What should we do when two departments have conflicting retention schedules for the same personal data?
When two departments assign different retention periods to the same personal data, the conflict is usually a sign that the record series, its legal basis, or its ownership has not been clearly defined. The goal is not to pick the more convenient schedule, but to determine which period the organization is actually obligated to follow.
Start with the legal and regulatory floor
Retention conflicts are resolved by hierarchy, not by negotiation. Work through the requirements in order:
- Statutory and regulatory mandates come first. If a law or rule sets a minimum retention period for that data, no department may delete it sooner.
- Litigation or audit holds override any schedule. If the data is under a preservation obligation, retention is suspended until the hold lifts.
- Approved organizational schedules apply where the law is silent.
When two valid requirements both apply to the same data, the longest applicable retention period generally controls, because meeting the longer period also satisfies the shorter one.
Identify the authoritative record copy
Often the “conflict” exists because each department treats its own working file as the record. Determine which copy is the official record and which are convenience or reference copies. Reference copies can frequently be disposed of on a shorter cycle once the authoritative copy is preserved, which dissolves much of the apparent conflict.
Balance retention against privacy obligations
Personal data carries a competing pressure: privacy principles favor keeping it only as long as necessary. Holding personal data longer than required increases exposure and may conflict with data minimization expectations. So the resolution must satisfy the binding retention floor while avoiding indefinite retention “just in case.” Document the specific legal or business reason for the period you select.
Decide, document, and reconcile the schedule
Convene the affected departments with records management and, where relevant, legal and privacy officers. Agree on a single retention rule for that data series, update the retention schedule so both departments reference the same authority, and record the rationale for future audits. A single, documented schedule prevents the conflict from recurring.
For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). What should we do when two departments have conflicting retention schedules for the same personal data?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-conflicting-retention-schedules-for-same-personal-data/
MLA
RM University Editorial. "What should we do when two departments have conflicting retention schedules for the same personal data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-conflicting-retention-schedules-for-same-personal-data/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?