Records management director
Compliance officer
Data governance manager
IT operations lead
Legal counsel
Privacy officer
This process is used on a periodic basis — typically annually or semi-annually — to review stored data against the organization’s retention schedule and determine appropriate disposition. It applies when retention periods vary by data type, regulatory jurisdiction, and business requirement, and when legal holds or preservation obligations must be checked before any data is deleted. It is common when records management, legal, compliance, IT, and business unit data custodians must coordinate to review, approve, and execute retention decisions. Ideal for financial services firms, healthcare organizations, legal practices, and any enterprise managing significant data volumes under regulatory retention requirements.
The data retention review process typically involves records management staff who administer the retention schedule and coordinate the review, legal counsel who identifies active litigation holds and preservation obligations, compliance officers who ensure retention decisions meet regulatory requirements, IT operations who execute archival and deletion actions, and business unit data custodians who confirm whether data has ongoing business need beyond the retention period.
Reduced data storage costs by identifying and disposing of data that has exceeded its retention period and has no ongoing legal or business need. Regulatory compliance through documented retention decisions that demonstrate adherence to applicable data retention and privacy requirements. Litigation hold compliance because every retention review checks for active holds before any data is approved for deletion. Clear disposition records documenting what was reviewed, what was retained, what was deleted, and the rationale for each decision. Reduced data breach risk by minimizing the volume of data stored beyond its required retention period.
Your version of this process may vary based on roles, systems, data, and approval paths. Moxo’s flow builder can be configured with AI agents, conditional branching, dynamic data references, and sophisticated logic to match how your organization runs this workflow. The steps below illustrate one example.
Retention review initiation and scope definition
The process begins when the retention review cycle is triggered, typically by the records management calendar. The scope of the review is defined by data type, system, business unit, or regulatory category. An AI Agent can assist by generating the review inventory from the records management system, identifying data that has reached or exceeded its retention period.
Litigation hold and preservation check
Before any disposition decisions are made, legal counsel reviews the data inventory against active litigation holds, regulatory investigations, and preservation obligations. Data subject to any hold is flagged and excluded from deletion regardless of the retention period. An AI Agent may cross-reference the data inventory against the active hold register.
Business unit review and confirmation
Business unit data custodians review the data in their area that has been identified as eligible for disposition. Custodians confirm whether the data has any ongoing business need that requires extended retention, or whether it can proceed to archival or deletion.
Disposition decision and approval
Based on the legal hold check and business unit review, the records management team recommends a disposition for each data set: retain, archive, or delete. Disposition decisions are reviewed and approved by the appropriate authority — records management, compliance, or legal depending on the data sensitivity and regulatory context.
Execution and verification
IT operations executes the approved disposition actions — archiving data to long-term storage or securely deleting data per organizational standards. Execution is verified to confirm that the actions were completed as approved.
Documentation and reporting
The complete retention review record is preserved, including the review scope, litigation hold check, business unit confirmations, disposition decisions, approvals, and execution verification. Retention review results are reported to compliance and governance leadership.
This process commonly relies on inputs such as the retention schedule, data inventory, litigation hold register, regulatory retention requirements, and business unit data custodian confirmations. It may be triggered by the periodic retention review calendar or a regulatory or legal event. Connected systems often include records management systems, data governance platforms like Collibra or Alation, legal hold management tools, and IT infrastructure for archival and deletion execution.
Key decision points include which data has exceeded its retention period and is eligible for disposition, whether any data subject to disposition is covered by an active litigation hold or preservation obligation, whether business units have ongoing needs that justify extended retention beyond the scheduled period, and whether disposition actions have been executed and verified as approved.
Retention reviews not conducted on schedule, allowing data to accumulate well beyond retention periods and increasing storage costs and risk. Litigation holds not checked before disposition, resulting in deletion of data subject to preservation obligations. Business units not engaged in the review, leading to disposition of data that has ongoing operational need or to indefinite retention of data that should be deleted. Disposition decisions not documented, making it impossible to demonstrate compliance with retention policy during an audit or regulatory inquiry. Deletion not verified, leaving data that was approved for deletion still present in systems.
Orchestrates the periodic data retention review across records management, legal, compliance, IT, and business units in a single coordinated flow that keeps every review on schedule.
AI Agents generate the review inventory from connected records management systems, identifying data that has reached its retention threshold.
Checks litigation holds within the workflow by cross-referencing the data inventory against the active hold register before any disposition decisions are made.
Engages business unit custodians within the workflow for confirmation of ongoing data needs, keeping responses tracked and documented.
Tracks disposition execution and verification within the workflow so IT actions are confirmed against the approved decisions.
Preserves the complete retention review record including scope, hold checks, custodian confirmations, disposition decisions, execution verification, and reporting for compliance and audit.
