Data Retention: What to Keep and Why
Holding onto data you don't need is a liability, not a safety net. Here's how to decide what stays and what goes.
Last updated: March 20, 2026
Your inbox has emails from 2009. Your Google Drive has a folder called "Old Clients" that's 4GB. Your server still has records from customers who moved away a decade ago.
You're keeping all of it because "you never know."
Here's what you don't know: every piece of data you keep is something you can be forced to produce in a lawsuit. Every record you keep is something that can be stolen in a breach. Every file you don't delete is pure liability with no upside.
What this solves (in real business terms)
A data retention policy answers three questions:
- What do we keep?
- How long do we keep it?
- How do we delete it when the time comes?
Without this, you're either keeping everything (expensive, risky) or deleting randomly (potentially illegal). Neither is a strategy.
What can go wrong
The "gotcha" in discovery. You get sued over a contract dispute from 2018. Your opposing counsel sends a preservation demand. If you've been automatically deleting emails for 3 years, you're fine. If you've been keeping everything, you now have to produce 6 years of emails, and your own records will contain the worst possible interpretation of everything you ever wrote.
GDPR right to erasure. If a European customer asks you to delete their data, you have 30 days. If you don't know where their data is (because you never organized it), you either miss the deadline or lie about compliance. Either outcome is bad.
The breach amplification effect. Home Depot's 2014 breach exposed 56 million payment card numbers. A significant portion of the liability came from data they held longer than necessary. The more you keep, the bigger the target.
IRS doesn't care about your system. The IRS has 3 years to audit a return—or 6 years if they think you underreported income by more than 25%. If you've deleted your 2020 records because "we moved to QuickBooks Online," you have a problem.
What it costs (honest ranges)
| What | What you'll pay |
|------|----------------|
| DIY retention schedule based on regulations | $0 |
| Retention policy template (SBA, Nolo) | $0–$50 |
| Software to automate deletion (Google Vault, Microsoft Compliance) | $5–$15/user/month |
| Cloud backup with legal hold | $500–$3,000/year |
| Consultant to build your schedule | $1,500–$5,000 (one-time) |
What to actually keep
- Federal tax records: 7 years from filing date (keep W-2s, 1099s, expense receipts)
- Employment records: 4 years for most; 7 years for OSHA, ERISA
- Customer contracts: 7 years after contract ends
- Customer PII: only as long as you have an active relationship + 2 years
- Emails: 90 days for most; 3 years for anything related to contracts, legal, HR
- Website logs: 90 days
- Credit card receipts: 18 months (longer if disputed)
Delete everything older than these windows—except if you're in active litigation or a government investigation.
Minimum viable implementation
- Write down what you have. Physical, digital, cloud. Every system that stores business data.
- Apply a retention schedule. Use the chart above. If you're in a regulated industry (legal, medical, government contracting), add industry-specific requirements.
- Enable auto-deletion. Set Google Workspace/Microsoft 365 to purge email older than 90 days. Turn on log rotation. Enable transaction record purging in your POS system.
- Tag contracts with end dates. Create a calendar reminder 7 years after each contract expires to delete associated records.
- Handle legal holds manually. When litigation is pending (or even reasonably anticipated), stop all automatic deletion for relevant records. This is non-negotiable.
- Document everything. Your retention policy is: the schedule + what you actually do. They need to match.
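As an added example (not code from the original post), here is a small Python evaluator that applies the schedule above to an inventory of records, lets a legal hold override every retention window, refuses to auto-delete record types the schedule doesn't cover, and emits the per-record audit trail the steps call for. The record types, dates and matter id are constructed for the example.

```python
from datetime import date, timedelta

# Retention windows in days, taken from the schedule on this page
# (constructed mapping for this example; review against your own rules).
RETENTION_DAYS = {
    "tax": 7 * 365, "employment": 4 * 365, "contract": 7 * 365,
    "email": 90, "email_legal": 3 * 365, "web_log": 90, "card_receipt": 18 * 30,
}

def retention_decision(record, today, legal_holds):
    """Return ("delete" | "keep", reason) for one record dict with 'id',
    'type', 'end_date' (filing date, contract end, last activity, ...)
    and an optional 'matter' tying it to a legal matter."""
    # A legal hold overrides every window: the record stays until the
    # hold is lifted, however old it is.
    if record.get("matter") in legal_holds:
        return "keep", f"legal hold on matter {record['matter']}"
    window = RETENTION_DAYS.get(record["type"])
    if window is None:
        # Unknown types are never auto-deleted; they need a human decision.
        return "keep", f"no retention rule for type {record['type']!r}"
    expires = record["end_date"] + timedelta(days=window)
    if today >= expires:
        return "delete", f"window expired {expires.isoformat()}"
    return "keep", f"retained until {expires.isoformat()}"

def audit_report(records, today, legal_holds):
    """One line per record with the decision and its reason: the audit
    trail this page says to ask vendors for."""
    lines = []
    for r in records:
        decision, why = retention_decision(r, today, legal_holds)
        lines.append(f"{r['id']}\t{r['type']}\t{decision}\t{why}")
    return lines

# Constructed sample inventory and hold list (not real data).
TODAY = date(2026, 3, 20)
ACTIVE_HOLDS = {"M-2018-01"}  # hypothetical pending matter
SAMPLE_RECORDS = [
    {"id": "e1", "type": "email", "end_date": date(2025, 12, 1)},
    {"id": "e2", "type": "email", "end_date": date(2026, 2, 1)},
    {"id": "c1", "type": "contract", "end_date": date(2018, 6, 30), "matter": "M-2018-01"},
    {"id": "x1", "type": "scan_export", "end_date": date(2015, 1, 1)},
]

if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_RECORDS, TODAY, ACTIVE_HOLDS)))
```

Keep the report output alongside the written policy so that what the schedule says and what actually got deleted can be compared later.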
Vendor questions (copy/paste)
- "Can we set retention periods by data type or location, not just globally?"
- "What happens to data when the retention period expires? Is it permanently deleted or just marked for deletion?"
- "Does your tool support legal holds—can we preserve data even if it's past its retention date?"
- "How do we verify deletion happened? Can we generate an audit report?"
- "Does deletion work across all connected systems, or only the primary storage location?"
When to hire help
Hire help if:
- You're in a regulated industry with specific retention requirements (healthcare: HIPAA; finance: SEC/FINRA; legal: bar association rules)
- You've been acquired, merged, or are going through litigation
- You have data in more than 10 separate systems with no central management
- Your backups contain data older than 7 years (which most do—fix that)