizes the policy and governance side, including the data lifecycle, legal holds, and the principle of storage limitation. Common mistakes include confusing retention with backup, thinking retention means keeping forever, and neglecting legal holds. Understanding these distinctions is key to passing the exam.
The takeaway is that data retention is not just about storing data, it is about managing data responsibly. As an IT professional, you will be responsible for implementing these policies correctly. On the exams, think about the business need behind the question: compliance, cost, or protection? That will guide you to the right answer. Always remember that the best retention policy is one that is documented, automated, audited, and aligned with both legal requirements and business objectives.