How Long to Keep Data? How to Delete It? Cloud Compliance Retention and Defensible Disposal

Last year, a client faced a compliance audit. The auditor asked: “You have user logs from three years ago. Your retention policy says logs should be deleted after three years. Why are they still here?”
The client’s answer: “We don’t have an automated deletion process. We’re afraid of deleting the wrong data.”
They weren’t keeping the data because they needed it. They were keeping it because they didn’t know how to delete it safely. They received a formal finding.
This is the compliance dilemma that too many organisations face: keeping data is a cost; being unable to delete it is a risk; not knowing how to prove deletion is a liability.
Today, let’s talk about data retention and defensible disposal in the cloud. Not the “data is important” fluff, but a practical guide: how long to keep data, how to delete it, and how to prove that you deleted it.
01 Retention Period: Longer Is Not Safer
Many people assume keeping data forever is harmless. That’s a dangerous misconception.
Keeping data beyond its required retention period is a compliance risk. Auditors will ask: “Why haven’t you deleted it?”
Storing data costs money – not just for storage, but also for protection, encryption, and access controls.
Data volume grows, and so does your monthly bill.
Common retention requirements:

| Regulation / scenario | Retention period | Notes |
|---|---|---|
| MLPS 2.0 (China) | ≥6 months | Log retention |
| GDPR | As needed | Delete when no longer necessary |
| Financial services | 5‑7 years | Transaction records, contracts |
| Healthcare | 5‑10 years | Patient records, images |
| E‑commerce orders | 2‑3 years | Customer disputes, warranty |

That client’s policy said “logs deleted after 3 years.” But they had no automated deletion. Manual deletion felt risky, so they kept everything. The auditor’s question was unanswerable.
02 How to Set Retention Periods – Three Inputs
Retention periods aren’t chosen by engineers in isolation. They come from three sources.
Regulatory requirements: MLPS, GDPR, industry‑specific rules. These set the floor. You cannot keep data for less than this.
Business needs: How far back does customer support need to see orders? How long does finance need for audits? This sets the actual required period.
Cost‑benefit trade‑off: Longer retention costs more. Keep critical data longer; keep non‑critical data shorter.
That client revised their policy: orders kept for 3 years (customer disputes), logs kept for 6 months (MLPS requirement). After the retention period, data was automatically moved to cold archive and then deleted.
03 Defensible Disposal: More Than Pressing Delete
Compliant deletion isn’t just “remove the pointer.” It has three requirements:
Irreversible: Data cannot be recovered. A normal delete often just marks space as free; the underlying data may still be readable.
Provable: You must be able to prove to an auditor that the data was deleted, when, and who authorised it.
No residual copies: All copies must be deleted – backups, replicas, cross‑region copies, snapshots.
Deletion methods in the cloud:
Logical deletion: Mark data as deleted, but the bits remain. Suitable for non‑sensitive data where recovery might be needed.
Cryptographic deletion: Delete the encryption key. The encrypted data becomes unreadable. Fast and auditable. Good for sensitive data.
Physical destruction: The cloud provider destroys the physical media (degaussing, shredding). You don’t perform this yourself, but you can request a certificate of destruction.
That client enabled S3 Object Lock to prevent deletion during the retention period. After the retention period, a lifecycle policy automatically deleted the objects. Every deletion was logged in CloudTrail. Monthly deletion reports were exported and archived.
04 Proving Deletion: The Evidence You Must Keep
Auditors don’t just ask “did you delete it?” They ask “show me the proof.”
What evidence to keep:
Deletion logs: Who deleted what, and when (CloudTrail, audit logs)
Authorisation records: Approval from the data owner or compliance team (ticket system)
Certificate of destruction: For physical media, a statement from the cloud provider
Compliance reports: Regular exports of deletion activity
Tools:
AWS CloudTrail for API call logs
AWS Config for resource configuration history
S3 Object Lock for retention enforcement
Ticketing systems (ServiceNow, Jira) for approval trails
After the audit finding, that client implemented a deletion workflow: a ticket was raised, approved by the data owner, and the deletion was executed by an automated process. Every step was logged. The next audit passed without issue.
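The reconciliation behind that workflow, as an added example that is not the client's or AWS's code: it keeps only successful S3 `DeleteObject` calls from CloudTrail data events, matches each one to an approval, and hashes the resulting report so the archived copy can be verified later. The events and approvals are constructed samples; the approval export format and the name `deletion_report` are assumptions.

```python
import hashlib
import json

# Constructed CloudTrail-style S3 data events (sample values, not real log data).
BOT = "arn:aws:sts::111122223333:assumed-role/retention-bot/run-42"
SAMPLE_EVENTS = [
    {"eventID": "e-001", "eventTime": "2024-03-01T02:00:05Z", "eventName": "DeleteObject",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"arn": BOT},
     "requestParameters": {"bucketName": "example-logs", "key": "2023/08/app.log.gz"}},
    {"eventID": "e-002", "eventTime": "2024-03-01T02:00:06Z", "eventName": "DeleteObject",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"arn": BOT}, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-logs", "key": "2023/08/db.log.gz"}},
    {"eventID": "e-003", "eventTime": "2024-03-02T09:15:00Z", "eventName": "DeleteObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-logs", "key": "2023/09/app.log.gz"}},
    {"eventID": "e-004", "eventTime": "2024-03-02T09:16:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"arn": BOT},
     "requestParameters": {"bucketName": "example-logs", "key": "2023/09/app.log.gz"}},
]
# Constructed export from the ticket system: which prefix each approval covers.
APPROVALS = [{"ticket": "DATA-101", "approver": "data-owner@example.com",
              "bucket": "example-logs", "prefix": "2023/08/",
              "approved_at": "2024-02-27T10:00:00Z"}]

def deletion_report(events, approvals):
    """Return deletion evidence rows, the unapproved subset, and a digest of the rows."""
    rows = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "DeleteObject":
            continue
        if "errorCode" in ev:  # failed or denied call: nothing was deleted
            continue
        params = ev.get("requestParameters") or {}
        bucket, key = params.get("bucketName"), params.get("key", "")
        # Same-format ISO-8601 UTC timestamps order correctly as plain strings.
        match = next((a for a in approvals if a["bucket"] == bucket
                      and key.startswith(a["prefix"])
                      and a["approved_at"] <= ev["eventTime"]), None)
        rows.append({"event_id": ev["eventID"], "when": ev["eventTime"],
                     "who": ev.get("userIdentity", {}).get("arn"),
                     "object": f"s3://{bucket}/{key}",
                     "ticket": match["ticket"] if match else None})
    rows.sort(key=lambda r: (r["when"], r["event_id"]))
    digest = hashlib.sha256(json.dumps(rows, sort_keys=True).encode()).hexdigest()
    return {"rows": rows, "unapproved": [r for r in rows if r["ticket"] is None],
            "sha256": digest}
```

CloudTrail records object-level calls such as `DeleteObject` only when S3 data events are enabled on the trail, so turn those on before relying on this report.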
05 Automate Retention and Deletion with Lifecycle Policies
Relying on humans to remember deletion dates is a recipe for failure. Automate it.
Object storage (S3 / OSS) lifecycle policies:
30 days after creation → move to Infrequent Access
180 days → move to Archive / Glacier
365 days → delete permanently
Database partitioning:
Partition by date. Old partitions can be detached, archived, and dropped automatically.
Log services:
Set a retention period. The service automatically deletes logs after that period.
That client used S3 lifecycle policies: logs were automatically deleted after 6 months. No human intervention. Every deletion was logged. The compliance team exported the deletion report monthly.
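The 30 / 180 / 365-day schedule above as an S3 lifecycle rule, with a check for the residual copies a bare expiration leaves behind. This is an added example, not the client's configuration: the rule follows the shape of the S3 lifecycle configuration API, while `build_rule`, `audit_rule`, `WEAK_RULE`, the `logs/` prefix and the 1-day and 7-day cleanup values are assumptions.

```python
def build_rule(prefix, ia_days=30, archive_days=180, delete_days=365):
    """Lifecycle rule for the schedule in the text, plus cleanup of residual copies."""
    return {
        "ID": f"retention-{prefix.strip('/') or 'all'}",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": ia_days, "StorageClass": "STANDARD_IA"},
                        {"Days": archive_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": delete_days},
        # On a versioned bucket (required for Object Lock) expiration only adds a
        # delete marker; the data is removed when the noncurrent version expires.
        "NoncurrentVersionExpiration": {"NoncurrentDays": 1},   # assumed value
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},  # assumed value
    }

# Weak rule for comparison (constructed): expires current versions only.
WEAK_RULE = {"ID": "logs-expire", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
             "Expiration": {"Days": 365}}

def audit_rule(rule, versioned=True):
    """Return the reasons a rule would not dispose of data completely and on schedule."""
    findings = []
    if rule.get("Status") != "Enabled":
        findings.append("rule is not enabled")
    exp = rule.get("Expiration", {}).get("Days")
    if exp is None:
        findings.append("no expiration: objects are kept forever")
    days = [t["Days"] for t in rule.get("Transitions", [])]
    if days != sorted(days) or (exp is not None and days and days[-1] >= exp):
        findings.append("transitions must be in order and precede expiration")
    if versioned and "NoncurrentVersionExpiration" not in rule:
        findings.append("noncurrent versions are never removed")
    if "AbortIncompleteMultipartUpload" not in rule:
        findings.append("incomplete multipart uploads are never removed")
    return findings

if __name__ == "__main__":
    print("weak rule:", audit_rule(WEAK_RULE))
    print("full rule:", audit_rule(build_rule("logs/")))
```

A rule built this way is applied by passing `{"Rules": [build_rule("logs/")]}` as the bucket's lifecycle configuration. Expirations carried out by a lifecycle rule are recorded in S3 server access logs, so enable those on the bucket if the monthly deletion report must cover them.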
06 A Real Story: The Certificate of Destruction That Saved an Audit
A financial client was required to retain transaction data for 7 years, then destroy it. They used S3 Object Lock to enforce retention. After 7 years, the objects were automatically deleted.
But the auditor asked for proof of destruction – not just logs that a delete API was called, but evidence that the data could not be recovered.
AWS provides a “certificate of destruction” as part of its compliance reports. The client downloaded the report, which confirmed that the underlying storage media had been physically destroyed after the retention period. The auditor accepted it.
The data owner said: “We used to be afraid of deletion. Now we’re not. It’s automated, logged, and provable.”
The Bottom Line
Data retention and deletion is not a technical problem. It’s a governance problem.
That client’s data owner later said: “I used to think keeping data was safest. Now I know – keeping data past its expiration is a risk. Deleting it without proof is as good as not deleting it.”
Your data – how long are you keeping it? Have you deleted what’s expired? Can you prove it? If you can’t answer, start today.