Many organisations that have invested significant effort in their lawful bases, privacy notices and subject access request (SAR) processes have barely touched their data retention practices. The result is a common but serious compliance gap: data held in systems long past its useful life, with no documented justification and no deletion process in place.

When a data breach occurs — and for many organisations, it eventually does — the extent of data held becomes suddenly relevant. Data that should have been deleted years ago is now in scope. The ICO's investigation into the breach becomes, in part, an investigation into why the data existed at all.

This guide explains the storage limitation principle, how to set lawful retention periods, how to build a retention schedule, and how a DPO keeps the policy live rather than letting it gather dust.

The Storage Limitation Principle: What the Law Requires

Article 5(1)(e) of UK GDPR requires that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

In plain terms: you can keep personal data for as long as you genuinely need it for the purpose you collected it. Once that purpose has been fulfilled — or can reasonably be met without the data — it should be deleted, anonymised or archived in a way that removes the ability to identify individuals.

Crucially, UK GDPR does not specify retention periods for most data types. There is no single answer to "how long can we keep employee records" or "how long should we retain customer data". The answer depends on the purpose, the legal context and the genuine needs of your organisation.

The accountability requirement

Under Article 5(2) of UK GDPR, you must be able to demonstrate compliance with the storage limitation principle. This means having documented retention periods with a clear rationale — not just a general policy statement that data is kept "no longer than necessary".

How to Determine Lawful Retention Periods

Setting retention periods requires asking a structured set of questions for each category of personal data your organisation holds:

Why was this data collected?

Start with the purpose. Employee payroll data was collected to pay staff correctly and to meet tax obligations. Customer contact data was collected to fulfil orders and provide after-sales support. The purpose defines the outer boundary of how long the data is needed.

Are there legal or regulatory requirements that define the period?

Many data types have retention periods defined or implied by other legislation. Employers must retain certain payroll records for at least three years under HMRC rules. Financial services firms must retain transaction records for specific periods under FCA requirements. Healthcare providers have NHS retention guidance. Where a legal minimum exists, your retention period must at least meet it — but you should also consider whether there are reasons to keep data longer.

What is the legitimate business need beyond the legal minimum?

Even where no legal minimum exists, there may be genuine business reasons to retain data beyond its immediate purpose. Potential litigation is the most common example — retaining employee records for six years after employment ends protects against employment claims that may arise under the Limitation Act 1980. Retaining financial records beyond the HMRC minimum may be prudent given the potential for tax investigations.

These business justifications must be genuine and documented. "We might need it one day" is not a sufficient reason to retain personal data indefinitely.

Does retention create disproportionate risk for individuals?

The longer data is held, the greater the risk if it is subject to a breach, an unauthorised access event, or a SAR. Highly sensitive data — medical records, financial information, criminal conviction data — should be retained only for as long as genuinely necessary, and the retention decision should be revisited regularly.

Common Retention Periods: A Reference Guide

The following are common retention periods used by UK organisations. These are starting points based on typical legal requirements and business practice — your own retention periods should be set based on your specific purposes and confirmed with your DPO.

Data Category                       | Typical Retention Period                        | Key Driver
------------------------------------|------------------------------------------------|-------------------------------------
Employee payroll records            | 6 years after tax year end                     | HMRC / Limitation Act
Employment contracts                | 6 years after employment ends                  | Employment claims limitation period
HR records (general)                | 6 years after employment ends                  | Employment tribunal exposure
Recruitment records (unsuccessful)  | 6–12 months after process ends                 | Discrimination claim limitation period
Customer contracts                  | 6 years after contract ends                    | Limitation Act 1980
Financial / accounting records      | 6 years from end of financial year             | Companies Act / HMRC
CCTV footage                        | 31 days (typical) unless used as evidence      | ICO CCTV guidance
Website enquiry data                | 12–24 months if no contract formed             | Business purpose
Marketing contact data              | Until consent withdrawn or 2 years inactive    | PECR / UK GDPR consent
Health records (NHS)                | 8 years after last contact (adult)             | NHS Records Management Code

Building a Retention Schedule

A retention schedule is a documented register of every category of personal data your organisation holds, the retention period for each, the legal basis or business justification for that period, and the process for deletion or review when the period expires.

An effective retention schedule typically covers:

Common mistake

Creating a retention schedule as a one-time project and never revisiting it. As your organisation's processing activities evolve — new systems, new products, new legal requirements — the retention schedule must be updated. A DPO's role includes an annual review of the schedule to ensure it remains accurate and compliant.
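To show how the register described above can be made operational, here is an added Python example (not the guide's own tooling or any product's code) that encodes three rows of the reference table as rules with a clock-starting event and a period, then classifies constructed records as retain, delete, or review, the last being records past their period but under a legal hold of the kind the litigation FAQ describes. The category keys, the `legal_hold` flag and all sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RetentionRule:
    """One row of the retention schedule: category, clock-starting event, period, justification."""
    category: str
    trigger: str                       # event that starts the retention clock
    years: int                         # retention period in whole years
    driver: str                        # legal basis or documented business justification
    anchor_to_tax_year: bool = False   # HMRC-driven periods run from the end of the tax year

@dataclass
class Record:
    ref: str
    category: str
    trigger_date: date                 # date the trigger event occurred (constructed sample data)
    legal_hold: bool = False           # hypothetical flag: live or anticipated claim suspends deletion

# Three rows from the reference table; "recruitment" uses the 12-month upper bound of its range.
SCHEDULE = {
    "payroll": RetentionRule("Employee payroll records", "tax year end", 6, "HMRC / Limitation Act", True),
    "hr": RetentionRule("HR records (general)", "employment ends", 6, "Employment tribunal exposure"),
    "recruitment": RetentionRule("Recruitment records (unsuccessful)", "process ends", 1, "Discrimination claim limitation period"),
}

def tax_year_end(d: date) -> date:
    """UK tax year ends on 5 April; dates after that belong to the year ending the following April."""
    return date(d.year, 4, 5) if (d.month, d.day) <= (4, 5) else date(d.year + 1, 4, 5)

def add_years(d: date, n: int) -> date:
    """Add whole years, clamping 29 February to 28 February when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def expiry_date(rule: RetentionRule, record: Record) -> date:
    """Date on which the record's retention period ends under the schedule."""
    start = tax_year_end(record.trigger_date) if rule.anchor_to_tax_year else record.trigger_date
    return add_years(start, rule.years)

def review(records, today: date, schedule=SCHEDULE) -> dict:
    """Map each record ref to 'retain', 'delete' (period expired) or 'review' (expired but on legal hold)."""
    outcome = {}
    for rec in records:
        expired = today >= expiry_date(schedule[rec.category], rec)
        outcome[rec.ref] = "review" if expired and rec.legal_hold else "delete" if expired else "retain"
    return outcome
```

Records marked "review" are the ones the DPO must justify individually against the limitation period rather than delete or silently keep.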

Deletion, Anonymisation and Archiving

At the end of the retention period, data should be securely deleted, anonymised (in a way that is genuinely irreversible), or in some cases archived in a controlled way that restricts access and use.

Secure deletion means different things for different formats. For digital data, it typically means using certified deletion tools that overwrite the data rather than simply removing the file-system reference to it, which leaves the content recoverable. For paper records, it means shredding to the appropriate DIN 66399 security level. For cloud-based data, it means ensuring deletion from all storage locations — including backups — within the agreed timescales, and having the provider confirm that this has happened.

Anonymisation is sometimes used as an alternative to deletion — retaining the data for statistical or analytical purposes in a form that can no longer be linked to identifiable individuals. If done properly, anonymised data falls outside the scope of UK GDPR. But genuinely effective anonymisation is technically demanding, and organisations that claim data is anonymised when it can in fact be re-identified are taking a significant compliance risk.

Is your data retention policy genuinely compliant?

Our outsourced DPO service includes a full review of your retention practices, a documented retention schedule and an annual review cycle — so you're not just compliant on day one but remain compliant as your organisation evolves. From £695/month.


The DPO's Role in Ongoing Retention Compliance

A retention policy that exists on paper but is not implemented in practice provides no real protection. The DPO's role in retention compliance goes beyond drafting the initial schedule:

Frequently Asked Questions

How long can you keep personal data under UK GDPR?

UK GDPR does not set fixed retention periods for most data types. You must keep personal data only for as long as is necessary for the purpose it was collected. The specific period depends on the purpose, any applicable legal requirements and your documented business justification.

Does UK GDPR require a written data retention policy?

Not explicitly — but the accountability principle requires you to be able to demonstrate compliance with the storage limitation principle. In practice, a documented retention schedule listing each data category, its retention period and the justification is expected by the ICO and is considered a fundamental governance document.

What happens if you keep personal data for longer than necessary?

Over-retention is a breach of the storage limitation principle. The ICO can investigate and take enforcement action. The risk is compounded if a breach or SAR reveals data that should have been deleted — both the breach response and the ICO investigation are made significantly more complex by data that should not have existed.

Can you keep data indefinitely for legal defence purposes?

No. While potential litigation is a legitimate reason to extend retention beyond its primary purpose, this must be proportionate and time-limited. The relevant limitation period under the Limitation Act 1980 (typically six years for most civil claims) provides a sensible outer boundary for most records retained for this purpose.

Does the right to erasure override your retention policy?

Not automatically. The right to erasure under Article 17 of UK GDPR can be overridden where you have a legal obligation to retain the data, where the data is necessary for the establishment or defence of legal claims, or where other specific exemptions apply. Your DPO should assess erasure requests individually against your retention justifications rather than applying a blanket policy.