When there is no available law or regulation to set a retention rule for records and data, many organizations fill in this gap by applying a limitation period as the retention rule. However, broadly applying this approach presents the risk of over-retention, and forgets the basis for using limitation periods in the first place. 

Rather than applying limitation periods by rote, organizations should conduct a risk-based analysis to determine whether there is a material risk of dispute in this area. 

In Connect on Tech, Lisa Douglas and I wrote about using a risk-based approach for limitation periods, and other things to consider when applying limitation periods in an information governance retention program. While organizations may not always want  keep information for the full extent of the applicable limitation period, the best practice is to apply limitation periods where there is a significant risk of claims.