Data retention policy requires that organisations only keep personal information of persons for a limited period of time, and not longer than is necessary. Where there is no legitimate business purpose for keeping information, businesses are required to delete personal information in their possession in accordance with a predetermined timeframe made known to the data subject. Note that a retention policy may be impacted by other laws outside of privacy regulations. For example the law of evidence and financial regulations issued by the Central Bank and the Financial Reporting Council of Nigeria impose additional requirements in respect of retention of financial information.