Data Retention Period Calculator

Determine the minimum required data retention period based on data category, applicable regulations, jurisdiction, and business requirements. The result takes the longest mandatory retention window across the selected criteria and adds the litigation-hold and sensitive-data buffers described below.


Formula

Recommended Retention Period =
MAX(Regulatory Minimum, Business Need) + Litigation Hold Buffer + Sensitive Data Adder

  • Regulatory Minimum — the legally mandated minimum retention period for the selected data type and jurisdiction (see the Assumptions & References list below).
  • Business Need — the number of years the organisation operationally requires the data.
  • MAX() — the longer of the two values above forms the base; you must never retain less than the legal minimum, but may retain longer for legitimate business purposes.
  • Litigation Hold Buffer — 0 years (no risk), +2 years (possible dispute), or +5 years (active litigation) to protect against spoliation claims.
  • Sensitive Data Adder — +2 years when the dataset contains special-category or sensitive personal data, reflecting heightened regulatory scrutiny and potential for extended claims.

Example: Financial records under GDPR with 3-year business need, possible litigation, no sensitive data:
MAX(7, 3) + 2 + 0 = 9 years

Assumptions & References

  • GDPR Art. 5(1)(e) — storage limitation principle; personal data must not be kept longer than necessary. Financial/HR records typically 6–7 years under EU member-state tax law.
  • HIPAA 45 CFR §164.530(j) — covered entities must retain policies and documentation for 6 years from creation or last effective date.
  • SOX Section 802 (18 U.S.C. §1519) — audit workpapers and related records: 7 years minimum.
  • PCI-DSS Requirement 10.7 — audit log history retained for at least 12 months, with 3 months immediately available.
  • CCPA / CPRA — no explicit retention periods mandated, but data minimisation principles apply; 2–4 years reflects common practice.
  • UK Companies Act 2006 s.386–389 — accounting records: 3 years (private) or 6 years (public companies).
  • PIPEDA / Canadian Privacy Act — personal information used to make a decision about an individual must be retained long enough to allow the individual to access it (typically 1–7 years depending on sector).
  • Australian Privacy Act 1988 (APPs) — no universal minimum, but tax records 5 years, employment records 7 years under Fair Work Act 2009.
  • Litigation hold buffers are based on typical statutes of limitations: 2–6 years for contract claims in most common-law jurisdictions.
  • Sensitive data adder reflects GDPR Art. 9, HIPAA PHI rules, and the higher risk of regulatory investigation and individual claims associated with special-category data.
  • Retention periods are measured from the end of the relationship or last transaction, not from data creation, unless otherwise specified by the regulation.
  • This tool does not constitute legal advice. Consult a qualified data protection officer (DPO) or legal counsel for binding guidance.
