What is a retention schedule and who enforces it?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A retention schedule is a document that spells out how long different categories of data should be kept before deletion or anonymization. It's the operational heart of your data retention policy: where the policy says "we keep things as long as necessary," the schedule says "subscriber data: 3 years after last interaction. Consent records: 6 years. Suppression records: indefinitely."

For email marketing, a basic retention schedule might cover:

  • Active subscriber data: kept while subscribed and actively engaging
  • Inactive subscriber data: a sunset policy kicks in after X months of no opens/clicks
  • Consent records: kept for the relationship period plus 3-6 years post-unsubscribe for legal defense
  • Suppression records: kept indefinitely or for the statute of limitations in relevant jurisdictions
  • Campaign analytics: often kept longer if anonymized, shorter if tied to identifiable individuals

Who enforces it? Internally, no one will if you don't assign it. Most organizations designate a data protection officer (required under GDPR for certain organizations), a privacy officer, or at minimum a specific team that's accountable. The schedule only works if someone is running the deletion or archiving processes on the defined timescales. whether that's automated deletion rules in your ESP, a quarterly data audit, or a CRM cleanup script.

Externally, enforcement is by regulators. Data Protection Authorities under GDPR, CRTC under CASL, FTC under CAN-SPAM. They don't audit your retention schedule proactively, but if a complaint or investigation surfaces, your schedule (and evidence that you followed it) will be asked for.

For what to include in the policy behind the schedule, see why you need a retention policy. For the specific periods for consent records, see how long to keep consent evidence.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me build a data retention schedule

I want to create a retention schedule for my email program's data. I send to regions. My data categories include [subscriber data, consent records, campaign analytics, suppression lists]. Help me figure out the right retention period for each and who should be responsible for enforcement.

Edit the yellow boxes, then send to the AI of your choice.