RET-005 critical Legal Compliance

Legal retention requirements respected

Compliance requirements documented; legal hold mechanism prevents deletion of legally-required data; purge respects holds

Question to ask

"Could deleting data today violate a legal hold?"

Verification guide

Severity: Critical

Some data must be retained for legal, regulatory, or compliance reasons (GDPR, HIPAA, SOX, tax laws). The purge process must respect these requirements - certain records should not be deletable even after the normal retention period.

Check automatically:

  1. Look for legal hold flags in the schema:
     # Legal hold columns (the trailing "." makes the search root explicit so it also works with non-GNU grep)
     grep -rE "legal_hold|legalHold|do_not_delete|doNotDelete|retention_required|retentionRequired|compliance_hold" --include="*.prisma" --include="*.ts" --include="*.sql" . 2>/dev/null
  2. Look for retention policy documentation:
     # Documentation mentioning retention/compliance
     find . -type f \( -name "*.md" -o -name "*.txt" \) -exec grep -liE "retention|compliance|gdpr|hipaa|sox|legal.*hold|data.*retention" {} \; 2>/dev/null

     # Specific policy files
     ls -la docs/*retention* docs/*compliance* docs/*privacy* RETENTION* COMPLIANCE* 2>/dev/null
  3. Check for compliance-aware purge logic:
     # Purge logic that checks legal holds
     grep -rE "legal_hold|compliance|retention.*check|can.*delete|deletable" --include="*.ts" src/ 2>/dev/null

     # Skip logic in cleanup jobs
     grep -rE "skip.*legal|exclude.*hold|where.*legal_hold.*false" --include="*.ts" src/ 2>/dev/null
  4. Check for data retention configuration per data type:
     # Different retention periods for different data types
     grep -rE "retention.*user|retention.*order|retention.*transaction|retention.*\{" --include="*.ts" --include="*.yml" . 2>/dev/null

Ask user:

  • "What compliance requirements affect your data retention?" (GDPR, HIPAA, SOX, PCI-DSS, tax laws, industry-specific)
  • "Which data types have legally mandated retention periods?"
  • "Do you have a written data retention policy?"
  • "How do you handle legal holds (litigation, audits)?"

Common retention requirements (for reference):

  • Tax records: Often 7 years
  • Financial transactions: Varies by jurisdiction (5-10 years)
  • Healthcare (HIPAA): 6 years from creation or last effective date
  • SOX compliance: 7 years for audit records
  • GDPR: Minimize retention, delete when no longer necessary
  • Legal holds: Indefinite during litigation

Cross-reference with:

  • GDPR-001 (right to be forgotten - tension with retention requirements)
  • RET-004 (purge must check legal holds first)

Pass criteria:

  • Compliance requirements identified and documented
  • Legal hold mechanism exists (flag to prevent deletion)
  • Retention periods defined per data type where legally required
  • Purge process checks legal holds before deleting
  • Written retention policy exists
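What a purge routine that satisfies the last two pass criteria looks like, as an added example (not code from the checklist or any audited project): per-type retention periods, a legal hold that always wins, fail-closed handling of types with no policy, and a re-check of the hold at delete time. The `legalHold` column, the `RETENTION_DAYS` values and the sample records are all constructed for illustration.

```typescript
interface StoredRecord {
  id: string;
  type: string;          // e.g. "transaction", "user", "session"
  createdAt: Date;
  legalHold: boolean;    // assumed schema column, e.g. legal_hold
}

// Assumed per-type minimum retention in days (constructed values, not legal advice).
const RETENTION_DAYS: Readonly<Record<string, number>> = {
  session: 30,
  user: 365,
  transaction: 7 * 365,
};

interface PurgePlan {
  purge: string[];      // ids safe to delete
  held: string[];       // ids protected by a legal hold
  retained: string[];   // ids still inside their retention period
  unknown: string[];    // ids whose type has no policy: never purged
}

function planPurge(records: StoredRecord[], now: Date): PurgePlan {
  const plan: PurgePlan = { purge: [], held: [], retained: [], unknown: [] };
  for (const r of records) {
    if (r.legalHold) { plan.held.push(r.id); continue; }           // hold always wins
    const days = RETENTION_DAYS[r.type];
    if (days === undefined) { plan.unknown.push(r.id); continue; } // fail closed
    const ageDays = (now.getTime() - r.createdAt.getTime()) / 86_400_000;
    (ageDays >= days ? plan.purge : plan.retained).push(r.id);
  }
  return plan;
}

// Re-check the hold at delete time: a hold placed after planning must still be respected.
function executePurge(plan: PurgePlan, lookup: (id: string) => StoredRecord | undefined,
                      del: (id: string) => void): string[] {
  const deleted: string[] = [];
  for (const id of plan.purge) {
    const current = lookup(id);
    if (!current || current.legalHold) continue;
    del(id);
    deleted.push(id);
  }
  return deleted;
}

// Constructed sample data for a stand-alone run.
const SAMPLE: StoredRecord[] = [
  { id: "txn-1", type: "transaction", createdAt: new Date("2015-01-01"), legalHold: false },
  { id: "txn-2", type: "transaction", createdAt: new Date("2015-01-01"), legalHold: true },
  { id: "txn-3", type: "transaction", createdAt: new Date("2022-01-01"), legalHold: false },
  { id: "sess-1", type: "session", createdAt: new Date("2023-12-15"), legalHold: false },
  { id: "x-1", type: "telemetry", createdAt: new Date("2010-01-01"), legalHold: false },
];
const NOW = new Date("2024-01-01");
```

Running `planPurge(SAMPLE, NOW)` yields only `txn-1` as deletable; the held, too-recent and unconfigured records are reported separately so an audit can see why each was kept.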

Fail criteria:

  • No awareness of compliance requirements
  • No mechanism to prevent deletion of legally-required data
  • Purge process ignores legal requirements
  • No documented retention policy

Evidence to capture:

  • Compliance requirements identified (GDPR, HIPAA, etc.)
  • Legal hold mechanism (schema column, flag, or process)
  • Retention periods per data type
  • Retention policy document location
  • How purge respects legal holds

Section: 24. Data Retention (Data Management)