HIPAA requires 6 years. SOX requires 7 years. PCI DSS requires 12 months with 3 months immediately available. GDPR does not prescribe a fixed period.
## Retention Summary
| Regulation | Minimum Retention | Immediately Available |
|---|---|---|
| HIPAA | 6 years | Not specified |
| SOX | 7 years | Not specified |
| PCI DSS | 12 months | 3 months |
| GDPR | Organization-defined | Not specified |
## Penalties for Non-Compliance
- HIPAA: Annual caps exceeding $2M per violation category
- PCI DSS: $5,000-$100,000/month from payment brands
- SOX: Up to $5M fine and 20 years imprisonment for willful record destruction
- GDPR: Up to 4% of global annual turnover or EUR 20 million
## Building a Single Policy
For organizations subject to multiple frameworks, adopt the most conservative requirement on each dimension. For an organization under both HIPAA and SOX, 7 years is the floor. Implement immutable log storage with the most recent 3 months instantly queryable to satisfy PCI DSS.
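The "most conservative requirement" rule, as an added example (not from the original post): it merges the retention floors from the table above into one policy and audits a proposed storage tiering against it. The storage-config shape (`hot_months`, `cold_months`, `object_lock`) is a hypothetical one chosen for the example.

```python
# Minimum retention and "immediately available" windows from the post, in months.
# GDPR prescribes no fixed period, so it contributes no floor (None).
FRAMEWORKS = {
    "HIPAA":   {"retain_months": 72,   "hot_months": 0},
    "SOX":     {"retain_months": 84,   "hot_months": 0},
    "PCI DSS": {"retain_months": 12,   "hot_months": 3},
    "GDPR":    {"retain_months": None, "hot_months": 0},
}


def combined_policy(applicable):
    """Most conservative requirement across every framework the org is subject to.

    retain_months is None when no applicable framework sets a floor
    (i.e. the period is organization-defined, as under GDPR alone).
    """
    unknown = set(applicable) - FRAMEWORKS.keys()
    if unknown:
        raise ValueError(f"unknown framework(s): {sorted(unknown)}")
    floors = [FRAMEWORKS[f]["retain_months"] for f in applicable
              if FRAMEWORKS[f]["retain_months"] is not None]
    return {
        "retain_months": max(floors) if floors else None,
        "hot_months": max(FRAMEWORKS[f]["hot_months"] for f in applicable),
        "immutable": True,  # the post recommends immutable log storage in every case
    }


def audit_storage_config(policy, config):
    """Compare a proposed tiering (hypothetical shape, see lead-in) against the policy.

    Returns a list of findings; an empty list means the config satisfies the policy.
    """
    findings = []
    hot = config.get("hot_months", 0)
    total = hot + config.get("cold_months", 0)
    if policy["retain_months"] is not None and total < policy["retain_months"]:
        findings.append(f"total retention {total} mo is below required "
                        f"{policy['retain_months']} mo")
    if hot < policy["hot_months"]:
        findings.append(f"only {hot} mo immediately queryable; "
                        f"{policy['hot_months']} mo required")
    if policy["immutable"] and not config.get("object_lock", False):
        findings.append("log storage is not immutable; enable write-once/object lock")
    return findings


if __name__ == "__main__":
    policy = combined_policy(["HIPAA", "SOX", "PCI DSS"])
    # Constructed sample config: 1 month hot, 71 months cold, no object lock.
    for finding in audit_storage_config(policy, {"hot_months": 1, "cold_months": 71}):
        print("FINDING:", finding)
```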
Originally published at claudiasop.com