Skip to content

Data Retention Laws and Regulations

Data retention is not just about cleaning up a Confluence space but it helps your organization stay compliant against the growing number of laws and regulations around data practices. Laws and regulations related to data retention policies vary depending on the country, industry, and the type of data being handled. The following are some (not exhaustive) of the largest regulations, acts, and laws that apply to data retention policies.


It's important for your organization to carefully review the relevant laws and regulations applicable to their specific circumstances and seek legal advice to ensure compliance with data retention requirements. Failure to comply with these regulations can result in significant penalties, fines, and reputation damage.

General Data Protection Regulation (GDPR)
GDPR is a European Union regulation that governs the protection of personal data of EU citizens. It mandates strict requirements for the collection, storage, and processing of personal data, including specific provisions regarding data retention periods and purposes. While GDPR does not set a strict retention period, it specifies that organizations are obliged to publish and enforce retention policies.
California Consumer Privacy Act (CCPA)
CCPA is a state-level privacy law in California, USA, which grants California residents certain rights over their personal information held by businesses. It includes requirements for businesses to disclose data retention practices and allow consumers to request deletion of their personal data.
ISO/IEC 27001
The International Organization for Standardization ISO/IEC 27001 framework is an international standard requiring organizations to adhere to maintain data logs for a minimum of three years to ensure data security and mitigate potential regulatory penalties. Additional requirements include strict data access control, data disposal including the use of encryption, shredding, or other secure deletion methods (such as Retention Manager for Confluence). Data retention policies under ISO/IEC 27001 should clearly define the purposes for which data is collected and retained and ensure that data is not retained beyond what is necessary for those purposes. Additionally in ISO/IEC 27001 data retention policies should be subject to regular review and audit to assess compliance with policy requirements and identify areas for improvement.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law that sets standards for the protection of sensitive patient health information (PHI). HIPAA includes provisions for data retention and disposal of PHI by covered entities such as healthcare providers and health insurers. While HIPAA does not define a strict data retention period, it specifies a minimum retention period of six years for communications containing PHI.
Sarbanes-Oxley Act (SOX)
SOX is a US federal law aimed at improving corporate governance and financial reporting transparency. It includes requirements for the retention of financial records and communications, including electronic records, to ensure accountability and prevent fraud. Within SOX are differentiated retention period requirements based on the data type itself. Typically accounting ledgers must be retained for seven years, invoices require five years of retention, and payroll or bank records require indefinite retention.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) requires a data retention period of three years for contractors and federal agencies of the United States Government.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards designed to ensure the secure handling of credit card information by businesses that process, store, or transmit payment card data. It includes requirements for data retention and secure disposal of cardholder data. PCI DSS Requirement 3.1 for example, defines an appropriate retention and disposal period to limit the storage of consumer payment data only to the extent needed for legal, regulatory, or business justifications and that post-authorization storage of sensitive authentication data is prohibited.
Electronic Communications Privacy Act (ECPA)
ECPA is a US federal law that governs the privacy of electronic communications, including email and electronic records. It includes provisions related to data retention and disclosure of electronic communications by service providers.
Children's Online Privacy Protection Act (COPPA)
COPPA is a US federal law that imposes requirements on websites and online services that collect personal information from children under the age of 13. It includes provisions for data retention and parental consent.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, SI-12, recommends organizations "manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." Under NIST, organizations should set retention policies to content under NIST that extends through the lifecycle of the data or product itself.
Data Protection Laws of Other Jurisdictions
In addition to the above, companies may need to comply with various data protection laws and regulations in other jurisdictions where they operate or where their customers are located. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the Personal Data Protection Act (PDPA) in Singapore.


If your organization falls into an industry or does business with an organization in public utilities, banking, government, finance, or health care, you are more likely required to publish and strictly enforce a data retention policy and deploy a service such as Contention Retention Manager for Confluence.