A data retention policy sets out how long your organisation keeps personal data and when it should be securely deleted. Use our free UK template to create a policy that meets the UK GDPR storage limitation principle and demonstrates accountability.
| Data Category | Retention Period | Legal Basis | Disposal Method |
|---|---|---|---|
| Employee Records | Duration of employment + 6 years | Limitation Act 1980 (s.5 - contract) | Secure deletion |
| Recruitment Records | 6 months (unsuccessful) / duration of employment (if hired) | UK GDPR Art.6(1)(f) - legitimate interests | Secure deletion |
| Customer / Client Data | Duration of contract + 6 years | Limitation Act 1980 (s.5 - contract) | Secure deletion |
| Financial / Tax Records | 6 years from end of financial year | UK GDPR Art.6(1)(c) - legal obligation (HMRC) | Secure deletion |
| Health and Safety Records | 3 years (general) / 40 years (asbestos, radiation) | UK GDPR Art.6(1)(c) - legal obligation | Secure deletion |
| CCTV Footage | 30 days (unless incident under investigation) | UK GDPR Art.6(1)(f) - legitimate interests | Secure deletion |
| Marketing Consents | Until consent withdrawn + 1 year | UK GDPR Art.6(1)(a) - consent | Secure deletion |
| Website Analytics Data | 26 months | UK GDPR Art.6(1)(f) - legitimate interests | Secure deletion |
Available as a print-ready PDF or an editable Microsoft Word (.docx) file.
A data retention policy is an internal document that defines how long different categories of personal data are kept, the criteria for determining retention periods and the procedures for secure disposal when data is no longer needed.
Article 5(1)(e) of the UK GDPR establishes the storage limitation principle, which requires that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. A retention policy operationalises this principle.
A clear UK data retention policy is essential for UK GDPR compliance, helps British organisations manage storage costs, reduces the risk of data breaches and demonstrates that your organisation takes data protection seriously in England and Wales. The UK ICO expects organisations to have documented retention policies.
Our data retention policy template provides a comprehensive framework for managing the data lifecycle.
Who the policy applies to, its objectives and the data protection principles it supports.
A structured table listing each data category, its purpose, lawful basis, retention period and disposal method.
Retention periods for staff files, payroll data, recruitment records and training certificates.
How long customer records, transaction data, contracts and correspondence are retained.
Retention periods aligned with HMRC requirements, Companies Act obligations and audit needs.
Retention rules for consent records, mailing lists, campaign data and opt-out preferences.
Methods for securely deleting electronic data and destroying physical records when retention periods expire.
Process for suspending normal disposal when data is relevant to ongoing or anticipated legal proceedings.
Who is responsible for implementing the policy, conducting reviews and authorising exceptions.
How often the policy and retention schedule will be reviewed and who is responsible for updates.
Follow these steps to build a practical retention policy for your organisation.
Identify all categories of personal data your organisation holds, where it is stored, why it is processed and the lawful basis for processing.
Set appropriate retention periods for each data category based on legal requirements, contractual obligations and business necessity.
Specify how data will be securely deleted or destroyed when the retention period expires, covering both electronic and physical records.
Designate who is responsible for monitoring retention periods, authorising disposal and handling exceptions such as legal holds.
Distribute the policy to all relevant staff, provide training on its requirements and schedule regular reviews to keep it current.
Four things that make our templates more thorough than AI-generated drafts and more current than static template libraries.
Drafted with legal expertise for each jurisdiction, far more thorough than AI-generated drafts that copy generic clauses across borders.
Templates carrying statute references are continuously updated as the law changes. Your document always reflects the current legal framework.
Free to download. Vector text, embedded fonts, statute citations baked in. Print, sign, file. Ready for any signing flow including electronic signature.
Continue editing in Word after download. Add custom clauses, reuse the template for similar agreements, or share with a colleague for collaborative review.
Requires Expert one-time unlock or any paid Doxuno subscription.
Data retention involves balancing UK GDPR requirements with other legal obligations that mandate keeping records.
This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.
Reviewed for England & Wales law
Article 5(1)(e) of the UK GDPR requires that personal data is not kept longer than necessary in the United Kingdom. The UK ICO expects British organisations to have clear policies, regularly review retained data and be able to justify their retention periods. Data kept without a valid purpose or beyond its retention period is non-compliant under English data protection law.
Certain UK laws require data to be kept for minimum periods. HMRC requires British financial records to be retained for six years. The UK Limitation Act 1980 sets a six-year limitation period for most contractual claims in England and Wales. British employment records may need to be kept for specific periods under UK employment legislation.
Under Article 17 of the UK GDPR, British data subjects have the right to request deletion of their personal data in certain circumstances. Your UK retention policy should include a process for handling erasure requests and explain when British retention obligations may override the right to erasure under English law.
Article 5(2) of the UK GDPR requires British organisations to demonstrate compliance with data protection principles. A documented UK retention policy, regularly reviewed and followed in practice, is key evidence of accountability and can help defend against UK ICO enforcement action in England and Wales.
Demonstrate accountability and manage your data lifecycle effectively. Fill in the details, preview your policy and download it as a PDF in minutes.