SOC 2 Data Retention and Disposal Process

Learn how to implement the SOC 2 Data Retention and Disposal process under CC6.5, including steps, evidence, and tools.


Overview

Data Retention and Disposal is the process of defining, enforcing, and verifying how long company data is retained and how it is securely disposed of when no longer needed. SOC 2 CC6.5 requires that logical and physical protections over an asset are removed only after the data on it has been rendered unrecoverable and is no longer needed to meet the entity's objectives; this process provides that assurance, and keeping only data that is still needed also shrinks what any compromised account or system can reach.

Step-by-Step Process

  1. Identify in-scope data repositories

    The Engineering Lead identifies all systems that store customer or internal data, including cloud storage, databases, backups and snapshots, log pipelines, and ad hoc files (exports, spreadsheets, shared drives). The output is a documented list of in-scope repositories with system owners.

    Role: Engineering Lead

  2. Define retention requirements

    The Engineering Lead reviews contractual, legal, and business requirements to define retention periods for each data type, and records any legal-hold conditions under which deletion must be suspended. The output is an approved data retention matrix mapping data types to retention durations.

    Role: Engineering Lead

  3. Configure retention mechanisms

    The Engineering Lead implements technical controls to enforce retention rules using lifecycle policies, scripts, or manual tracking depending on the system. The output is a configured retention control in each in-scope system.

    Role: Engineering Lead

  4. Document disposal method

    For each system, the Engineering Lead documents how data is deleted or rendered unrecoverable (e.g., permanent deletion, overwrite, destruction of the encryption key). Deleting a row or object does not remove it from backups, snapshots, or replicas, so the disposal method must also state when those copies age out. The output is a disposal method description aligned to each repository.

    Role: Engineering Lead

  5. Execute annual retention review

    Once per year, the Engineering Lead reviews retention configurations and verifies they still match approved requirements. The output is a dated annual review record with noted changes or confirmations.

    Role: Engineering Lead

  6. Validate data deletion

    The Engineering Lead performs spot checks to confirm expired data has been deleted according to policy, for example by querying each in-scope store for records older than the retention cutoff (the expected result is zero) and by confirming that objects past the lifecycle expiration no longer exist. The output is evidence of deletion such as logs, screenshots, or query results.

    Role: Engineering Lead

  7. Store evidence for audit

    All documentation and proof of retention and disposal are stored in the compliance evidence repository. The output is a complete, audit-ready evidence set for the review period.

    Role: Engineering Lead

What You Need Before Starting

  • Approved data retention policy
  • List of production systems and data stores
  • Access to AWS, databases, or file repositories
  • Prior year retention review records

Evidence Your Auditor Expects

  • Dated data retention matrix approved by Engineering Lead (PDF or doc, with last updated date)
  • Screenshot of AWS S3 lifecycle rule showing expiration days and last modified timestamp, or the JSON output of `aws s3api get-bucket-lifecycle-configuration --bucket <bucket>` saved with the date it was captured
  • Database script execution log showing deletion job run with date/time
  • Annual retention review checklist signed and dated by Engineering Lead

How This Looks In Your Tools

AWS S3 Lifecycle

Log in to the AWS Management Console and navigate to S3 > Buckets. Select the in-scope bucket, then open the Management tab and choose Lifecycle rules.

Click Create lifecycle rule, name the rule (e.g., “Delete objects after 365 days”), and define the scope (prefix or tag if applicable). Under Lifecycle rule actions, select Expire current versions of objects and enter the retention period in days, then save the rule. If bucket versioning is enabled, expiring the current version only adds a delete marker and the data remains readable as a noncurrent version; also select Permanently delete noncurrent versions of objects with a number of days so the data is actually removed. Lifecycle actions run asynchronously (objects become eligible after midnight UTC following the day they qualify), so a spot check made the same day may still list objects that are about to expire.
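A check that compares each bucket's lifecycle configuration against the approved retention matrix, catching the three ways a rule silently fails to enforce retention: no rule at all, a rule that is disabled or covers only a prefix, and a versioned bucket whose rule never deletes noncurrent versions. This is an added example and is not code from the page or from AWS; it evaluates the dict shape returned by boto3's `s3.get_bucket_lifecycle_configuration()` (which raises `NoSuchLifecycleConfiguration` when a bucket has none), and the bucket names, retention days and sample responses below are constructed for the demonstration.

```python
"""Compare S3 lifecycle rules with the approved retention matrix (added example)."""

# Hypothetical approved retention matrix: bucket -> maximum retention in days.
RETENTION_MATRIX = {
    "acme-customer-exports": 365,
    "acme-app-logs": 90,
    "acme-scratch": 30,
}

# Constructed responses shaped like get_bucket_lifecycle_configuration() output.
# None stands for the NoSuchLifecycleConfiguration error (no rules at all).
SAMPLE_LIFECYCLES = {
    "acme-customer-exports": {
        "Rules": [{
            "ID": "Delete objects after 365 days",
            "Filter": {},                      # empty filter = whole bucket
            "Status": "Enabled",
            "Expiration": {"Days": 365},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 30},
        }]
    },
    "acme-app-logs": {
        "Rules": [
            {   # prefix-scoped rule with the wrong period: covers only 2023/
                "ID": "expire-old-logs",
                "Filter": {"Prefix": "2023/"},
                "Status": "Enabled",
                "Expiration": {"Days": 180},
            },
            {   # the bucket-wide rule exists but someone disabled it
                "ID": "bucket-wide",
                "Filter": {},
                "Status": "Disabled",
                "Expiration": {"Days": 90},
            },
        ]
    },
    "acme-scratch": None,
}

# Constructed versioning state (in practice from get_bucket_versioning()["Status"] == "Enabled").
VERSIONED = {"acme-customer-exports": True, "acme-app-logs": True, "acme-scratch": False}


def covers_whole_bucket(rule):
    """True only if the rule applies to every object (no prefix, tag or size filter)."""
    if "Prefix" in rule:                       # legacy top-level prefix form
        return rule["Prefix"] == ""
    f = rule.get("Filter") or {}
    narrowing = ("Tag", "And", "ObjectSizeGreaterThan", "ObjectSizeLessThan")
    return not f.get("Prefix") and not any(k in f for k in narrowing)


def check_bucket(bucket, max_days, lifecycle, versioned=False):
    """Return a list of findings for one bucket; an empty list means compliant."""
    if lifecycle is None:
        return [f"{bucket}: no lifecycle configuration, {max_days}-day retention not enforced"]
    findings, covering = [], []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            findings.append(f"{bucket}: rule {rule.get('ID')!r} is disabled")
        elif covers_whole_bucket(rule):
            covering.append(rule)
    if not covering:
        findings.append(f"{bucket}: no enabled rule covers the whole bucket")
        return findings
    for rule in covering:
        rid = rule.get("ID")
        days = rule.get("Expiration", {}).get("Days")
        if days is None:
            findings.append(f"{bucket}: rule {rid!r} has no Expiration.Days")
        elif days > max_days:
            findings.append(f"{bucket}: rule {rid!r} expires after {days} days, matrix allows {max_days}")
        if versioned:
            # On a versioned bucket Expiration only writes a delete marker; the bytes
            # stay readable until NoncurrentVersionExpiration removes the old version.
            nc = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
            if nc is None:
                findings.append(f"{bucket}: versioned, but rule {rid!r} never deletes noncurrent versions")
            elif nc > max_days:
                findings.append(f"{bucket}: rule {rid!r} keeps noncurrent versions {nc} days, matrix allows {max_days}")
    return findings


def run_check(matrix, lifecycles, versioned):
    """Return {bucket: [findings]} for every non-compliant bucket in the matrix."""
    report = {}
    for bucket, max_days in matrix.items():
        findings = check_bucket(bucket, max_days, lifecycles.get(bucket), versioned.get(bucket, False))
        if findings:
            report[bucket] = findings
    return report


if __name__ == "__main__":
    for bucket, findings in run_check(RETENTION_MATRIX, SAMPLE_LIFECYCLES, VERSIONED).items():
        print("\n".join(findings))
```

Run it as part of the annual review (or on a schedule) and keep the dated output with the evidence set; it is a more defensible artifact than a screenshot because it states the rule that was evaluated and the matrix value it was compared against.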

Database scripts

Access the database using an approved client (e.g., psql, MySQL Workbench). The deletion job itself should run under a dedicated account granted DELETE (and SELECT for the dry run) only on the in-scope tables rather than under administrative credentials, so that a bug or a compromised job credential cannot reach other data. Review existing scheduled jobs or scripts that handle data deletion by checking cron jobs or job schedulers.

If needed, create or update a deletion script that removes records older than the defined retention period. Execute the script in a non-production environment first, preferably with a dry-run mode that only counts the rows that would be deleted, then schedule it for production and retain execution logs showing the run date, the cutoff used, and the number of affected rows. Delete in bounded batches so a large backlog does not hold long locks, and remember that rows removed here persist in database backups and snapshots until those age out under their own retention setting.
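A retention deletion job that covers the steps above in one runnable piece: a dry run that counts what would be removed, batched deletion, an execution log row with run date, cutoff and affected rows (the evidence the auditor asks for), and the post-run verification query from step 6. This is an added example, not the page's own script; it uses SQLite from the Python standard library so it runs offline, the table, rows and 365-day period are constructed, and the same structure carries over to PostgreSQL or MySQL with that driver's placeholder syntax.

```python
"""Batched retention purge with an execution log and verification (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365            # hypothetical value from the approved retention matrix
TABLE, TS_COLUMN = "support_tickets", "created_at"   # constants, never user input
BATCH_SIZE = 2                  # tiny so the demo shows batching; use 1000-10000 in production


def seed_demo(conn, now):
    """Constructed data: five rows past the cutoff, three still within retention."""
    conn.executescript(f"""
        CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, {TS_COLUMN} TEXT NOT NULL, body TEXT);
        CREATE TABLE retention_log (run_at TEXT, table_name TEXT, cutoff TEXT,
                                    rows_deleted INTEGER, dry_run INTEGER);
    """)
    # ISO 8601 UTC strings compare correctly as text, which SQLite relies on below.
    ages = (400, 390, 380, 370, 366, 364, 100, 1)
    conn.executemany(f"INSERT INTO {TABLE} ({TS_COLUMN}, body) VALUES (?, ?)",
                     [((now - timedelta(days=d)).isoformat(), "ticket text") for d in ages])
    conn.commit()


def purge_expired(conn, now, dry_run=False):
    """Delete rows older than the cutoff in batches. Returns (cutoff, rows_affected)."""
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
    if dry_run:
        (affected,) = conn.execute(
            f"SELECT COUNT(*) FROM {TABLE} WHERE {TS_COLUMN} < ?", (cutoff,)).fetchone()
    else:
        affected = 0
        while True:
            cur = conn.execute(
                f"DELETE FROM {TABLE} WHERE rowid IN "
                f"(SELECT rowid FROM {TABLE} WHERE {TS_COLUMN} < ? LIMIT ?)",
                (cutoff, BATCH_SIZE))
            conn.commit()                     # short transactions, short locks
            if cur.rowcount == 0:
                break
            affected += cur.rowcount
    # The log row is the audit evidence: when it ran, what cutoff, how many rows.
    conn.execute("INSERT INTO retention_log VALUES (?, ?, ?, ?, ?)",
                 (now.isoformat(), TABLE, cutoff, affected, int(dry_run)))
    conn.commit()
    return cutoff, affected


def count_expired(conn, cutoff):
    """Step 6 spot check: rows older than the cutoff still present (expected 0)."""
    (n,) = conn.execute(
        f"SELECT COUNT(*) FROM {TABLE} WHERE {TS_COLUMN} < ?", (cutoff,)).fetchone()
    return n


def run_demo():
    """Rehearse (dry run), purge, verify; returns the figures for the evidence file."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a repeatable demo;
    conn = sqlite3.connect(":memory:")                 # production uses datetime.now(timezone.utc)
    seed_demo(conn, now)
    _, would_delete = purge_expired(conn, now, dry_run=True)
    cutoff, deleted = purge_expired(conn, now)
    log = conn.execute(
        "SELECT run_at, cutoff, rows_deleted, dry_run FROM retention_log").fetchall()
    return {"would_delete": would_delete, "deleted": deleted,
            "remaining_expired": count_expired(conn, cutoff), "log": log}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The dry run and the real run should report the same count; a mismatch means rows were written with old timestamps between the two, or the cutoff drifted, and is worth a note in the review record. Rows deleted this way still exist in backups until the backup retention period expires, so the disposal method for the database should cite both figures.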

Spreadsheet

Open the approved data retention tracking spreadsheet in the company’s document repository. Ensure columns include system name, data type, retention period, disposal method, and last review date.

Update the spreadsheet during the annual review to confirm retention periods and mark records as disposed where applicable. Save the file with a date-stamped filename and restrict edit access to authorized owners.

Common Audit Findings

Retention rules not consistently applied
This occurs when some systems are overlooked during configuration. Prevent it by maintaining an up-to-date inventory of data repositories and reviewing it annually.
No evidence of data deletion
Auditors flag this when deletion occurs automatically but is not documented. Prevent it by retaining screenshots, logs, or query outputs that show deletion events with timestamps.
Retention periods not formally approved
This happens when teams implement retention based on assumptions. Prevent it by documenting retention requirements and obtaining explicit approval from the Engineering Lead.
Annual review not performed
This finding arises when retention controls are set once and never revisited. Prevent it by scheduling a recurring annual review and documenting completion.

Key Roles

Engineering Lead