← Back to principles
Data
Data lifecycle management.
Statement
Data should be managed deliberately from creation through to archival and deletion
What this means in practice
Every data set has a defined lifecycle that governs how it moves from creation through active use, archival, and eventual deletion. Retention policies are explicit and aligned with legal, regulatory, and contractual obligations. Not all data needs to reside in high-performance storage indefinitely; lifecycle rules determine when data is tiered to cheaper storage, archived, or purged. These decisions are made intentionally, not left to accumulation by default.
Why this matters
Unmanaged data growth increases storage costs, expands the attack surface, and complicates compliance. Retaining data beyond its useful life or regulatory requirement creates unnecessary risk. Conversely, premature deletion can breach legal obligations or destroy business value. Deliberate lifecycle management balances performance, risk, and cost whilst ensuring the organisation meets its obligations.
Practices that meet this principle
Define retention policies for each data set based on business need, legal requirements, and regulatory obligations
Implement automated tiering or archival processes that move data to appropriate storage as it ages
Schedule and automate data purging in line with retention policies
Maintain a register of retention rules that is reviewed periodically alongside legal and compliance teams
Include lifecycle considerations in solution design and architecture reviews
Monitor storage consumption and flag data sets that have exceeded their defined retention period
Validation
A project meets this principle when:
Retention policies are documented for every data set with clear timelines and rationale
Automated processes exist for archival and deletion in line with those policies
OR:
No data set exists without a defined lifecycle plan