
What does control A.1.4.8 require?

The organisation shall not retain PII for longer than is necessary for the purposes for which the PII is processed.

This control sits within the PII minimization objective (A.1.4) and addresses the time dimension of data minimisation. While A.1.4.2 Limit Collection limits what you collect and A.1.4.3 Limit Processing limits what you do with it, A.1.4.8 limits how long you keep it. Together, these controls form a complete minimisation framework.

What does the implementation guidance say?

Annex B (section B.1.4.8) provides the following guidance:

  • Define retention periods — For each category of PII, define retention periods based on the processing purpose and any applicable legal requirements (such as tax record retention, employment law or sector-specific regulations)
  • Implement retention schedules — Create and maintain formal retention schedules that specify the retention period, the trigger event (e.g. end of contract, end of service) and the action to be taken at expiry (deletion or de-identification)
  • Review stored PII periodically — Regularly review stored PII against retention schedules to identify data that should have been disposed of or is approaching its retention limit
  • Communicate retention periods — Inform PII principals of the retention periods for their data, typically through privacy notices, supporting the transparency requirements of A.1.3.3 Information for PII Principals

Retention management is not a one-time exercise. It requires ongoing governance to ensure that schedules are followed, exceptions are justified and new categories of PII are brought into scope as processing activities evolve.

How does this map to GDPR?

Control A.1.4.8 maps primarily to the GDPR storage limitation principle in Article 5(1)(e), which requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. The transparency provisions then carry the requirement to communicate retention periods to individuals:

  • Article 13(2)(a) — Requires the controller to inform data subjects about the period for which personal data will be stored, or the criteria used to determine that period, at the time of collection
  • Article 14(2)(a) — The same requirement for data obtained indirectly (not from the data subject)

In practice this means the retention schedule and the privacy notice must agree: an auditor mapping A.1.4.8 to GDPR will compare the periods or criteria stated in the notice against the periods actually applied in the schedule.

How does this relate to ISO 29100 privacy principles?

This control directly supports the ISO 29100 principle of Use, retention and disclosure limitation, which requires that PII be retained only as long as necessary to fulfil the stated purposes. The principle also requires that retention periods be defined based on the applicable purpose and communicated to PII principals.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

What evidence do auditors expect?

When assessing compliance with A.1.4.8, auditors will typically look for:

  • Retention schedule — A formal document listing each category of PII, its defined retention period, the trigger event, the legal basis for the period (if applicable) and the disposal action
  • Review records — Evidence of periodic reviews of stored PII against the retention schedule, with documented outcomes and any corrective actions
  • Disposal evidence — Records showing that PII has been disposed of when its retention period expired, linking to A.1.4.9 disposal procedures
  • Exception register — Documentation of any PII retained beyond its scheduled period, with justification (e.g. legal hold, ongoing dispute, regulatory investigation)
  • Privacy notice content — Evidence that retention periods or criteria are communicated to PII principals through privacy notices
  • System configurations — Technical settings that enforce or support retention periods (auto-archival, auto-deletion, expiry flags)

What are the related controls?

  • A.1.4.6 De-identification and deletion — Defines what happens to PII when the retention period expires
  • A.1.4.9 Disposal — Provides the secure disposal methods used at the end of retention
  • A.1.4.7 Temporary files — Temporary files have their own short retention requirements
  • A.1.4.5 PII minimization objectives — Retention schedules implement the time dimension of minimisation objectives
  • A.1.2.2 Identify and document purpose — Retention periods are derived from documented processing purposes
  • A.1.3.3 Determining information for PII principals — Retention periods must be communicated to individuals

What changed from ISO 27701:2019?

In the 2019 edition, retention was addressed under Clause 7.4.7 (retention). The 2025 control carries the same core requirement. The restructured Annex A/B format separates the control statement from the implementation guidance more clearly. The guidance now places greater emphasis on communicating retention periods to PII principals, reinforcing the link between retention management and transparency obligations. See the Annex F correspondence table for the full mapping.

Why choose ISMS.online for managing PII retention?

ISMS.online makes retention management practical, consistent and audit-ready:

  • Retention schedule builder — Create formal retention schedules with categories, periods, trigger events, legal bases and disposal actions, all in a structured, searchable format
  • Automated expiry alerts — Receive notifications when PII approaches or reaches its retention limit, reducing the risk of over-retention
  • Review cycle management — Schedule periodic retention reviews with task assignments, completion tracking and documented outcomes
  • Exception management — Document and track retention exceptions (legal holds, regulatory requirements) with approval workflows and time-limited extensions
  • Privacy notice integration — Link retention periods to your privacy notices so that changes to retention schedules can be reflected in communications to PII principals
  • Disposal chain — Connect retention schedules to disposal procedures under A.1.4.9 Disposal, creating an end-to-end lifecycle trail

FAQs

How do you determine the right retention period for each category of PII?

Start with the processing purpose: how long is the PII genuinely needed to fulfil that purpose? Then check for legal or regulatory retention requirements that may mandate a minimum period (e.g. tax records, employment records, financial records). The retention period should be the longer of the purpose-based period and the legal minimum, but no longer than that. Where no legal requirement exists, the purpose-based period alone should apply. Document the rationale for each retention period.


What triggers the start of a retention period?

The trigger depends on the processing context. Common triggers include: end of the customer relationship, completion of a transaction, expiry of a contract, termination of employment, last interaction with the individual or the date the PII was collected. The trigger should be clearly defined in the retention schedule so that the expiry date can be calculated without ambiguity.


Can retention periods differ for the same PII used for different purposes?

Yes. The same PII field may have different retention periods depending on the purpose. For example, a customer’s email address might be retained for 12 months after the end of the customer relationship for service follow-up, but for 6 years for financial record-keeping purposes. The longest applicable period governs when the PII can be deleted, but processing for each purpose should cease when that purpose’s retention period expires.
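The following Python example is added here to show how the pieces above fit together in code; it is not from the page, from ISO 27701 or from ISMS.online. It encodes a retention schedule as purpose-specific rules with a trigger event and period (the guidance in B.1.4.8), computes each purpose's own expiry so processing can cease per purpose while the longest period governs disposal (the FAQ answer above), treats a legal hold as a time-limited exception (the exception register auditors ask for), and produces a periodic review report. The schedule, record layout, status names, the 90-day warning window and all sample dates are assumptions constructed for the example.

```python
"""Retention-schedule evaluator: per-purpose expiry, governing disposal date,
legal-hold exceptions and a periodic review report.
Illustrative example; schedule format, status names and sample data are assumed,
not taken from ISO 27701 or from any product."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    purpose: str                # processing purpose the period is derived from
    trigger: str                # event that starts the clock, e.g. "end_of_relationship"
    months: int                 # retention period after the trigger
    action: str = "delete"      # disposal action at expiry: "delete" or "de-identify"
    legal_basis: str | None = None  # set when a legal minimum dictates the period


@dataclass
class PiiRecord:
    record_id: str
    category: str
    triggers: dict[str, date] = field(default_factory=dict)  # fired trigger -> date
    legal_hold_until: date | None = None  # exception register entry, if any


@dataclass
class Assessment:
    record_id: str
    status: str                 # retain | approaching | on_hold | overdue
    disposal_due: date | None   # governing (latest) expiry; None if clock not started
    action: str | None          # disposal action of the governing rule
    purposes: dict[str, str]    # per-purpose state, for "cease processing" checks


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clips to the last day of a short month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def evaluate(record: PiiRecord, schedule: dict[str, list[RetentionRule]],
             today: date, warn_days: int = 90) -> Assessment:
    purposes: dict[str, str] = {}
    expiries: list[tuple[date, RetentionRule]] = []
    clock_pending = False
    for rule in schedule[record.category]:
        fired = record.triggers.get(rule.trigger)
        if fired is None:
            # Trigger has not happened, so this purpose's retention clock has not started.
            purposes[rule.purpose] = "active (trigger not fired)"
            clock_pending = True
            continue
        expiry = add_months(fired, rule.months)
        expiries.append((expiry, rule))
        # Processing for a purpose stops at that purpose's own expiry even when a
        # longer period for another purpose keeps the data on file.
        purposes[rule.purpose] = ("active" if today <= expiry
                                  else f"expired {expiry.isoformat()}: cease processing")
    if clock_pending:
        return Assessment(record.record_id, "retain", None, None, purposes)
    disposal_due, governing = max(expiries, key=lambda e: e[0])
    if today <= disposal_due:
        near = (disposal_due - today).days <= warn_days
        status = "approaching" if near else "retain"
    elif record.legal_hold_until is not None and today <= record.legal_hold_until:
        status = "on_hold"   # justified exception; must be time-limited and reviewed
    else:
        status = "overdue"   # past due with no live hold: an over-retention finding
    return Assessment(record.record_id, status, disposal_due, governing.action, purposes)


def review(records, schedule, today: date) -> dict[str, list[str]]:
    """Periodic review: group record ids by status so findings can be actioned."""
    report: dict[str, list[str]] = {}
    for rec in records:
        report.setdefault(evaluate(rec, schedule, today).status, []).append(rec.record_id)
    return report


# Constructed sample schedule and records (assumed, not real data).
SAMPLE_SCHEDULE = {
    "customer_email": [
        RetentionRule("service_followup", "end_of_relationship", 12, "de-identify"),
        RetentionRule("financial_records", "end_of_relationship", 72, "delete",
                      legal_basis="statutory accounting retention (assumed)"),
    ],
}
AS_OF = date(2026, 3, 1)
SAMPLE_RECORDS = [
    PiiRecord("A", "customer_email", {"end_of_relationship": date(2024, 1, 15)}),
    PiiRecord("B", "customer_email", {"end_of_relationship": date(2019, 12, 31)}),
    PiiRecord("C", "customer_email", {"end_of_relationship": date(2019, 12, 31)},
              legal_hold_until=date(2026, 6, 30)),
    PiiRecord("D", "customer_email"),                       # relationship still active
    PiiRecord("E", "customer_email", {"end_of_relationship": date(2020, 4, 30)}),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        a = evaluate(rec, SAMPLE_SCHEDULE, AS_OF)
        print(a.record_id, a.status, a.disposal_due, a.action, a.purposes)
    print(review(SAMPLE_RECORDS, SAMPLE_SCHEDULE, AS_OF))
```

Run as a script, the review groups A and D as retain (A's follow-up purpose has already expired, so processing for it must stop while the six-year financial period keeps the address on file), B as overdue, C as on hold until its stated date, and E as approaching its disposal date. The per-purpose states in `purposes` are what a review would check against the "cease processing" requirement; the `disposal_due` date and `action` are what the disposal evidence under A.1.4.9 should reference.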



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.