What is the purpose of a data retention policy?

A data retention policy defines how long different types of data must be kept and when they must be destroyed. Retention periods are driven by legal and regulatory requirements, business needs, and contractual obligations. Keeping data longer than necessary increases storage costs, breach exposure, and legal discovery obligations. Destroying data too soon can violate retention regulations and destroy evidence needed for litigation. The policy must address all data formats including electronic files, emails, backups, and paper records.