
Data Retention and Disposal Procedure Free Template

This Data Retention and Disposal Procedure template is written to satisfy SOC 2 Privacy Criteria P1.1 and P1.2. Values in angle brackets are placeholders to be replaced with the adopting organization's own details.

1. Document Control

  • Document Title: Data Retention and Disposal Procedure

  • Document Identifier: PRC-ALL-004

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Chief Privacy Officer>

  • Approved By: <Data Governance Committee>

2. Purpose

The purpose of this procedure is to define the rules and responsibilities for the retention, archival, and secure disposal of data throughout its lifecycle at <Organization>. This procedure ensures that personal and business data is retained only as long as it is legally, contractually, or operationally necessary, and that data is disposed of in a secure and compliant manner once it is no longer required.

This document supports SOC 2 Privacy Criteria P1.1 and P1.2, which require that organizations (1) identify and retain personal information only as long as necessary to fulfill disclosed purposes, and (2) securely dispose of personal information when it is no longer needed. By enforcing these practices, <Organization> minimizes privacy risk, supports data minimization principles, reduces liability, and maintains compliance with applicable data protection regulations such as GDPR and CCPA.

3. Scope

This procedure applies to all data—physical or digital—created, received, stored, or processed by <Organization>. It covers all business units, departments, and data systems, including cloud platforms, third-party applications, databases, file shares, and backup systems.

The scope includes:

  • Customer and client personal data

  • Employee and HR records

  • Financial, contractual, and operational records

  • Emails, logs, and digital files

  • Archived and backup media

This procedure applies to all staff, contractors, service providers, and affiliates handling data on behalf of <Organization>.

4. Policy Statement

<Organization> shall retain data only for as long as is required to fulfill legal, regulatory, contractual, or business purposes. Once data is no longer necessary, it shall be disposed of securely, in a manner that prevents unauthorized recovery or access.

Key requirements include:

  • Data retention periods must be defined for each data category.

  • Records containing personal or sensitive data shall not be kept longer than necessary.

  • Data must be disposed of securely, using industry-standard deletion or destruction methods.

  • Data subject to legal holds must be excluded from disposal until holds are lifted.

  • Retention and disposal logs shall be maintained for auditability and accountability.

These requirements apply uniformly across physical files, digital storage, backups, and third-party hosted environments.

5. Safeguards

The following technical and procedural controls support secure retention and disposal (Control ID: Control Description):

  • DRD-001: Data retention schedules must be created and reviewed annually for each data type.

  • DRD-002: Data marked for disposal must be irreversibly deleted using NIST 800-88 or equivalent methods.

  • DRD-003: Paper records must be shredded or destroyed using certified services.

  • DRD-004: Disposal actions must be documented, including date, method, and responsible party.

  • DRD-005: Backup data is retained according to approved business continuity policies and disposed of once retention periods expire.

  • DRD-006: Data processors and vendors must be contractually bound to equivalent disposal standards.

  • DRD-007: Data subject to regulatory holds (e.g., litigation) must be tagged and excluded from disposal processes.

  • DRD-008: All users must receive training on secure data retention and disposal as part of privacy awareness.

6. Roles and Responsibilities

  • Chief Privacy Officer (CPO): Owns the data retention framework and approves all category-level retention schedules. Coordinates cross-functional data governance.

  • Information Security Team: Implements technical controls to support secure deletion and logs disposal events for digital assets.

  • Department Heads: Classify data within their units, assign data owners, and ensure team-level compliance with retention rules.

  • IT Department: Manages data backups, storage systems, and supports deletion activities, including overwriting or secure decommissioning.

  • Legal Department: Advises on regulatory and litigation hold requirements.

  • Employees: Responsible for classifying and disposing of data in accordance with policy, and reporting any improper retention or disposal practices.

7. Compliance and Exceptions

Compliance will be verified through internal audits, conducted semi-annually by the Data Governance team. Audit focus areas include:

  • Conformance to defined retention periods

  • Completeness of disposal logs

  • Proper execution of secure deletion

  • Vendor adherence to contractual terms for retention/disposal

Exceptions to retention schedules require written approval by the CPO and must document the business justification and an expiration timeline. All exceptions are reviewed annually.

8. Enforcement

Failure to adhere to this procedure may result in:

  • Employees: Disciplinary action up to and including termination, particularly for negligent or unauthorized retention/disposal of personal data.

  • Contractors/Vendors: Escalation to procurement/legal teams and potential contract termination for non-compliance.

  • Organizational Risk: Violations may lead to regulatory penalties, reputational harm, or legal exposure in the event of data breaches or non-compliance audits.

All violations will be logged, investigated, and remediated according to the company’s Incident Response Plan and HR disciplinary framework.

9. Related Policies/Documents

  • POL-ALL-015: Data Protection and Privacy Policy

  • POL-ALL-014: Information Classification Policy

  • PRC-ALL-003: Information Asset Inventory Procedure

  • PRC-IT-006: Backup and Restoration Procedure

  • SOC 2 Privacy Criteria P1.1, P1.2

  • ISO 27001:2022 A.5.12 – A.5.13, A.7.5.3

  • NIST 800-88 (Guidelines for Media Sanitization)

10. Review and Maintenance

This procedure shall be reviewed at least annually or in response to:

  • Regulatory or legal updates (e.g., new data protection laws)

  • Changes in business operations or data storage technologies

  • Audit findings or security incidents

The Chief Privacy Officer, with support from Legal, IT, and Data Governance, is responsible for leading this review. Changes will be tracked via formal version control in the document management system and disseminated via compliance communications.


Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
