
Retention Policy

A retention policy defines how long specific data types are stored and when they must be deleted or archived. It is derived from statutory retention obligations (e.g. commercial or tax law), contractual requirements, and the GDPR storage-limitation principle. For each data category, you define a retention period and a deletion procedure. In an ISMS, the retention policy is documented as a control and reviewed regularly to confirm it is still current. Automated deletion workflows reduce the risk of data being stored longer than permitted.