data-retention-policy
GitHub构建基于法律依据的数据保留与删除计划。用于创建保留策略、设定保留期、规划数据最小化或删除,回答数据留存时长问题。输出包含类别、期限、依据及删除触发机制的表格,并标记无依据或无期限的风险项。
触发场景
安装
npx skills add mohitagw15856/pm-claude-skills --skill data-retention-policy -g -y
SKILL.md
Frontmatter
{
"name": "data-retention-policy",
"description": "Build a data retention and deletion schedule grounded in legal basis. Use when asked to create a data retention policy, set retention periods, plan data deletion\/minimisation, or answer 'how long can we keep this data?'. Produces a retention schedule — data categories with their retention period, legal\/business basis, deletion trigger and method, plus flags for data kept with no basis or no defined period."
}
Data Retention Policy Skill
"Keep everything forever" is a liability, not a strategy — it grows breach exposure, violates data- minimisation rules (GDPR, CCPA), and turns every data subject request into an archaeology project. This skill builds a retention schedule that ties each data category to how long you keep it and why (legal basis), with a concrete deletion trigger — so retention is a defensible policy, not an accident.
Required Inputs
Ask for these only if they aren't already provided:
- Data categories — the kinds of data you hold (customer records, logs, financial, HR, marketing, backups).
- Legal/regulatory drivers — anything mandating minimum retention (tax/financial records, employment law) or maximum (GDPR minimisation, sector rules).
- Business need — why each category is genuinely needed and for how long.
- Where it lives — systems and backups (backups are the most-forgotten place data outlives its policy).
Output Format
Data Retention Schedule: [organisation]
1. Schedule — the core table, one row per data category:
| Data category | Retention period | Basis (legal/business) | Deletion trigger | Method | System(s) |
|---|---|---|---|---|---|
| Customer PII | 3y after account closure | Legitimate interest + GDPR minimisation | Account closed + 3y | Hard delete | App DB, backups |
| Financial records | 7y | Tax law (statutory minimum) | End of fiscal year + 7y | Archive then delete | Finance system |
2. Principles — the policy stance: minimise by default, the shortest period that satisfies the basis, and that retention applies to backups and logs too.
3. Deletion mechanics — how deletion actually happens (automated job vs. manual), how it cascades to backups, and how it's evidenced.
4. Flags — categories with no defined period or no legal/business basis (these are the risk — data you can't justify keeping).
Programmatic Helper
scripts/retention_schedule.py (stdlib only) validates a schedule and flags categories missing a
period or a basis, and (given a closure/event date) computes the earliest deletion date:
# data.json: [{"category":"Customer PII","retention_months":36,"basis":"GDPR minimisation","event_date":"2024-01-15"}, ...]
python3 scripts/retention_schedule.py data.json
python3 scripts/retention_schedule.py data.json --json
Quality Checks
- Every category has both a retention period and a documented basis
- Periods default to the shortest that satisfies the legal/business need (minimisation), not "indefinite"
- Backups and logs are covered, not just the primary store
- Each category has a concrete deletion trigger and method, not just a duration
- Statutory minimums (tax, employment) and maximums (minimisation) are both respected
Anti-Patterns
- Do not set retention to "indefinite" or leave it blank — undefined retention is the highest-risk, least-defensible state
- Do not forget backups — data deleted from production that lives on in backups is still data you hold
- Do not keep data with no legal or business basis — if you can't justify it, deleting it lowers risk for free
- Do not set a blanket period for all data — tax records and marketing emails have very different drivers
- Do not present statutory periods as advice — flag where legal/compliance must confirm the minimums
Based On
Data-minimisation practice — GDPR Art. 5(1)(e) storage limitation, sector retention statutes, and defensible-deletion principles.
版本历史
- a38bc30 当前 2026-07-05 11:12


