Event scope
SCOPEName the decisions, approvals, tool calls, data access events, configuration changes, and administrative actions covered by the policy.
Policy template / v1.1
A working policy template for event scope, retention periods, legal holds, integrity checks, access control, verified deletion, and evidence exports.
General information and a drafting aid. Legal, privacy, and records-management review remains required.
Control record / retention
Retention register
Sample entries
* Illustrative period. Replace it with a documented requirement and approved purpose.
Integrity / access / disposal / export
Regulatory baseline
The template separates the minimum baseline from the longer periods that may come from sector rules, contracts, disputes, or an approved operational purpose.
EU AI Act
Articles 19(1) and 26(6)
Providers and deployers keep automatically generated logs under their control for a period appropriate to the system’s intended purpose, with a minimum of six months unless applicable Union or national law provides otherwise.
GDPR
Article 5(1)(e)
Personal data remains identifiable only for as long as the processing purpose requires. The schedule should document necessity, minimization, deletion, and any valid exception.
Your context
Sector / country / contract
Sector rules, national law, contractual commitments, investigations, and legal holds can change the applicable period. The retention register captures the exact source, owner, trigger, and review date for each decision.
Seven years appears only as an editable example. Every selected period needs a documented legal, regulatory, contractual, or operational basis.
Policy coverage
Each section closes a gap that reviewers commonly find between a written retention statement and the systems expected to enforce it.
Name the decisions, approvals, tool calls, data access events, configuration changes, and administrative actions covered by the policy.
Define when each period starts: event time, case closure, incident closure, contract end, or release of a legal hold.
Record the selected period beside its legal, regulatory, contractual, or approved operational basis.
Specify who can suspend deletion, how the affected scope is identified, and what releases the hold.
Define the deletion method, approval path, retry behavior, and the evidence produced after disposal.
Document append-only storage, integrity checks, access controls, export contents, and independent verification steps.
Working register
This example shows the level of specificity the downloadable template asks for. Replace every sample period and basis with your approved requirements.
| Event class | Clock starts | Period | Basis | Disposal evidence |
|---|---|---|---|---|
| High-risk AI system logs | Event recorded | At least 6 months | EU AI Act Articles 19(1) and 26(6) | Deletion run and exception report |
| Decisions and approvals | Decision closed | 7 years - example | Named sectoral, contractual, or internal requirement | Approved deletion report |
| Tool calls and data access | Process run closed | 24 months - example | Incident analysis and accountability purpose | Deletion manifest |
| Operational telemetry | Metric captured | 90 days - example | Service operations purpose | Scheduled job report |
| Records under legal hold | Hold issued | Until release | Approved hold notice | Release approval and disposal report |
Illustrative schedule only. The six-month entry reflects the EU AI Act baseline for relevant high-risk AI system logs. Other periods require context-specific review.
Inside the file
Sixteen policy sections, a starter retention register, a control test record, and approval fields. The file stays readable in source control and exports cleanly into your document system.
## 5) Retention register
| Event class | Clock starts | Period | Basis |
| --- | --- | --- | --- |
| Decision records | Decision closed | [period] | [source] |
| Tool calls | Process run closed | [period] | [purpose] |
For each row, record:
- System owner and data owner
- Personal data fields and minimization controls
- Legal hold behavior
- Deletion method and verification record
- Review date and approving roles
## 10) Legal holds
- Hold authority: [role]
- Scope identification method: [query / case IDs]
- Release approval: [roles]
- Evidence retained: [notice / actions / release / disposal]Implementation
A signed document establishes the decision. A tested hold, deletion, and export shows that the control operates as written.
Inventory systems, event classes, data fields, owners, storage locations, and downstream copies. Identify which records contain personal or sensitive data.
Set the retention trigger and period for each class. Attach the exact source or approved purpose, then route privacy, legal, security, and system-owner review.
Implement deletion schedules, legal holds, access boundaries, integrity verification, failure alerts, and vendor obligations.
Run a sample hold, release, deletion, and export. Retain the approvals, job reports, exception records, manifest, checksums, and verification result.
KLA evidence flow
KLA connects the approved retention decision to runtime records, control checks, and a verifiable export for reviewers.
Version, owner, scope, schedule, and exceptions
Access, hold, deletion, and export actions
Integrity checks, failed jobs, and remediation
Manifest, checksums, records, and verification result
Questions
Use these answers to frame the first review with legal, privacy, security, records management, and system owners.
For relevant high-risk AI systems, EU AI Act Articles 19(1) and 26(6) set a minimum of six months for automatically generated logs under the provider or deployer’s control, unless applicable Union or national law provides otherwise. Your final period must also account for privacy, sector, national, contractual, and legal hold requirements.
That unauthorized changes are detectable. Common approaches include append-only storage, hash chaining, and periodic integrity verification with retained reports.
Keep enough context to explain the decision and verify the control. Apply data minimization, redaction, hashing, or controlled references where full content would create unnecessary privacy or security risk.
Define a retention override that prevents deletion for specified scopes, and ensure all hold actions are logged and approved.
A scoped bundle of relevant records, the approved policy and configuration, a manifest, checksums, access and export history, and clear instructions for independent integrity verification.
Seven years is an editable example in this template. Use it only when a documented legal, regulatory, contractual, or approved operational basis supports that period.
Continue the dossier
These companion resources cover export contents, execution evidence, and the human decisions that sit beside the retention schedule.
Editable policy / v1.1
Download the complete Markdown template, assign the owners, and review the first schedule against your actual systems and obligations.