P4.2 SOC 2

SOC 2 P4.2: Privacy - Retention of Personal Information

What This Control Requires

The entity retains personal information consistent with the entity's objectives related to privacy. Personal information is retained for no longer than necessary to fulfill the stated purposes, unless otherwise required by law or regulation.

In Plain Language

Every piece of personal data sitting in your systems is a liability. The longer you keep it, the larger your breach surface and the harder your compliance obligations become. Auditors want to see that you are not hoarding data "just in case." In practice, you need defined retention periods for every category of personal information, automated enforcement of those periods, and regular purging of data that has outlived its purpose. This sounds straightforward, but the devil is in the details - personal data lives in production databases, backups, analytics systems, email inboxes, file shares, and third-party services. A retention policy that only covers your primary database misses the point. During a SOC 2 privacy audit, assessors check that retention periods exist and are documented, that they match what your privacy notice promises, that enforcement mechanisms actually work, and that data is genuinely being deleted or anonymised when the clock runs out. "We have a policy" without evidence of execution is a finding.

How to Implement

Define retention periods for every category of personal information. Factor in legal minimums (some regulations mandate how long you must keep certain records), contractual obligations, genuine business necessity, and the privacy principle of keeping data for the shortest useful period. Document the rationale for each period and get sign-off from legal and privacy stakeholders. Build a retention schedule that maps each data category to its retention period, the trigger that starts the clock (account closure, contract end, collection date), the disposal method, and who is responsible. Make this schedule accessible to all teams that handle personal data. Automate enforcement wherever possible. Configure your databases and applications to flag or delete records past their retention period. Use data lifecycle management tooling that works across multiple systems. For data that cannot be automatically purged, schedule regular manual reviews and assign clear ownership. Address every location where personal data lives. Production databases are the easy part. What about backups, staging environments, analytics warehouses, email archives, shared drives, and third-party SaaS tools? Map them all and extend your retention enforcement to each one. Backups are the most commonly overlooked. Consider anonymisation as an alternative to deletion. If historical data has analytical value, strip out personal identifiers instead of deleting entire records. But verify that the anonymised data cannot be re-identified by combining it with other data sources - pseudo-anonymisation is not the same as true anonymisation. Audit your own compliance regularly. Check that data past its retention period is actually being disposed of across all systems. Look for orphaned data in decommissioned systems, old backups, and forgotten third-party accounts. Document findings and fix gaps promptly.

Evidence Your Auditor Will Request

Retention schedule defining periods for each category of personal information with rationale
Automated retention enforcement configurations showing data lifecycle management
Evidence of regular data purging or anonymization for data exceeding retention periods
Retention compliance audit results showing enforcement across all data locations
Records of personal data disposal activities including method and verification

Common Mistakes

No defined retention periods for personal information, leading to indefinite retention
Retention periods are defined but not enforced through automated or manual processes
Personal data persists in backups, test environments, or third-party systems beyond retention periods
Retention periods are not communicated in the privacy notice or are inconsistent with stated periods
No retention compliance audits are conducted to verify data is being properly disposed of

Related Controls Across Frameworks

Framework	Control ID	Relationship
ISO 27001	A.5.34	Partial overlap
ISO 27001	A.8.10	Related

Frequently Asked Questions

How do we handle retention for data in backups?

Backups are typically governed by your backup retention policy rather than your data retention policy. Document in your retention policy that deleted data may persist in backups for the backup retention period (say, 90 days) after being removed from production. Keep backup retention periods reasonable and ensure old backups are eventually cycled out. Under GDPR, this approach is generally accepted as pragmatic and proportionate.

What retention period should we use when no specific regulation applies?

Base it on business necessity and data minimisation. Common sense defaults: keep active customer data for the duration of the relationship plus a short grace period (30 to 90 days), retain transactional data for two to three years for business and accounting purposes, and delete or anonymise anything without an ongoing legitimate purpose. If you cannot articulate why you still need specific data, you probably do not.

Should we delete data when a user closes their account?

In most cases, yes. Delete personal data that no longer serves a legitimate purpose. Keep what the law requires you to keep - financial records, tax data, anything with a regulatory mandate - for the legally required period. Anonymise anything needed for analytics. Communicate your deletion timeline clearly in your privacy notice and be prepared to honour deletion requests promptly. Most users expect their data to be gone when they close an account.

Track SOC 2 compliance in one place

AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.

Start Free Assessment