
Free Data Retention Policy Template

A data retention policy sets out how long your organisation keeps personal data and when it should be securely deleted. Use our free UK template to create a policy that meets the UK GDPR storage limitation principle and demonstrates accountability.

DATA RETENTION POLICY
Acme Holdings Ltd  ·  Version 1.0  ·  Effective: 2026-04-01
DPO: Sarah Johnson
Contact: dpo@acmeholdings.co.uk
1. INTRODUCTION AND SCOPE
Acme Holdings Ltd ("the Organisation") is committed to managing personal data responsibly and in compliance with applicable data protection legislation. This Data Retention Policy sets out the periods for which different categories of data are retained, the legal basis for such retention, and the procedures for secure disposal.

This Policy applies to all personal data processed by the Organisation in any format (paper and electronic). It should be read alongside the Organisation's Privacy Policy and Information Security Policy.

This Policy complies with: the UK General Data Protection Regulation (UK GDPR); the Data Protection Act 2018; the Limitation Act 1980; the Companies Act 2006; HMRC record-keeping requirements; and relevant sector-specific requirements.
2. RETENTION PRINCIPLES
Under UK GDPR Article 5(1)(e) (storage limitation), personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed.

The Organisation shall: (a) retain data only for as long as necessary for its original purpose or a compatible purpose; (b) ensure a legal basis exists for each retention period; (c) securely dispose of data at the end of the retention period; and (d) document retention decisions and review them regularly.
3. RETENTION SCHEDULE

| Data Category | Retention Period | Legal Basis | Disposal Method |
|---|---|---|---|
| Employee Records | Duration of employment + 6 years | Limitation Act 1980 (s.5 - contract) | Secure deletion |
| Recruitment Records | 6 months (unsuccessful) / duration of employment (if hired) | UK GDPR Art.6(1)(f) - legitimate interests | Secure deletion |
| Customer / Client Data | Duration of contract + 6 years | Limitation Act 1980 (s.5 - contract) | Secure deletion |
| Financial / Tax Records | 6 years from end of financial year | UK GDPR Art.6(1)(c) - legal obligation (HMRC) | Secure deletion |
| Health and Safety Records | 3 years (general) / 40 years (asbestos, radiation) | UK GDPR Art.6(1)(c) - legal obligation | Secure deletion |
| CCTV Footage | 30 days (unless incident under investigation) | UK GDPR Art.6(1)(f) - legitimate interests | Secure deletion |
| Marketing Consents | Until consent withdrawn + 1 year | UK GDPR Art.6(1)(a) - consent | Secure deletion |
| Website Analytics Data | 26 months | UK GDPR Art.6(1)(f) - legitimate interests | Secure deletion |
4. DISPOSAL PROCEDURES
At the end of the relevant retention period, personal data shall be disposed of securely using the following methods:

Secure deletion: Electronic data is permanently deleted using methods that prevent recovery (e.g. overwriting, degaussing, or certified data destruction software).

Shredding: Paper records are cross-cut shredded using a DIN 66399 Level P-4 or higher shredder, or sent to a certified confidential waste contractor.

Anonymisation: Where data is retained for statistical or analytical purposes, all identifying information is removed such that individuals can no longer be identified.
5. EXCEPTIONS TO STANDARD RETENTION
The standard retention periods set out in this Policy may be extended where any of the following circumstances apply:

  • Legal hold / litigation
  • Ongoing disputes
  • Regulatory investigation
  • Subject access request

When a legal hold or regulatory investigation is active, affected data must not be disposed of regardless of retention period expiry until the hold is formally lifted.
6. RESPONSIBILITIES AND REVIEW
Responsibility for this Policy rests with the Data Protection Officer, with support from departmental managers.

Annual review process: The DPO will conduct an annual audit of all data held against the retention schedule, flagging any data held beyond its retention period for review and disposal.
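The retention schedule in section 3, the legal-hold exception in section 5 and the annual audit in section 6 together describe a mechanical check: for each record, compute the disposal due date from its trigger event, and flag it for disposal only if that date has passed and no hold applies. The script below is an added illustration of that check, not part of the template or any tooling the page describes. The category keys, the trigger-date field, the sample records and the "as of" date are all assumptions constructed for the example; the periods themselves are taken from the section 3 table (the "if hired" branch of recruitment records is treated as an employee record, and the 40-year asbestos/radiation period is a separate category).

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods from the section 3 table, expressed as (months, days)
# after the event that starts the clock (end of employment, end of contract,
# end of financial year, consent withdrawal, recording/collection date).
# Category keys are assumptions made for this example.
SCHEDULE = {
    "employee_records": (6 * 12, 0),
    "recruitment_unsuccessful": (6, 0),
    "customer_data": (6 * 12, 0),
    "financial_records": (6 * 12, 0),
    "hs_general": (3 * 12, 0),
    "hs_asbestos_radiation": (40 * 12, 0),
    "cctv": (0, 30),
    "marketing_consent": (12, 0),
    "web_analytics": (26, 0),
}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year = d.year + years
    month = month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # date the retention clock starts
    legal_hold: bool = False  # section 5: hold suspends disposal


def disposal_due(record: Record) -> date:
    """Earliest date on which the record may be disposed of."""
    months, days = SCHEDULE[record.category]
    return add_months(record.trigger_date, months) + timedelta(days=days)


def evaluate(record: Record, as_of: date) -> str:
    """Classify a record as retain / hold / dispose / review as of a date."""
    if record.category not in SCHEDULE:
        return "review"           # no schedule entry: needs a DPO decision
    if as_of < disposal_due(record):
        return "retain"           # still within its retention period
    if record.legal_hold:
        return "hold"             # expired, but section 5 blocks disposal
    return "dispose"


def audit(records, as_of: date) -> dict:
    """Section 6 audit: group record ids by the action they require."""
    result = {"retain": [], "hold": [], "dispose": [], "review": []}
    for r in records:
        result[evaluate(r, as_of)].append(r.record_id)
    return result


# Constructed sample inventory (not real data) and an assumed audit date.
SAMPLE_RECORDS = [
    Record("E1", "employee_records", date(2019, 12, 31)),
    Record("C1", "customer_data", date(2019, 6, 30), legal_hold=True),
    Record("R1", "recruitment_unsuccessful", date(2025, 11, 15)),
    Record("V1", "cctv", date(2026, 3, 1)),
    Record("V2", "cctv", date(2026, 3, 15)),
    Record("A1", "web_analytics", date(2024, 1, 31)),
    Record("X1", "training_certificates", date(2020, 1, 1)),
]
AUDIT_DATE = date(2026, 4, 1)

if __name__ == "__main__":
    for action, ids in audit(SAMPLE_RECORDS, AUDIT_DATE).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
```

Two design points are worth noting. A record under legal hold is reported as "hold" only once its period has expired; before that it is simply retained, which matches section 5 (the hold matters when disposal would otherwise happen). A category with no schedule entry is never silently disposed of or silently kept; it is surfaced as "review" so that the gap in the schedule is itself a finding of the audit.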
7. LEGAL REFERENCES
This Policy references and has been prepared in accordance with the following legislation and guidance:

UK General Data Protection Regulation (UK GDPR) — Article 5(1)(e) storage limitation principle; Article 6 lawful bases for processing
Data Protection Act 2018
Limitation Act 1980 — 6-year limitation period for contract claims (s.5)
Companies Act 2006 — accounting records retention (s.386: 3 years for private companies, 6 years for public companies)
HMRC record-keeping requirements — 6 years for tax and VAT records
Health and Safety at Work Act 1974 and associated regulations
ICO Guidance on storage limitation and records retention

Policy owner: Board of Directors
Approved on: 2026-04-01

What Is a Data Retention Policy?

A data retention policy is an internal document that defines how long different categories of personal data are kept, the criteria for determining retention periods and the procedures for secure disposal when data is no longer needed.

Article 5(1)(e) of the UK GDPR establishes the storage limitation principle, which requires that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. A retention policy operationalises this principle.

A clear UK data retention policy is essential for UK GDPR compliance, helps British organisations manage storage costs, reduces the risk of data breaches and demonstrates that your organisation takes data protection seriously in England and Wales. The UK ICO expects organisations to have documented retention policies.

What's Covered in This Template

Our data retention policy template provides a comprehensive framework for managing data lifecycle.

Policy Scope and Purpose

Who the policy applies to, its objectives and the data protection principles it supports.

Retention Schedule

A structured table listing each data category, its purpose, lawful basis, retention period and disposal method.

Employee Records

Retention periods for staff files, payroll data, recruitment records and training certificates.

Customer and Client Data

How long customer records, transaction data, contracts and correspondence are retained.

Financial Records

Retention periods aligned with HMRC requirements, Companies Act obligations and audit needs.

Marketing Data

Retention rules for consent records, mailing lists, campaign data and opt-out preferences.

Secure Disposal Procedures

Methods for securely deleting electronic data and destroying physical records when retention periods expire.

Legal Hold Provisions

Process for suspending normal disposal when data is relevant to ongoing or anticipated legal proceedings.

Roles and Responsibilities

Who is responsible for implementing the policy, conducting reviews and authorising exceptions.

Review and Update Schedule

How often the policy and retention schedule will be reviewed and who is responsible for updates.

How to Create a Data Retention Policy

Follow these steps to build a practical retention policy for your organisation.

  1. Audit Your Data

     Identify all categories of personal data your organisation holds, where it is stored, why it is processed and the lawful basis for processing.

  2. Determine Retention Periods

     Set appropriate retention periods for each data category based on legal requirements, contractual obligations and business necessity.

  3. Define Disposal Procedures

     Specify how data will be securely deleted or destroyed when the retention period expires, covering both electronic and physical records.

  4. Assign Responsibilities

     Designate who is responsible for monitoring retention periods, authorising disposal and handling exceptions such as legal holds.

  5. Publish and Train

     Distribute the policy to all relevant staff, provide training on its requirements and schedule regular reviews to keep it current.

Legal Considerations

Data retention involves balancing UK GDPR requirements with other legal obligations that mandate keeping records.

This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.

Reviewed for England & Wales law

Storage Limitation Principle

Article 5(1)(e) of the UK GDPR requires that personal data is not kept for longer than necessary. The ICO expects organisations to have clear policies, to review retained data regularly and to be able to justify their retention periods. Data kept without a valid purpose, or beyond its retention period, is non-compliant under UK data protection law.

Statutory Retention Requirements

Certain UK laws require data to be kept for minimum periods. HMRC requires financial records to be retained for six years. The Limitation Act 1980 sets a six-year limitation period for most contractual claims in England and Wales. Employment records may need to be kept for specific periods under UK employment legislation.

Right to Erasure

Under Article 17 of the UK GDPR, data subjects have the right to request deletion of their personal data in certain circumstances. Your retention policy should include a process for handling erasure requests and explain when statutory retention obligations may override the right to erasure.

Accountability and Documentation

Article 5(2) of the UK GDPR requires organisations to be able to demonstrate compliance with the data protection principles. A documented retention policy that is regularly reviewed and followed in practice is key evidence of accountability and can help defend against ICO enforcement action.

Create Your Data Retention Policy Now

Demonstrate accountability and manage your data lifecycle effectively. Fill in the details, preview your policy and download it as a PDF in minutes.

Free · Instant PDF · No account required