← Back to principles

Data

Data lifecycle management.

Statement

Data should be managed deliberately from creation through to archival and deletion

What this means in practice

Every data set has a defined lifecycle that governs how it moves from creation through active use, archival, and eventual deletion. Retention policies are explicit and aligned with legal, regulatory, and contractual obligations. Not all data needs to reside in high-performance storage indefinitely; lifecycle rules determine when data is tiered to cheaper storage, archived, or purged. These decisions are made intentionally, not left to accumulation by default.

Why this matters

Unmanaged data growth increases storage costs, expands the attack surface, and complicates compliance. Retaining data beyond its useful life or regulatory requirement creates unnecessary risk. Conversely, premature deletion can breach legal obligations or destroy business value. Deliberate lifecycle management balances performance, risk, and cost whilst ensuring the organisation meets its obligations.

Practices that meet this principle

  • Define retention policies for each data set based on business need, legal requirements, and regulatory obligations

  • Implement automated tiering or archival processes that move data to appropriate storage as it ages

  • Schedule and automate data purging in line with retention policies

  • Maintain a register of retention rules that is reviewed periodically alongside legal and compliance teams

  • Include lifecycle considerations in solution design and architecture reviews

  • Monitor storage consumption and flag data sets that have exceeded their defined retention period

Validation

A project meets this principle when:

  • Retention policies are documented for every data set with clear timelines and rationale

  • Automated processes exist for archival and deletion in line with those policies

  • OR:

  • No data set exists without a defined lifecycle plan