Your litigation hold is solid. Your eDiscovery process is documented. But when opposing counsel asks how long you kept a specific category of records, and why, the answer is often “our IT team handles that.”
That answer does not hold up in court. It rarely holds up in a regulatory audit either.
Data retention is a legal obligation, not a storage preference. For in-house counsel, the consequences of getting it wrong range from spoliation sanctions to regulatory fines to failed M&A due diligence. The patchwork of federal, state, and international rules makes this one of the more underestimated compliance risks sitting inside most legal departments right now.
This article gives you the framework to own it.
What Is a Data Retention Policy (and Why It’s a Legal Problem, Not Just an IT One)
A data retention policy defines what data you keep, for how long, where you store it, and how you destroy it when the retention period ends. Most organizations have one. Far fewer have one that was built with legal input.
The gap matters because retention decisions carry legal consequences. Destroy records too early, and you face spoliation claims in litigation or obstruction allegations in regulatory proceedings. Retain records too long, and you create unnecessary exposure: more data in scope for discovery, more personal information subject to privacy law, more liability in a breach.
IT teams think about storage costs and data lifecycle. Legal teams need to think about defensibility. The question is not “what can we delete?” It is “what are we required to keep, for how long, and what happens if we deviate from that schedule?”
Answering that question requires a legal lead, not a systems administrator.
Key US Data Retention Requirements GCs Must Track
There is no single US federal data retention law. What exists is a collection of sector-specific rules, each with its own schedule, each enforced by a different agency.
The Sarbanes-Oxley Act requires public companies to retain audit work papers for seven years and prohibits destruction of documents relevant to an investigation. The IRS recommends keeping tax records for at least three to seven years depending on the filing type. HIPAA requires covered entities to retain medical records for six years from creation or last use. FINRA Rule 4511 mandates broker-dealers retain records for six years in many categories, with some records requiring permanent retention. The Federal Rules of Civil Procedure impose a duty to preserve once litigation is reasonably anticipated, with no fixed timeline, because that obligation is triggered by circumstances, not a calendar.
Layered on top of these are state-level rules. California, New York, Texas, and Illinois each have statutes governing specific document types, from employment records to consumer financial data, with retention schedules that do not always align with federal requirements.
What this means practically: a mid-market company with employees in multiple states, a public securities filing, and HIPAA-adjacent vendor relationships is subject to at least five distinct retention regimes simultaneously. Tracking those requirements as a single coherent policy is the in-house counsel’s job, not a default setting in the document management system.
Global Data Retention Obligations: GDPR, CCPA, and Beyond
If your company operates internationally, data retention becomes structurally more complex.
The GDPR does not specify fixed retention periods for most data categories. Instead, it requires that personal data be kept “no longer than necessary” for the purpose for which it was collected (the storage limitation principle). That sounds reasonable until you realize it creates a documentation obligation: you must be able to justify every retention decision against a stated, lawful purpose. The UK GDPR follows the same framework post-Brexit.
CCPA compliance imposes disclosure requirements that interact with retention. If you retain consumer data, California residents have the right to know how long you retain each category. If you cannot answer that question in writing, on demand, you are not compliant, regardless of how good your privacy notice looks.
Brazil’s LGPD, Canada’s PIPEDA, and India’s Digital Personal Data Protection Act each add their own wrinkles. Retention periods that comply with GDPR may not satisfy Brazilian financial regulation. Deletion timelines that satisfy CCPA may conflict with HIPAA’s minimum retention floors.
For GCs managing overlapping AI and data governance obligations, particularly where AI systems are trained on retained data, the compliance picture gets more layered still. We covered the cross-border complexity of AI governance separately in our EU AI Act guide for General Counsels.
The core principle across all of these frameworks is the same: retention decisions must be intentional, documented, and defensible. Accidental compliance is not compliance.
Building a Defensible Data Retention Program In-House
A defensible retention program has four components. Most in-house teams have two of them.
First, a data map. You cannot create a retention schedule for data you have not located. This means working with IT, HR, finance, and product teams to catalogue where data lives across structured databases, email archives, collaboration tools, third-party SaaS platforms, and physical records.
Second, a legally grounded retention schedule. This is where legal operations intersects directly with legal substance. Each data category needs a retention period tied to the longest applicable legal requirement, not the shortest, not the most convenient. The schedule should be reviewed annually and updated when regulatory changes occur.
Third, a litigation hold process that integrates with the retention schedule. When litigation is anticipated, automated deletion must stop for relevant data categories. That requires a connection between your legal team and your IT infrastructure that most companies have not built. Failing here is how organizations end up with spoliation issues even when they have a retention policy.
Fourth, documented destruction. Deleting data without a record of what was deleted, when, and under what authority creates its own risk. Destruction logs are discovery targets too.
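As an added illustration of how the four components fit together in the legal-to-IT handoff (this is example code written for this edit, not part of the original article and not LawFlex tooling), the Python below models a simplified retention sweep: a category missing from the data map is refused rather than guessed, each category's period is the longest applicable floor, an active litigation hold overrides the schedule and stops deletion, and every destruction is written to a log with its authority. The retention figures are the ones this article cites (SOX 7, HIPAA 6, FLSA 3, ERISA 6, EEOC 1 years); the category names, the pairing of regimes with categories (including a payroll category falling under both FLSA and ERISA), the record ids, dates, custodians and the hold matter are constructed sample values. The same longest-floor logic is what the FAQ answers below on employee records and on deletion-versus-retention conflicts describe.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Retention floors in years. The numbers are the ones this article cites (SOX 7,
# HIPAA 6, FLSA 3, ERISA 6, EEOC 1); the category names and which regimes attach to
# which category are a constructed, simplified schedule for illustration only.
RETENTION_SCHEDULE = {
    "audit_work_papers": {"SOX": 7},
    "medical_records": {"HIPAA": 6},
    "benefit_plan_payroll": {"FLSA": 3, "ERISA": 6},  # two regimes apply: longest wins
    "personnel_files": {"EEOC": 1},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    custodian: str


@dataclass(frozen=True)
class LitigationHold:
    """A hold names the categories it freezes; it overrides the schedule while active."""
    matter: str
    categories: frozenset
    issued: date
    released: Optional[date] = None  # None means the hold is still in force

    def covers(self, rec: Record, today: date) -> bool:
        if today < self.issued:
            return False
        if self.released is not None and today >= self.released:
            return False
        return rec.category in self.categories


@dataclass
class DestructionLog:
    """Destruction record: what was deleted, when, and under what authority."""
    entries: list = field(default_factory=list)


def effective_retention(category: str):
    """Resolve conflicting regimes by taking the longest floor; refuse unmapped data."""
    regimes = RETENTION_SCHEDULE.get(category)
    if not regimes:
        raise ValueError(f"category {category!r} is not on the data map; map it before scheduling")
    regime = max(regimes, key=regimes.get)
    return regimes[regime], regime


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolled into a non-leap year
        return d.replace(year=d.year + years, day=28)


def evaluate(rec: Record, holds, today: date, log: DestructionLog):
    """Return (decision, reason); decision is PRESERVE, RETAIN or DESTROY."""
    active = [h.matter for h in holds if h.covers(rec, today)]
    if active:  # a hold trumps the schedule, so automated deletion stops here
        return "PRESERVE", "litigation hold: " + "; ".join(active)
    years, regime = effective_retention(rec.category)
    expiry = add_years(rec.created, years)
    if today < expiry:
        return "RETAIN", f"{regime} floor of {years}y runs until {expiry.isoformat()}"
    log.entries.append({
        "record_id": rec.record_id,
        "category": rec.category,
        "created": rec.created.isoformat(),
        "destroyed_on": today.isoformat(),
        "authority": f"schedule:{regime}:{years}y",
    })
    return "DESTROY", f"{regime} floor of {years}y expired {expiry.isoformat()}"


def run_sweep(records, holds, today: date):
    log = DestructionLog()
    decisions = {r.record_id: evaluate(r, holds, today, log) for r in records}
    return decisions, log


# Constructed sample data: ids, dates, custodians and the matter name are invented.
SAMPLE_TODAY = date(2026, 1, 15)
SAMPLE_RECORDS = [
    Record("R1", "benefit_plan_payroll", date(2019, 6, 30), "finance"),  # past ERISA 6y
    Record("R2", "benefit_plan_payroll", date(2022, 3, 1), "finance"),   # past FLSA 3y only
    Record("R3", "personnel_files", date(2024, 2, 29), "hr"),            # past EEOC 1y, on hold
    Record("R4", "audit_work_papers", date(2020, 1, 1), "audit"),        # inside SOX 7y
    Record("R5", "medical_records", date(2019, 12, 31), "clinic"),       # past HIPAA 6y
]
SAMPLE_HOLDS = [
    LitigationHold("Doe v. ExampleCo (constructed)", frozenset({"personnel_files"}), date(2025, 11, 1)),
]


def demo():
    return run_sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, SAMPLE_TODAY)


if __name__ == "__main__":
    decisions, log = demo()
    for rid, (decision, reason) in decisions.items():
        print(f"{rid}: {decision:8} {reason}")
    for entry in log.entries:
        print("destruction log:", entry)
```

Running it shows R2 retained even though the FLSA floor alone has passed, because the ERISA floor governs; R3 preserved despite an expired EEOC floor, because the hold is active; and only R1 and R5 reaching the destruction log, each with the schedule entry that authorised the deletion. The design choice worth noting is that the hold check runs before the schedule is consulted at all, which is the integration point the paragraph above says most companies have not built.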
The operational complexity of building this properly is why some legal departments treat it as a legal ops function rather than a one-time compliance project. That framing is right. Thinking about how to structure internal oversight for this kind of ongoing compliance work is something we addressed when we wrote about building a modular legal department.
When to Bring in Outside Support for Data Retention Compliance
There are three situations where in-house teams consistently benefit from external legal support on data retention.
The first is a multi-jurisdiction audit or regulatory inquiry. When a regulator asks for records and your retention schedule has gaps, you need lawyers who understand both the substantive law and the enforcement context, not just the policy document your IT team drafted.
The second is a program build from scratch. If your company has grown quickly, entered new markets, or recently acquired another business, your retention infrastructure probably does not reflect your current legal exposure. Building it correctly requires outside expertise, at least at the design stage.
The third is ongoing monitoring. Retention law changes. CCPA amendments, SEC rulemaking, and new state privacy statutes all affect retention obligations. Maintaining current awareness across jurisdictions is a continuous workload, not a one-time project.
LawFlex deploys compliance lawyers experienced in data privacy and regulatory obligations, matched to your specific jurisdictions and industries, without a long-term contract. For GCs who need to operationalize compliance support quickly, the model provides specialist capacity without adding headcount.
For GCs considering how to structure that kind of ongoing support, the GC Playbook for Managed Legal Services is a useful starting point.
FAQ: Data Retention Laws for In-House Counsel
How long do companies need to retain employee records under US law?
It varies by record type and jurisdiction. EEOC regulations require most employment records to be retained for one year from creation or the date of a personnel action, whichever is later. The FLSA requires payroll records to be kept for three years. ERISA imposes a six-year retention period for plan records. State employment laws may require longer. A compliant schedule maps each record category to the longest applicable requirement.
What happens if a company deletes data it was required to retain?
The consequences depend on context. In litigation, destroying records after a hold should have been issued can result in spoliation sanctions: adverse inference instructions, exclusion of evidence, or monetary penalties. In a regulatory context, premature destruction can constitute obstruction. Under HIPAA, improper disposal carries separate civil penalties. The risk is not theoretical.
Does GDPR require companies to delete data, or retain it?
Both, depending on the situation. GDPR’s storage limitation principle requires that personal data not be kept longer than necessary for the original purpose. But other laws, including HIPAA, tax statutes, and financial regulations, may require retention of that same data for years. The tension between deletion obligations and retention mandates is one of the more practical compliance challenges for GCs with cross-border operations. Your retention schedule needs to resolve that conflict explicitly, not ignore it.
What is a litigation hold and how does it interact with a retention policy?
A litigation hold is a directive to preserve potentially relevant information when litigation is reasonably anticipated. It overrides your retention schedule, meaning data that would otherwise be deleted must be preserved. The hold must be communicated clearly to custodians, and the preservation must be verified. In-house teams that automate deletion without integrating litigation hold triggers into that automation create significant eDiscovery exposure.
When should a GC involve outside counsel for data retention issues?
Outside support is warranted when your retention obligations span multiple jurisdictions with conflicting requirements, when you are building a retention program from scratch after rapid growth or an acquisition, or when a regulatory inquiry puts your existing practices under scrutiny. Specialist compliance outsourcing is often more cost-effective than general outside counsel for this kind of structured, ongoing work.