Data Retention Policy in Nigeria for DMS Governance
Most DMS projects in Nigerian organisations follow a predictable sequence: a platform is selected, files are migrated, permissions are configured, and the system goes live. The retention policy rarely features in that early conversation. It surfaces later, usually during an audit, a legal dispute, or a storage cost review. By then, the DMS will already be carrying records for which nobody has a plan.
A retention policy is not governance documentation you produce after a DMS is running. It is part of the specification against which the system is built.
What a Data Retention Policy Is and What It Governs
A data retention policy is a formal document that specifies what records an organisation must keep, for how long, in what format, and what happens when the retention period ends. It is distinct from two documents that organisations sometimes conflate with it.
A privacy policy governs how personal data is collected, used, and disclosed. A document management policy governs how documents are handled day-to-day: naming conventions, version control, and access permissions. A retention policy governs the lifecycle of records from creation through to controlled disposal. That is a different function entirely.
Not every document becomes a formal record, and not every record carries the same retention obligations. A working draft is not the same as a signed contract; an internal email thread is not the same as a board resolution.
That distinction matters because retention governance is driven by records management requirements, not by the volume of files an organisation produces. The boundary between records and documents, and why it shapes how a DMS must be structured, is covered in our article on records management vs document management.
The retention policy sets the rules. The DMS enforces them. Neither functions properly without the other. The components, benefits, and use cases of a document management system are outlined in our article on what an EDMS is.
Retention Policy vs Backup: Why They Are Not the Same
One of the most common misconceptions in DMS planning is the assumption that backup systems and retention policies serve the same function. They do not.
A backup exists for disaster recovery and business continuity. It preserves what existed at a point in time so that operations can be restored after a system failure, ransomware attack, or accidental deletion.
A retention policy governs the lifecycle and legal status of records: what should exist, for how long, and what the organisation must be able to prove about how those records were managed.
Backups do not classify records, enforce disposal schedules, or suspend deletion during a legal hold. Assuming that one substitutes for the other is a governance gap that auditors regularly find.
Why Retention Policy Belongs at the Start of a DMS Project, Not the End
Every configuration decision a DMS requires (metadata categories, archive triggers, disposal workflows, legal hold handling) depends on what the retention policy says.
What the Policy Defines for the System
The retention policy defines which metadata categories the system requires, which archive triggers and disposal workflows must be configured, and how legal holds should be handled.
Without those inputs, a DMS has no basis for making any of these decisions automatically, and manual discipline is not a substitute.
Configuring a DMS without this foundation means rebuilding decisions later, once documents have been migrated without classification rules, metadata has been applied inconsistently, and records have accumulated for years without a disposal plan.
Why Migration Makes This Even More Critical
The policy matters most at migration. Before a single document moves into a new DMS, the organisation needs retention-based answers to practical questions: what carries over into the active repository, what goes directly to archive, what should be disposed of before migration begins, and how legacy folders are reclassified against the new taxonomy.
Without those answers, migration merely pushes the problem into a new system.
How these decisions fit into a broader implementation strategy is examined in our guide to document management implementation in Nigeria. For organisations working through paper-based records, our article on document conversion in Nigeria addresses why governance must precede the scanning programme.
What a Data Retention Policy Covers
The Retention Schedule
The retention schedule is the working core of a retention policy. It maps each document category to a minimum retention period, a trigger point, and a prescribed end-of-life action. Without a schedule, the policy is a set of principles with no operational teeth.
Typical document categories and their parameters:
| Document Category | Retention Period | Action at Expiry |
|---|---|---|
| Financial records and invoices | 6 years from end of assessment year | Secure disposal |
| Company accounting records | 6 years from date records were made | Secure disposal |
| Employment and payroll records | 6 years from date of employee exit | Secure disposal |
| Contracts and agreements | 6 years from contract expiry date | Review, then disposal |
| Regulatory correspondence | 5–7 years from date of correspondence | Archive or disposal |
| Project documentation | 5 years from project close date | Archive or disposal |
| General business communications | 2–3 years from date of creation | Disposal |
Periods shown reflect current regulatory requirements as a general reference. Verify against applicable sector obligations and take legal advice before treating these as compliance benchmarks for your organisation.
Retention Triggers
Retention clocks do not all start from the date a document was created. This is among the most operationally important details in a retention policy, and among the most frequently overlooked.
A contract is typically retained from its expiry date, not from when it was signed. Employee HR records are retained from the date of departure. Project files are retained from project close. Financial records are retained from the end of the relevant financial year.
Getting triggers right prevents two distinct failure modes: over-retention of records that have long since passed their legitimate lifecycle, and premature disposal of records still within their required retention window.
End-of-Life Actions and Defensible Disposal
When a retention period ends, there are three possible actions: move to long-term archive, trigger a review decision before disposal, or delete automatically. The policy must specify which applies to each document category and who has the authority to approve disposal when a review decision is required.
Disposal itself must be documented and auditable. The organisation needs to demonstrate that disposal took place in accordance with its own governance rules: not arbitrarily or accidentally, but as a controlled, recorded action. That matters in any audit, and more acutely when the organisation is under active regulatory scrutiny.
Legal Holds
When litigation, a regulatory investigation, or an audit is active, normal retention rules are suspended for the records involved. Documents that would otherwise be eligible for disposal must be preserved until the hold is lifted.
The retention policy needs to define how holds are invoked, who authorises them, which records they cover, and how they are released once the triggering event concludes.
A DMS that cannot suspend disposal rules during a legal hold creates evidentiary risk. Records that should be preserved may be deleted by an automated process that does not know a hold is in place. This provision needs to be designed into the policy before it is ever needed.
Ownership and Accountability
A retention policy without assigned ownership is a document that nobody enforces. The policy should specify who owns it at the organisational level, typically a legal, compliance, or records management function. It should define IT and DMS administrator responsibilities for system-level enforcement, and identify which business units carry day-to-day classification responsibilities.
Disposal authority is a separate question. Who can approve the deletion of records requiring a review decision? Who escalates disputes about classification? These are governance decisions, not IT decisions, and the policy needs to make that clear.
The Regulatory Context Your Policy Must Reflect
In practice, retention periods for Nigerian organisations are shaped by overlapping obligations rather than a single law.
Sector-Specific Minimum Retention Floors
NRS: Tax records, invoices, and supporting financial documentation: six years minimum from the end of the relevant assessment year, under Section 63 of CITA.
CAMA 2020: Company accounting records, reports, minutes, financial statements, and balance sheets: six years, under Section 864.
CBN / MLPA 2022: Customer due diligence records and transaction documentation: five years minimum under the Money Laundering (Prevention and Prohibition) Act 2022.
PENCOM: Pension and retirement fund records: defined minimum periods for licensed pension fund administrators.
NDPA 2023: Personal data not covered by sector-specific mandates should be retained only as long as the processing purpose justifies it. The Act’s storage limitation and data minimisation principles apply broadly to any personal data the organisation holds.
Where NDPA and Sector Requirements Diverge
Retaining personal data beyond what is operationally or legally justifiable may expose the organisation to NDPA liability. Disposing of records before a sector minimum period expires creates regulatory and audit exposure.
A retention policy that does not address both sides of that tension is structurally incomplete. Navigating that tension requires deliberate policy decisions, not defaults.
The governance implications of NDPA’s storage limitation requirements and how they interact with document lifecycle management are examined in our article on document lifecycle governance.
What the Absence of a Retention Policy Does to a DMS
Without a retention policy, a DMS does not fail visibly. It fails gradually, in ways that only become apparent under pressure.
Documents accumulate indefinitely because there is no rule for moving or removing them. Search results become less reliable as the volume of undifferentiated content grows.
Staff begin creating personal copies of critical files on local drives, not out of carelessness, but because they do not trust that the central system will retain what they need when they need it. That behaviour is a governance signal, not a training problem.
Audit requests surface records that should have been disposed of years ago, raising questions that the organisation cannot easily answer. The same requests fail to surface records that are legally required to exist because no minimum retention was defined, and the records were never managed consistently.
Multiple outdated versions of the same contract begin circulating across departments because there is no archival or disposal structure in place. Nobody is certain which version is current, and the system holds no authoritative answer.
A data breach, when it happens, is materially worse when personal data that should have been deleted under the NDPA’s storage limitation principle was never removed. There is more data than necessary, which means more is exposed.
The governance and implementation failures behind these outcomes are examined in our article on why EDMS implementations fail.
How SharePoint and Zoho WorkDrive Handle Retention
Cloud storage does not transfer retention responsibility from the organisation to the platform. Whether documents are hosted on Microsoft’s or Zoho’s infrastructure, the organisation remains accountable for defining its retention policy and ensuring the platform enforces it.
The two leading platforms in Nigerian DMS deployments approach enforcement differently.
SharePoint and Microsoft Purview
SharePoint retention is managed through Microsoft Purview, which operates at two levels. Retention policies are applied at the container level (site collections, document libraries, Exchange mailboxes) and apply uniformly to everything stored in that location. Retention labels are applied at the item level, either manually by users or automatically through content-based classification rules.
The distinction matters because not all documents in a single library carry the same retention requirements. Purview’s item-level labelling provides document-by-document precision that container-level policies cannot.
Purview also supports preservation locks, which prevent a retention policy from being modified or deleted after it is applied. This is relevant for organisations with regulatory obligations that require demonstrable, tamper-proof retention enforcement.
Legal holds are managed through eDiscovery, which freezes specific records independently of their normal retention lifecycle and maintains audit trails recording who accessed, modified, or acted on records during the hold period.
The capabilities are sophisticated. The configuration is genuinely complex. Organisations that underestimate that complexity tend to leave Purview entirely unconfigured and rely on manual discipline instead. That is not a retention policy.
Advanced Purview retention and eDiscovery capabilities also depend on the Microsoft 365 licensing tier. The gap between E3 and E5 licensing is material, and not all tenants have access to the same compliance feature set.
Zoho WorkDrive
WorkDrive manages retention at the team folder level. Administrators define retention periods for folders, and the system handles archiving and removal based on those settings. The configuration is accessible without a dedicated compliance specialist, making it practical for organisations that need consistent, enforceable retention without the overhead that Purview requires.
For organisations already operating on Zoho One, WorkDrive retention integrates naturally with how the broader environment manages records. Customer data in Zoho CRM, HR records in Zoho People, and financial documents in Zoho Books each carry their own retention considerations. Managing those consistently is more achievable within a unified Zoho environment than across a fragmented multi-platform stack.
For many SMEs, consistency and enforceability matter more than advanced granularity, and WorkDrive delivers both. Its limits are real: item-level labelling with Purview’s precision is not available. Organisations in heavily regulated sectors with complex, document-level retention requirements and mandatory preservation lock obligations will reach those limits.
A broader look at WorkDrive’s document management capabilities for Nigerian SMEs is covered in our article on Zoho WorkDrive for Nigerian SMEs.
Matching Platform Capability to Policy Complexity
The right platform follows from what the retention policy requires. Organisations with a Zoho-first stack and moderate compliance obligations do not need what Purview provides. Those in financial services or healthcare, with document-level retention requirements and regulatory obligations around tamper-proof enforcement, need Purview and the licensing tier to access it fully.
Where neither platform precisely meets the requirement, a purpose-built EDMS configured around the organisation’s retention schedule may be the appropriate path. The decision framework for choosing between DMS platforms is set out in our guide to choosing an EDMS for Nigerian businesses.
One point applies to both platforms: automated retention is only as reliable as the classification and metadata structures that support it. Metadata discipline is the foundation on which the system depends, not an afterthought.
Where to Begin
Building a retention policy frequently surfaces questions about records that organisations have never formally resolved: what categories exist across the business, which regulatory obligations apply to each, and which business processes create long-term record-keeping obligations.
Those are governance questions that precede any technology decision. They also reveal that the organisation’s current approach to records is less deliberate than it appears. Getting those questions answered is where a functional retention policy begins, and where professional advisory input tends to have the clearest return.
PlanetWeb helps Nigerian organisations design retention governance frameworks and document management systems that align operational workflows, regulatory obligations, and lifecycle control from the outset. Learn more about our document management services or contact us to discuss your organisation’s requirements.
