
A data retention policy is a documented set of rules that defines how long your business keeps different types of personal data and what happens to it when the retention period ends. Under UK GDPR, keeping personal data for longer than necessary is a breach of the storage limitation principle — one of the seven core data protection principles.

You need a data retention policy if you hold any personal data about customers, employees, suppliers, or any other individuals. This applies regardless of your business size. Without one, you cannot demonstrate to the ICO that you are managing retention lawfully, and you risk holding data you no longer have a right to keep.

When this applies to your business

You need to act if any of the following apply:

  • You do not have a written retention policy
  • You have a policy but it has not been reviewed in the past two years
  • Your retention periods are not documented in your records of processing activities (ROPA)
  • You have no process for deleting or disposing of data at the end of its retention period

The storage limitation principle and what it requires

UK GDPR Article 5(1)(e) states that personal data must be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed. There is no single answer to how long "necessary" is — it depends on the specific purpose and any legal requirements that apply to that category of data.

Step-by-step: building your retention policy

Follow these steps to create a retention policy that meets ICO expectations and is practical to operate.

  1. Map what personal data you hold

    List every category of personal data your business processes, organised by business function. Common categories include: customer records, employee and HR files, supplier contacts, marketing lists, financial and invoice records, website and analytics data, CCTV footage, and correspondence archives. For each category, note where it is held (CRM, email, paper files, cloud storage, backups) and who is responsible for it. You cannot set retention periods for data you have not identified.

  2. Identify the legal basis and purpose for each category

    For each category of personal data, confirm why you hold it and which lawful basis applies. This matters for retention because the legal basis often dictates the minimum period (for example, employment law may require you to keep payroll records for six years) or determines when you can no longer justify continued processing (for example, once a contract ends, there may be no continuing basis to hold the customer's personal details beyond a limitation period). If you cannot identify a current purpose, the data should be deleted.

  3. Research the statutory minimums and maximums that apply

    Some categories of data are subject to specific statutory retention periods that override the general principle. Check which of these apply to your business. HMRC requires most tax and accounting records to be kept for six years from the end of the accounting period. Employment records should generally be kept for six years after an employee leaves (to cover limitation periods for employment claims). Health and safety accident books must be kept for three years. Clinical health records are subject to longer periods. Where a statutory minimum applies, you must keep the data at least that long but not indefinitely beyond it.

  4. Set your retention periods by category

    For each category of personal data, set a specific retention period justified by purpose, legal requirements, and limitation periods. Express periods as a defined timeframe (for example, "six years from the end of the financial year in which the record was created") rather than vague language such as "as long as necessary". Where data is held for multiple purposes with different periods, the longest period applies, after which the data must be reviewed or deleted. Document the justification for each period.

  5. Define secure disposal procedures

    For each category, specify how data will be disposed of when the retention period ends. For paper records: cross-cut shredding, or use of a certified document destruction contractor. For digital data: secure deletion using approved tools (not just moving to the Recycle Bin), or certified destruction for physical media such as hard drives. Backup copies and archived versions must be included in disposal — data deleted from live systems but retained in backups is still held in breach of your policy. Record disposal actions as evidence of compliance.

  6. Document the policy and update your ROPA

    Write the retention policy as a formal document, approved by a senior decision-maker (ideally a director or DPO). Include: scope, the retention schedule, disposal procedures, roles and responsibilities, and the review cycle. Update your records of processing activities (ROPA) to include the retention periods for each processing activity. The ICO can request to see both documents. Ensure the retention schedule is accessible to the staff who manage data in each category.

  7. Implement regular reviews and a deletion workflow

    A retention policy is only effective if it is acted on. Set up a process — at least annually — to review data held against the schedule and delete or dispose of anything that has exceeded its retention period. Assign responsibility for each category to a named individual. Consider whether your systems support automated deletion at end-of-period (many modern CRM and HR platforms offer this). Record the outcome of each review to demonstrate ongoing accountability.

What your retention schedule must cover

The retention schedule is the core of your policy — a table or list that maps each category of personal data to a retention period and disposal method. A complete schedule should cover at least the following standard business categories:

  • Employee records: Contract, payroll, performance, disciplinary — typically 6 years after employment ends
  • Recruitment records: CVs, interview notes of unsuccessful candidates — typically 6-12 months
  • Customer records: Contact and transaction data — varies by contract type and limitation period; commonly 6 years from last transaction
  • Supplier records: Contracts and correspondence — typically 6 years from contract end
  • HMRC and financial records: VAT records, accounts, payroll — 6 years from end of the relevant tax year
  • CCTV footage: Unless needed for an incident — typically 30 days
  • Marketing and consent records: Opt-in consents and their basis — for the life of the marketing relationship, plus evidence of consent for 3 years after the last contact
  • Website logs and analytics: Typically 13 months unless anonymised sooner
  • Health and safety accident records: 3 years from date of entry in accident book

This is a starting point. Your own schedule must reflect the specific categories your business actually holds. The ICO does not prescribe fixed periods for most categories — you must make a documented, justifiable decision for each one.

Linking retention to your records of processing activities

UK GDPR Article 30 requires you to maintain records of processing activities (ROPA). Retention periods are a mandatory element of the ROPA. If your policy is well-constructed, your ROPA will already reflect the same categories and periods — the two documents should be consistent and should be updated together.

Northern Ireland and devolved considerations

Penalties for failing to manage retention

Keeping personal data longer than necessary is a breach of the storage limitation principle under UK GDPR Article 5(1)(e). This falls under the higher tier of UK GDPR fines, which can reach £17.5 million or 4% of annual worldwide turnover, whichever is higher.

In practice, the ICO's enforcement approach for retention failures focuses on organisations that have no policy at all or that have systematically failed to delete data despite having a policy. The ICO is more likely to issue an enforcement notice and require remediation than to immediately impose a maximum fine for a first-time failure that is not accompanied by other breaches. However, a retention failure that contributes to a data breach, or that reveals data hoarding on a large scale, significantly increases enforcement risk.

Failing to include retention periods in your ROPA is also a separate compliance failure — a breach of Article 30 — and can result in fines of up to £8.7 million or 2% of annual worldwide turnover.

What to do next

  • Start with a data audit: If you do not know what personal data you hold, begin by mapping it before trying to write a policy
  • Use the ICO's retention guidance: The ICO publishes sector-specific guidance on retention periods for education, health, and other regulated sectors — check whether any applies to your business
  • Update your ROPA at the same time: The retention schedule and ROPA should be produced together and kept in sync
  • Build deletion into your systems: Manual deletion processes fail over time; automate where possible using your existing software tools
  • Review annually: Set a fixed annual review date in your compliance calendar to check data against the schedule and update periods if your processing changes