Every document has a useful life and a legal lifespan. Keep documents for too short a time and you violate retention obligations; keep them too long and you create privacy, storage, and discovery risks. A document retention policy is the framework that defines how long each type of document is kept, when it is destroyed, and who is accountable. This guide walks through how to design one for a PDF-heavy organization.
Why retention matters
The pull in both directions:
Reasons to keep documents:
- Legal requirements (tax records, employment records, regulatory filings)
- Business needs (customer history, knowledge base, audit trail)
- Litigation hold obligations
- Reference value
Reasons to dispose of documents:
- Privacy regulations (GDPR's storage limitation, similar in other jurisdictions)
- Storage and processing costs
- Litigation discovery exposure
- Cybersecurity risk
- Confusion from outdated information
A retention policy balances these.
What goes into a retention policy
A typical policy specifies:
- Document categories: invoices, contracts, employment records, marketing materials, etc.
- Retention period per category: 7 years, 3 years, indefinite, etc.
- Trigger event: what starts the clock (creation, contract end, employee departure)
- Disposal method: how the document is destroyed
- Litigation hold process: what suspends retention
- Exceptions and overrides
- Roles and responsibilities
- Audit and review cadence
The policy is documented in writing and applied through systems.
Typical retention periods
These vary by jurisdiction, but as rough guidance:
Tax records. 7 years (US, many countries). Some jurisdictions longer.
Financial records. 7 years for transaction-level; longer for some structured records.
Employment records. Active employment + 7 years post-departure. Pension/retirement records often longer.
Contracts. Contract term + 6-10 years post-expiration (statute of limitations).
Medical records. Patient lifetime + several years; specific to jurisdiction. In the US, often 10+ years.
Educational records. Often permanent for transcripts; specific retention for other records.
Marketing materials. 2-3 years typical.
Internal correspondence. 2-7 years depending on content.
Audit reports. Often permanent or 10+ years.
Compliance-related documents. Per specific regulation.
Consult legal counsel for your specific jurisdictions and industries.
Trigger events
Retention starts from:
- Document creation date: most common
- Last modification: for evolving documents
- Transaction close: for transactional records
- Contract expiration: for contracts
- Employee departure: for HR records
- Project completion: for project documents
- Regulatory event: for compliance records
The trigger determines when the retention clock starts; expiration is trigger + retention period.
Disposal methods
For digital documents:
- Soft delete: moved to trash, recoverable for a period
- Permanent delete: removed from active storage
- Crypto-shredding: encryption keys destroyed, rendering data unrecoverable
- Backup expiration: backup copies age out
For paper:
- Shredding: cross-cut for sensitive content
- Incineration: for highly sensitive content
- Bulk disposal: for low-sensitivity bulk records
Document the disposal in an audit log.
Litigation hold
Retention is suspended during litigation hold:
- Notice of litigation triggers the hold
- Hold preserves documents that might be relevant
- Communication to relevant employees about the hold
- Specific identification of documents covered
- End of hold when litigation resolves
A document on hold cannot be destroyed even if its normal retention period expired. Tools that manage this automate the override.
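As an added illustration (not part of the original guide and not any DMS product's code), the sketch below combines the expiry rule from the trigger section (trigger date + retention period) with the hold override described above, and records each decision in a hash-chained audit log so later edits are detectable. The `POLICY` table, the `Doc` fields and all function names are assumptions made for this example.

```python
import hashlib, json
from dataclasses import dataclass
from datetime import date

# Constructed policy table: category -> (retention years, trigger event).
POLICY = {"invoice": (7, "creation"), "marketing": (3, "creation"),
          "contract": (6, "contract_expiration")}

@dataclass
class Doc:
    doc_id: str
    category: str
    triggers: dict            # trigger event name -> date it occurred
    on_hold: bool = False     # set by the litigation hold process

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:        # 29 Feb start, non-leap target year
        return d.replace(year=d.year + years, day=28)

def evaluate(doc, today):     # -> (decision, reason); doubt means "retain"
    years, trigger = POLICY.get(doc.category, (None, None))
    start = doc.triggers.get(trigger)
    if start is None:         # unknown category or clock not started
        return "retain", f"no policy or trigger date for '{doc.category}'"
    expires = add_years(start, years)
    if doc.on_hold:           # hold wins even after normal expiry
        return "retain", f"litigation hold overrides expiry {expires}"
    decision = "dispose" if today >= expires else "retain"
    return decision, f"expiry date {expires}"

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def append_audit(log, doc, decision, reason, today):
    entry = {"doc": doc.doc_id, "decision": decision, "reason": reason,
             "date": today.isoformat(), "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = _digest(entry)   # chained to the previous entry's hash
    log.append(entry)

def verify_log(log):          # False if any entry was altered after writing
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

A contract whose `contract_expiration` trigger has not been recorded is retained because its clock has not started, which is the behaviour to check after a DMS migration that may have dropped retention metadata.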
Implementation
A retention policy is only useful if implemented:
At the document management system level:
- Set retention rules per document type
- Automate scheduled disposal
- Maintain immutable audit log
- Support litigation hold
Tools with native retention:
- M-Files
- OpenText
- SharePoint with retention labels (in Microsoft 365)
- Box with retention policies
- iManage
At the workflow level:
- Apply retention metadata when documents are created
- Reapply when document context changes
- Surface upcoming disposal for review
At the user level:
- Training on policy
- Clear file naming conventions
- Tagged storage locations
Categories specific to PDFs
PDFs in retention systems are typically categorized by content type, not file format. But the file format affects how retention is applied:
- PDFs are easy to retain long-term; see PDF/A archival format explained and how to archive PDFs long-term
- PDFs accumulate metadata that may need stripping over time
- Signed PDFs have integrity guarantees that retention preserves
- Encrypted PDFs may need re-encryption with rotating keys for long retention
For browser-based metadata stripping and other operations during retention review, Docento.app handles the common tasks.
Privacy and minimum retention
GDPR's storage limitation principle: keep no longer than necessary. This sometimes conflicts with "retain for 7 years for tax":
- Tax law typically wins over GDPR for the tax records themselves
- But unnecessary data in those records should still be minimized
- Anonymization can sometimes preserve analytical value while satisfying privacy
See GDPR and PDF documents and how to anonymize PDF documents.
Audit and review
A retention policy needs maintenance:
- Annual review: laws change and policies evolve
- Quarterly audit of compliance
- Spot checks of actual disposal vs policy
- Reporting to management on retention metrics
Without these, policies drift from reality.
Common gotchas
Backup retention. "Deleted" documents may persist in backups. Backup retention is often misaligned with primary retention. Reconcile the two.
Cloud and third-party storage. Documents in cloud services may have their own retention rules. Verify alignment.
Email and chat. PDFs sent via email or chat may live indefinitely in mail archives. Apply retention there too.
Personal copies. Employees may save PDFs to personal devices or accounts. Hard to enforce retention.
Migrated systems. When moving to a new DMS, retention metadata may not transfer cleanly. Audit post-migration.
Litigation hold blind spots. Some employees may not know about a hold. Train and document.
Over-retention. The "just in case" instinct keeps everything forever. Education matters.
Under-retention. Aggressive disposal destroys evidence that is needed later. Get legal input on minimums.
Jurisdictional differences. Multinational organizations face different retention requirements per country. Map carefully.
Industry-specific rules. Healthcare, financial services, defense each have specific retention obligations.
Specific industry retention
Healthcare. Patient records often 7-10 years post-treatment, longer for minors, sometimes permanent. State and federal rules apply. See HIPAA-compliant PDF handling.
Financial services. SEC, FINRA, FFIEC, and other regulators have specific rules. Often 5-7 years for trade records, longer for some.
Education. Student records (FERPA) have specific retention. Transcripts often permanent.
Government. Records retention is often permanent or very long; archived in national archives.
Energy and utilities. Asset records, safety records, environmental records often long-term or permanent.
Manufacturing. Product records may need to be retained for product liability statute of limitations.
Practical recipe: building a policy
For an organization without a current policy:
- Inventory document types
- Research legal retention requirements per type and jurisdiction
- Consult counsel for unique categories
- Draft policy specifying period, trigger, disposal method per category
- Get approval from legal, compliance, IT, business
- Configure DMS to enforce
- Train workforce on policy
- Audit quarterly
- Review and update annually
Initial development takes 3-6 months; ongoing maintenance is lighter.
Specific PDF retention guidance
For typical PDF categories:
- Invoices (received): 7 years (US tax requirement)
- Contracts: Term + 6-10 years post-expiration
- Employment offer letters: Active employment + 7 years
- Performance reviews: Active + several years
- Customer-facing receipts: 7 years if used for tax
- Marketing PDFs: 2-3 years
- Internal policy documents: Per version + several years
- Project documents: Project completion + 5-10 years
- Audit reports: Often permanent
- Board minutes: Often permanent
These are starting points; adjust per your jurisdiction and industry.
Takeaway
Document retention policies balance legal obligation, business need, and privacy/cybersecurity risk. The policy is only useful if implemented in your document management system and followed by your workforce. PDFs are particularly suited to long retention via PDF/A, but their metadata and signatures need ongoing attention. For browser-based PDF operations during retention review, Docento.app handles common tasks. For related topics, see PDF/A archival format explained, how to archive PDFs long-term, and GDPR and PDF documents.