A data retention policy is the documented set of rules that defines how long an organisation keeps each category of personal data and what happens at the end of that period — deletion, anonymisation, or archival. It is how organisations meet the GDPR Article 5(1)(e) storage limitation principle: personal data can't be kept longer than necessary for the purpose for which it was collected. A working policy covers each category separately: customer records, employee data, financial records tied to tax law, marketing data, and consent logs (CNIL benchmarks ~5–6 years for proof of consent). The common failure isn't writing the policy — it's enforcing it across legacy systems, backups, and third-party processors, where data often outlives the retention period defined on paper.