Collecting personal data is something almost every UK business does – whether you’re gathering customer emails for your online store, storing employee records, or simply managing your day-to-day operations. But one of the biggest questions we hear from business owners and managers is: how long should you keep personal data? Getting this right isn’t just about common sense – it’s a key part of staying compliant with the UK GDPR and the Data Protection Act 2018. Hold onto data for too long, and you risk hefty fines (not to mention damage to your reputation); delete it too soon and you could be left without crucial information you need.
If terms like “data retention period”, “storage limitation” or “lawful basis” leave you scratching your head, don’t stress. With the right guidance and a few solid processes in place, you’ll be set up for compliance and peace of mind.
In this guide, we’ll break down the practical steps to determine how long you should store personal data, what the law says about data retention periods in the UK, and how to create a smart policy that keeps your business protected. Let’s get started.
Why Does Data Retention Matter?
Personal data – like names, emails, bank details, medical records, and more – is highly valuable, both to your business and to cybercriminals. The more you store, and the longer you keep it, the greater the risk of accidental leaks, loss, or unauthorised access. And under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, there are now strict rules around how and when you can keep it.
Most importantly, for UK businesses of all sizes, you’re legally required to only hold onto personal data for as long as it’s necessary for the original purpose you collected it for. If you keep it for longer than this – even by accident – you could face enforcement action from the ICO (Information Commissioner’s Office), including fines or an investigation into your practices.
Data retention isn’t just a “box-ticking exercise” – it’s a cornerstone of protecting both your customers and your business. Let’s look at the rules in more detail.
What Does the Law Say About Data Retention in the UK?
The principle of “storage limitation” sits at the heart of the UK GDPR. In plain English, this means:
- You must not keep personal data for longer than is necessary for the purposes you collected it for (UK GDPR, Article 5(1)(e)).
- “Personal data” here means anything that can directly or indirectly identify someone (a name and address, a customer ID, a device or account identifier), so the rule applies to pseudonymised records too, not just those with a name on them.
- You must have systems for regularly reviewing the data you hold – and securely deleting or anonymising it once it’s no longer needed.
The Data Protection Act 2018 reinforces these rules for UK businesses, making it clear that good data “housekeeping” is not optional. Failing to comply can lead to regulatory penalties, reputational harm, and in some cases, intervention by the ICO.
But here’s the catch: the law doesn’t hand you a fixed number. There is no “GDPR 7 years” rule or any other statutory default for how long each type of data may be kept. So how do you decide what’s “necessary”?
How Do You Decide How Long to Keep Personal Data?
There’s no one-size-fits-all answer to how long you can keep data under the UK GDPR. The right retention period depends on a few key factors:
- The original reason for collecting the data. Is it for a one-off transaction, an ongoing customer account, or something else?
- Any legal or regulatory requirements. For example, HMRC requires tax and accounting records to be kept for a set period, and that period depends on the record type: 6 years from the end of the financial year for company accounting records, with different periods for records such as PAYE and self-assessment. Check the rule that applies to each record rather than assuming a single figure.
- Industry best practices or codes of conduct. Sectors like healthcare, finance, or childcare often have their own mandatory or recommended data retention timelines.
- Your own operational needs. What does your business genuinely need to fulfil contracts, handle complaints, or defend against potential claims?
Let’s break down some examples:
- Employee personnel records: UK businesses typically keep these for the duration of employment plus 6 (sometimes 7) years after the employee leaves. The 6-year figure tracks the limitation period for most contract claims, which is why it is used to defend against potential claims; the tax and payroll parts of the file also have their own HMRC periods.
- Financial/accounting data: HMRC requires companies to keep tax and accounting records for 6 years from the end of the financial year they relate to. Because the clock runs from the year end, the earliest entries in a year’s records are in practice held for close to 7 years.
- Customer data for one-off purchases: You may only need to keep order information for as long as the returns period or to manage any follow-up queries – once the purpose expires, you should delete or anonymise the details.
- Marketing subscriber lists: Remove people from your marketing list as soon as they unsubscribe or withdraw consent. Two things can legitimately outlast that: evidence of how and when they signed up (so you can demonstrate compliance for a period afterwards), and a minimal suppression record (typically just the email address) so that you do not contact them again, which is part of honouring the opt-out rather than a breach of it.
If you’re ever unsure about the relevant retention period (especially for more complex categories), it’s smart to check with a data privacy lawyer who can guide you for your industry and specific situation.
What’s a Data Retention Policy, and Do I Need One?
A data retention policy is a document that sets out exactly how long you hold each type of personal data, and what happens to it at the end of that period (secure deletion or anonymisation). The UK GDPR does not use the words “retention policy”, but it does require the substance of one: your privacy notice must state the retention period, or the criteria used to decide it, for each purpose (Articles 13 and 14), and organisations that must keep records of processing under Article 30 have to record the envisaged time limits for erasing each category of data where possible. In practice a documented policy is the only realistic way to meet those duties and to show the ICO that you have applied the storage limitation principle.
Your policy should include:
- A list of all categories of personal data you collect and process
- The lawful basis for processing each type (e.g. contract, legal requirement, consent)
- The retention period for each data category – and the reasoning behind those timeframes
- How, and by whom, data will be securely deleted or anonymised after the retention period
- A schedule for regular review (e.g. annually) to update and “cleanse” records
Having a policy isn’t just about following the rules – it also shows your business takes privacy seriously and can be extremely helpful if you face a legal claim, audit, or subject access request.
If you’re ready to create your own, we have more details in our guide to data privacy and retention impact assessments, or you can contact our team for help in drafting a tailored policy.
What Are the Risks of Keeping Data Too Long?
It’s easy to fall into the trap of thinking “better safe than sorry” and keeping information “just in case”. But under the GDPR, the risks of over-retention are real:
- Data breaches are more likely – the more unnecessary or outdated data you have, the bigger the “attack surface” for cyber threats or malicious insiders.
- Greater compliance risk – keeping data longer than you legally should breaches the storage limitation principle in its own right, and the age and volume of the data you hold is something the ICO examines in audits and breach investigations.
- Reputational harm – holding on to old customer details (or failing to honour a deletion request) can erode trust and spark complaints.
- Operational inefficiency – storing and managing more data than you need eats up resources and can make finding relevant information harder.
Bottom line: Clean, up-to-date data practices are key for legal compliance and a smooth-running business.
What Are the Rights of Individuals About Their Data?
The UK GDPR gives individuals (“data subjects”) strong rights over their personal information, including:
- The right to request erasure (the “right to be forgotten”): If someone asks you to delete their personal data, you usually must do so unless you have a lawful reason to retain it (e.g. fulfilling a contract, meeting a legal obligation).
- The right to object: People can object to processing of their data for certain reasons (particularly marketing and profiling), and you’ll need clear processes to handle such requests.
- The right to access and correct: Individuals can request a copy of the data you hold about them (a subject access request) and have inaccurate or incomplete data corrected or completed.
Having a robust retention policy and deletion process makes it easier to honour these rights promptly. For more on subject access requests and your legal duties, check out our guide to the ‘right to be forgotten’.
How Should Personal Data Be Deleted or Anonymised?
Secure deletion is just as important as secure storage. Once a retention period is up, or a data subject exercises their right to erasure, you must ensure the data is truly removed from your systems:
- Erase data from all live, cloud, and backup systems. Where a backup cannot be selectively edited, put the data “beyond use”: do not use or restore it for any purpose, delete it again if that backup is ever restored, and let the backup cycle overwrite it. The ICO accepts this approach for backups, provided it is documented and actually followed.
- Use certified deletion tools or data destruction services for paper and digital records
- If you have a legitimate business or legal need to keep a record, consider anonymising the data so the individual can no longer be identified by anyone, including you. Take care here: replacing a name or email with a hash or a customer ID is pseudonymisation, not anonymisation, because the key or lookup table lets the record be re-linked, and pseudonymised data is still personal data under the UK GDPR. Genuine anonymisation means removing the direct identifiers and coarsening the rest (dates to months, exact amounts to bands) so that no individual can be singled out, including by combining what remains with other data you hold.
- Document your deletion process in your policy – so you can demonstrate compliance if required
More detailed guidance can be found in our resources on data breach response planning and privacy policy drafting for GDPR.
Data Retention: Step-by-Step Checklist For Businesses
Ready to get your practices in shape? Here are the key steps for GDPR data retention compliance in the UK:
- Inventory the types and sources of personal data you collect (customer, employee, client, etc.).
- Identify any legal or regulatory requirements that dictate minimum (or maximum) retention periods for each data type.
- Set a documented retention period for every data category you process, based on necessity, law, and risk.
- Draft a clear Data Retention Policy that covers timelines, responsibilities, and secure deletion or anonymisation procedures.
- Train staff so everyone understands their role in following retention processes and data protection more broadly (see staff handbooks and workplace policies in our HR compliance resources).
- Review and update your retention schedule and policies at least annually, or when business processes change.
- Establish a system for regularly auditing current data holdings, deleting what’s expired, and responding to subject requests quickly and efficiently.
How Does “7 Years” Fit In? (GDPR Data Retention Myths)
A common question is whether UK businesses must keep all data for 7 years, or whether this is the default retention period under the GDPR. The answer: there is no universal “7 year rule” under the UK GDPR. The 6 to 7 year figure comes from specific legal requirements and limitation periods, such as HMRC’s record-keeping obligations for tax and accounting records and the 6-year limitation period for bringing most contract claims.
It’s essential to check the relevant law for each data type. Some data (like contracts, financials, or accident records) may have explicit retention rules, while others (like unsolicited job applications or marketing opt-ins) may only be retained for as long as the business case exists (often much shorter than 7 years).
If you aren’t sure which laws apply to your industry or data types, professional guidance can help you avoid both over-retention and premature deletion.
Key Takeaways
- UK GDPR and the Data Protection Act 2018 require that personal data is not kept for longer than necessary for its original purpose.
- There’s no “one-size-fits-all” answer – retention periods should reflect your reasons for processing, any legal obligations (like the usual 6 years for HMRC records), and industry requirements.
- A written data retention policy helps you demonstrate compliance, respond to subject requests promptly, and manage information securely.
- Over-retention increases your risk of data breaches, compliance fines, and reputational damage.
- Secure deletion or anonymisation is a legal requirement when data is no longer needed; keeping data “just in case” is not permitted.
- Regular policy reviews and staff training are vital for continued compliance.
- If you’re unsure, tailor-made legal advice will make sure your specific business and sector needs are covered.
If you’d like support with your data retention policies, handling a tricky data subject request, or understanding which laws apply to your sector, our friendly team can help. You can reach us at 08081347754 or [email protected] for a free, no-obligations chat about getting your business protected and compliant.