What should we do if we find personal data kept years past its retention period during an inventory?
Finding personal data kept long past its retention period is common during an inventory, and it is a meaningful risk: data that no longer serves a business or legal purpose still carries privacy, security, and discovery exposure. The goal is to resolve it deliberately, not to delete on the spot.
Stop, document, and confirm the record
Do not immediately destroy anything. First, capture what you found: the system or location, the type of personal data, the volume, who owns it, and the retention rule that appears to apply. Confirm which records schedule and retention period actually govern the data. What looks “overdue” may be subject to a different category, a longer legal requirement, or an obligation you have not yet identified.
Check for any hold or active obligation
Before disposition, verify there is no legal hold, audit, investigation, open request, or pending litigation that requires preservation. A litigation hold or similar duty overrides routine destruction. Also confirm no statutory or regulatory minimum still applies. Disposing of data that should have been kept can be as serious as keeping data too long.
Authorize disposition through normal channels
If the data is genuinely past its approved retention and no hold applies, dispose of it using your organization’s documented disposition process, with the required approvals and a destruction log. For personal data, ensure the method is secure and irreversible (for example, certified shredding for paper or sanitization for electronic media), and that backups and copies are addressed, not just the primary system.
Treat it as a signal, not a one-off
Over-retention usually points to a process gap. Note whether the schedule was unclear, disposition never ran, or ownership was undefined. Feeding these findings back into your retention schedule and routine disposition workflow is how you uphold data minimization and keep the problem from recurring.
Escalate when sensitivity is high
If the data is especially sensitive (such as Social Security numbers, health, or financial records) or if you suspect it may have been improperly accessed, involve your privacy officer, legal, and security teams promptly. Frameworks like the NIST Privacy Framework treat minimizing unnecessary data as a core safeguard.
For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). What should we do if we find personal data kept years past its retention period during an inventory?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-found-pii-past-retention-period-during-inventory/
MLA
RM University Editorial. "What should we do if we find personal data kept years past its retention period during an inventory?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-found-pii-past-retention-period-during-inventory/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?