Data Retention Compliance: Why Policy Must Be Matched by Process

Understanding Potential Data Protection Risks

In a recent survey we conducted, 48% of respondents identified data retention and deletion policies as one of the biggest data compliance challenges they currently face. While this may suggest uncertainty around policy design, the reality for many organisations is different.

Most organisations already have retention and deletion policies in place. The real challenge lies in ensuring those policies are supported by clear, repeatable processes that make them effective in practice.

Under regulations such as the GDPR, organisations are required not only to define how long personal data is retained, but to ensure it is deleted when it is no longer necessary. Having a policy alone is not sufficient — organisations must be able to demonstrate how that policy is implemented and enforced.

Policy vs Process: An Important Distinction

  • A retention policy sets out what should happen and why.
  • A process or procedure explains how it actually happens.

Without documented procedures, retention policies risk becoming theoretical. This gap often emerges during audits, regulatory enquiries, or data subject access requests, when organisations are asked to evidence how data is deleted in line with stated timeframes.

A Common Example: Email Retention

Email is one of the most common areas where policy and process diverge.

An organisation may have a policy stating that emails are deleted after six months. However, key operational questions are often left unanswered:

  • Is there an automated deletion schedule in place?
  • Does it apply to archived emails, shared mailboxes, and backups?
  • Who owns and reviews the retention settings?
  • How are legal holds managed and lifted?
  • Is deletion logged and auditable?

Without a defined process, emails may be retained indefinitely, increasing both compliance risk and data exposure.

Why Process Matters for GDPR Compliance

The GDPR places emphasis on accountability and demonstrability. Organisations must be able to show that retention limits are enforced consistently across systems and data types.

This requires:

  • Clear ownership of retention and deletion activities
  • Technical controls aligned to policy
  • Documented procedures for exceptions such as legal holds
  • Evidence that deletion actions are carried out as intended
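The email example above and the four requirements just listed are easiest to see as a single piece of working process. The following is an added example, not ProvePrivacy's code or any real mail system's API: a minimal retention-enforcement pass that applies a six-month rule to every mailbox type (user, shared, archive), skips items under legal hold, and writes one audit-log entry per decision so the run can be evidenced later. The 183-day window, the `Message` and `RetentionResult` types and the sample mailbox contents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: the policy's "six months" is implemented as a fixed 183-day window.
RETENTION_DAYS = 183


@dataclass
class Message:
    msg_id: str
    received: datetime
    mailbox: str              # "user", "shared" or "archive": the rule must cover all three
    legal_hold: bool = False  # set by the legal-hold procedure and lifted by its owner


@dataclass
class RetentionResult:
    deleted: list = field(default_factory=list)
    held: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)


def enforce_retention(messages, now, retention_days=RETENTION_DAYS, actor="retention-job"):
    """Apply the retention rule to every message, regardless of mailbox type.

    Messages received before the cutoff are deleted unless they are under legal
    hold; every decision (delete or hold) is recorded in the audit log, which is
    the evidence an auditor or regulator would ask for.
    """
    cutoff = now - timedelta(days=retention_days)
    result = RetentionResult()
    for m in messages:
        if m.received > cutoff:
            continue  # still inside the retention period: no action, nothing to log
        entry = {
            "time": now.isoformat(),
            "actor": actor,
            "msg_id": m.msg_id,
            "mailbox": m.mailbox,
            "received": m.received.isoformat(),
            "cutoff": cutoff.isoformat(),
        }
        if m.legal_hold:
            # Documented exception: the item is past its retention date but must be kept.
            result.held.append(m.msg_id)
            entry["action"] = "retained"
            entry["reason"] = "legal_hold"
        else:
            result.deleted.append(m.msg_id)
            entry["action"] = "deleted"
            entry["reason"] = "retention_expired"
        result.audit_log.append(entry)
    return result


def sample_run():
    """Constructed sample data: four messages spread across three mailbox types."""
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    messages = [
        Message("A", datetime(2023, 11, 1, tzinfo=timezone.utc), "user"),
        Message("B", datetime(2024, 5, 15, tzinfo=timezone.utc), "user"),
        Message("C", datetime(2023, 10, 1, tzinfo=timezone.utc), "archive", legal_hold=True),
        Message("D", datetime(2023, 12, 1, tzinfo=timezone.utc), "shared"),
    ]
    return enforce_retention(messages, now)


if __name__ == "__main__":
    r = sample_run()
    print("deleted:", r.deleted, "held:", r.held)
    for e in r.audit_log:
        print(e)
```

Running `sample_run()` deletes A and D, holds C, and leaves B untouched because it is still within the window; the three audit entries record who acted, on what, and why, which is the "evidence that deletion actions are carried out as intended" the list above calls for. In a real deployment the same loop would also need to reach backups, and the `legal_hold` flag would be set and cleared by the documented hold procedure rather than by the deletion job.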

Where these elements are missing, organisations may believe they are compliant while unknowingly retaining personal data beyond permitted periods.

Moving Beyond Policy-Only Compliance

The survey results highlight that retention and deletion remain challenging not because policies are absent, but because execution is complex. It does not need to be.

Effective data retention compliance requires policy and process to work together. Policies define intent, but procedures, systems, and accountability are what turn that intent into consistent, defensible practice.

For organisations looking to strengthen their GDPR compliance posture, the focus should be not just on what the policy says — but on how it is carried out, monitored, and evidenced every day.

The ProvePrivacy platform has been developed to provide key features to help organisations manage, monitor and evidence data protection compliance. This includes a retention schedule to help manage the process of data retention. Book a demo to see the ProvePrivacy platform in action.
