ElyForma

Data Retention Policy Guide

Data Retention Policy Guide South Africa

A data retention policy is a document that explains how long an organisation keeps personal information, business records, employee records, customer data, website data, and other information before it is deleted, destroyed, archived, or de-identified. In South Africa, this is closely linked to POPIA, because section 14 says records of personal information must not be kept longer than necessary for the purpose for which they were collected or later processed, unless a lawful exception applies.

This guide explains what a data retention policy is, when to use one in South Africa, what POPIA requires, and what a practical South African retention policy should usually cover.

What is a data retention policy?

A data retention policy is an internal or public-facing governance document that sets rules for how long different categories of information are kept and what happens to those records when the retention period ends.

A good South African data retention policy usually covers:

  • what categories of data the organisation holds
  • why the data is held
  • how long each category is kept
  • what legal or contractual rule justifies retention
  • who is responsible for retention decisions
  • when data must be deleted, destroyed, restricted, or de-identified
  • how archived or backup data is handled

The policy should not just say “we keep data as long as necessary.” It should set real operational rules.

Why a data retention policy matters in South Africa

A data retention policy matters because POPIA does not allow organisations to keep personal information indefinitely just because it might be useful later. Section 14 of POPIA says records of personal information must not be retained any longer than necessary for the purpose for which the information was collected or later processed, unless one of the listed exceptions applies.

Those exceptions include situations where retention is:

  • required or authorised by law
  • reasonably required for a lawful purpose related to the organisation’s functions or activities
  • required by a contract
  • consented to by the data subject or a competent person where the data subject is a child

A retention policy helps a South African business or organisation show that it is managing records deliberately instead of keeping everything forever without a lawful reason.

POPIA and retention of records

Section 14 of POPIA is the main retention rule. It says personal information must not be kept longer than necessary unless one of the legal exceptions applies. It also says that once the organisation is no longer authorised to keep the record, it must destroy or delete it, or de-identify it, as soon as reasonably practicable.

That means a South African data retention policy should usually deal with two separate questions:

1. Why are we still allowed to keep this data?

The organisation must have a lawful reason for continued retention.

2. What do we do when that reason ends?

The data should then be deleted, destroyed, or de-identified as soon as reasonably practicable.

When to use a data retention policy

A South African data retention policy is useful for almost any organisation that processes personal information, including:

  • companies
  • ecommerce businesses
  • SaaS platforms
  • schools
  • nonprofits
  • healthcare-adjacent businesses
  • employers
  • recruitment firms
  • agencies
  • financial service providers
  • professional practices

It is especially important where the organisation holds:

  • employee records
  • customer records
  • ID numbers
  • financial data
  • marketing databases
  • website analytics data
  • support tickets
  • contracts
  • compliance records
  • special personal information

When not to rely on a generic policy

A generic retention policy is usually not enough if:

  • the organisation is in a regulated sector with specific retention laws
  • different laws require different minimum retention periods
  • the business has cross-border data flows
  • the organisation processes children’s data or special personal information
  • the policy does not match actual systems and practices
  • the business has never mapped what records it really keeps

In those cases, a more detailed South African retention schedule is usually needed.

What POPIA allows you to retain for longer

POPIA does not force immediate deletion of all information once a transaction ends. Section 14 allows continued retention where:

  • another law requires or authorises retention
  • the organisation reasonably needs the record for a lawful purpose related to its activities
  • a contract requires retention
  • the data subject has consented
  • the record is kept for historical, statistical, or research purposes with appropriate safeguards against use for other purposes

This is one reason a South African data retention policy should not use one single retention period for everything. Different datasets may have different legal and operational reasons for being kept.

Destruction, deletion, and de-identification

POPIA section 14 also says that once the organisation is no longer authorised to retain the information, it must destroy or delete the record, or de-identify it, as soon as reasonably practicable. The Information Regulator’s procedures document repeats this point directly. Section 14 further requires that destruction or deletion be done in a manner that prevents the record from being reconstructed in an intelligible form, so marking a record inactive, moving it to an archive folder, or leaving a copy in a backup is not disposal.

That means a retention policy should explain:

  • when deletion happens
  • when secure destruction happens
  • when de-identification may be used instead
  • who approves disposal
  • how disposal is recorded

A strong policy does not only state retention periods. It also explains end-of-life handling of the data.

Key sections in a South African data retention policy

A practical South African data retention policy should usually include the following.

Purpose of the policy

Explain that the policy exists to support lawful retention, POPIA compliance, operational discipline, and proper disposal of records.

Scope

State which records and systems the policy applies to, such as digital records, hard copy files, archived records, backups, HR records, customer records, and website data.

Roles and responsibilities

Identify who is responsible for retention decisions, such as the Information Officer, privacy lead, management, HR, finance, or IT.

The Information Regulator states that public and private bodies are required to register their Information Officers under section 55 of POPIA.

Retention rules by category

This is the most useful part of the policy. It should list the categories of records and how long each is retained.

Examples may include:

  • employee records
  • recruitment records
  • payroll records
  • contracts
  • invoices and tax records
  • customer account records
  • marketing data
  • support tickets
  • complaints
  • CCTV footage
  • website analytics data
  • consent records

Legal and contractual basis

Where applicable, explain whether the retention is required by law, contract, legitimate operational need, or consent.

Disposal process

State how records are deleted, destroyed, or de-identified when retention ends.

Exceptions and litigation holds

Explain what happens if records must be kept longer because of disputes, investigations, audits, litigation, or regulatory review.
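The retention schedule, disposal rules, and litigation holds described in the sections above are easier to keep aligned with actual systems when the schedule is machine-readable and applied by a script rather than read by hand. The following Python example is an added illustration and is not code from ElyForma or from the original guide. The categories, retention periods, disposal choices, hold lists, and record dates in it are constructed placeholders, not statutory periods or legal advice; the point is the decision order (hold first, then loss of basis, then expiry of the period) and the fact that a record with no rule is flagged for review instead of being silently kept.

```python
"""Apply a category-based retention schedule to a record inventory.

Added illustration, not part of the original guide. Every category,
period, and record below is a constructed example, not a statutory period.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    RETAIN = "retain"            # still within a justified retention period
    HOLD = "hold"                # dispute, audit or litigation hold overrides the schedule
    DELETE = "delete"            # destroy or delete once retention is no longer authorised
    DE_IDENTIFY = "de-identify"  # keep the record but strip identifiers instead of deleting
    REVIEW = "review"            # no rule covers this record, so no stated basis to keep it


@dataclass(frozen=True)
class Rule:
    category: str
    retain_for: timedelta   # counted from the record's trigger date
    basis: str              # "law", "contract", "operational" or "consent"
    end_of_life: Action     # Action.DELETE or Action.DE_IDENTIFY


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date      # e.g. invoice date, ticket closed, employment ended
    consent_withdrawn: bool = False


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: Action
    reason: str


def decide(record, rules, held_record_ids, held_categories, today):
    """Decide one record: holds win, then a lost basis, then the retention period."""
    if record.record_id in held_record_ids or record.category in held_categories:
        return Decision(record.record_id, Action.HOLD, "legal hold in place")
    rule = rules.get(record.category)
    if rule is None:
        return Decision(record.record_id, Action.REVIEW,
                        "no retention rule for category " + record.category)
    if rule.basis == "consent" and record.consent_withdrawn:
        # Consent was the only basis, so authorisation to retain has already ended.
        return Decision(record.record_id, rule.end_of_life, "consent withdrawn; no other basis")
    expiry = record.trigger_date + rule.retain_for
    if today >= expiry:
        return Decision(record.record_id, rule.end_of_life,
                        f"{rule.basis} retention period ended {expiry}")
    return Decision(record.record_id, Action.RETAIN, f"{rule.basis} retention until {expiry}")


def run_schedule(records, rules, held_record_ids=frozenset(), held_categories=frozenset(), today=None):
    today = today or date.today()
    return [decide(r, rules, held_record_ids, held_categories, today) for r in records]


# Constructed sample schedule; the periods are placeholders, not statutory periods.
SAMPLE_RULES = {r.category: r for r in [
    Rule("tax_record", timedelta(days=5 * 365), "law", Action.DELETE),
    Rule("support_ticket", timedelta(days=365), "operational", Action.DE_IDENTIFY),
    Rule("marketing_profile", timedelta(days=2 * 365), "consent", Action.DELETE),
]}

# Constructed sample inventory. "cctv_footage" deliberately has no rule.
SAMPLE_RECORDS = [
    Record("inv-001", "tax_record", date(2019, 3, 1)),
    Record("inv-002", "tax_record", date(2023, 6, 1)),
    Record("tkt-010", "support_ticket", date(2023, 1, 15)),
    Record("mkt-500", "marketing_profile", date(2024, 1, 1), consent_withdrawn=True),
    Record("cctv-7", "cctv_footage", date(2024, 5, 1)),
]


def sample_actions():
    """Run the sample schedule as at a fixed date with one record under hold."""
    decisions = run_schedule(SAMPLE_RECORDS, SAMPLE_RULES,
                             held_record_ids={"inv-002"}, today=date(2025, 1, 1))
    return {d.record_id: d.action.value for d in decisions}


if __name__ == "__main__":
    for d in run_schedule(SAMPLE_RECORDS, SAMPLE_RULES,
                          held_record_ids={"inv-002"}, today=date(2025, 1, 1)):
        print(f"{d.record_id:10} {d.action.value:12} {d.reason}")
```

Run as at 1 January 2025, the sample produces a deletion for the expired tax record, a hold for the record under dispute, de-identification for the closed support ticket, immediate deletion for the marketing profile whose consent was withdrawn, and a review flag for the CCTV footage that no rule covers. Each decision carries the basis and date it relied on, which is the record of the disposal decision that the policy's disposal section asks for.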

Examples of South African retention categories

A South African organisation may keep different types of records for different reasons. For example:

  • HR and payroll records may need to be kept because of labour, tax, or payroll rules
  • tax and accounting records may need to be kept because of tax law
  • contract records may need to be kept for contractual and dispute purposes
  • customer support records may only need short or medium-term retention
  • marketing consent records may need to be kept to prove permission or objection handling
  • archived analytics or website logs may need different handling from active customer data

The exact periods depend on the laws and business context that apply, so the policy should be tailored instead of copied blindly.

Data subject requests and deletion

POPIA section 24 allows a data subject to request correction, deletion, or destruction of certain personal information in some circumstances, including where the responsible party is no longer authorised to retain it in terms of section 14. POPIA also says the responsible party must respond as soon as reasonably practicable.

That means a South African retention policy should fit together with the organisation’s process for handling data subject requests, not operate separately from it.

Common mistakes

Common South African data retention mistakes include:

  • keeping personal information indefinitely “just in case”
  • using one retention rule for all categories of data
  • failing to identify the legal reason for extended retention
  • having no deletion or destruction process
  • keeping backups forever without review
  • not recording consent where retention relies on consent
  • failing to align HR, finance, IT, and legal retention practices
  • having a privacy policy that promises deletion but no real internal process
  • not assigning ownership of the retention programme
  • forgetting that POPIA requires deletion, destruction, or de-identification once retention is no longer authorised

Practical questions before drafting a retention policy

Before creating a South African data retention policy, ask:

  • What personal information do we actually hold?
  • Why do we still need each category?
  • Is there a law or contract requiring retention?
  • Are we relying on consent anywhere?
  • Who approves deletion or destruction?
  • What happens to archived, legacy, and backup data?
  • How will we handle data subject deletion requests?
  • Has our Information Officer been designated and registered where required?

Example of when this guide is useful

This guide is useful for:

  • a South African company building a POPIA compliance programme
  • an employer reviewing HR record retention
  • an ecommerce business deciding how long to keep customer records
  • a SaaS company creating a deletion and archiving framework
  • an organisation updating its privacy, consent, and record-management documents

FAQ

What is a data retention policy in South Africa?

It is a policy that sets rules for how long different categories of personal information and records are kept and when they must be deleted, destroyed, or de-identified.

What does POPIA say about retention?

POPIA section 14 says personal information must not be kept longer than necessary for the purpose for which it was collected or later processed, unless a listed exception applies.

When can a South African business keep data longer?

POPIA allows longer retention where it is required or authorised by law, reasonably required for a lawful purpose, required by contract, consented to, or retained for historical, statistical, or research purposes with safeguards.

What must happen when retention is no longer allowed?

The organisation must destroy or delete the record, or de-identify it, as soon as reasonably practicable.

Does a data retention policy have to be public?

Not always. Many retention policies are internal governance documents, although parts of the organisation’s retention approach may also be described in a privacy policy.

Does POPIA require an Information Officer?

Yes. The Information Regulator states that public and private bodies are required to register their Information Officers under section 55 of POPIA.

Related guides

You may also want to read:

  • Privacy Policy Template
  • Cookie Policy Guide
  • Data Processing Consent Form Guide
  • GDPR Data Processing Agreement
  • Confidentiality Agreement Guide
  • Terms and Conditions Template
  • Consent Form
  • Service Agreement

A strong South African data retention policy should identify what data is held, state why it is still being kept, set category-based retention rules, and provide a real process for deletion, destruction, or de-identification once retention is no longer justified.