Who in my organization is responsible for deciding how long we keep personal data?
Deciding how long an organization keeps personal data is rarely the job of a single person. In practice it is a shared responsibility, with different roles contributing the legal requirements, the business judgment, and the formal sign-off. The result is captured in a records retention schedule — the authoritative document that says what records (including those containing personal data) are kept, for how long, and how they are disposed of.
Who typically holds the pieces
- Records or information governance manager. Usually owns the retention schedule itself — drafting it, maintaining it, and coordinating input from other functions. This is often the day-to-day “decider” who turns requirements into specific retention periods.
- Legal counsel. Identifies the laws, regulations, and contractual obligations that set minimum (and sometimes maximum) retention periods, and places or releases legal holds that override normal disposal.
- Privacy officer or data protection lead. Applies privacy principles such as data minimization and storage limitation — the idea that personal data should not be kept longer than necessary for its purpose.
- Business and program owners. Provide the operational reason a record exists and how long it has business value.
- IT or security. Implements retention and deletion in the systems where the data actually lives.
Who is ultimately accountable
The decision belongs to the function, but accountability sits with senior leadership. A records management program is typically established under executive authority and a governing policy, and that policy is what gives the retention schedule its force. So while a records manager may set the period and legal may validate it, the organization’s leadership formally approves and stands behind the schedule.
How to find out in your organization
Start by asking three questions: Do we have a records retention schedule? Who is named as its owner or approver? Is there a privacy or data protection officer? If a designated role exists, that person can tell you the retention period for a specific category of personal data and the legal basis behind it. If no schedule exists, that gap is itself the finding — and a reason to establish clear ownership.
For more on managing personal information responsibly, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Who in my organization is responsible for deciding how long we keep personal data?. Records Management University. https://www.recordsmgmt.org/questions/who-decides-how-long-to-keep-personal-data/
MLA
RM University Editorial. "Who in my organization is responsible for deciding how long we keep personal data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-decides-how-long-to-keep-personal-data/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?