Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer details, employee records or website analytics, you’re handling personal data - and you can’t keep it forever. Under UK GDPR, you can only store personal data for as long as you actually need it.
Getting this right matters. Clear retention periods reduce risk, cut storage costs and show regulators you take privacy seriously. In this guide, we’ll break down what the law says about how long personal data can be kept for, give you practical examples, and share a straightforward process to build a compliant data retention schedule for your business.
Let’s make sure you’re covered from day one.
What Does UK GDPR Say About How Long Personal Data Can Be Kept For?
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set out the “storage limitation” principle. In short: you must not keep personal data for longer than is necessary for the purposes you collected it for.
Key points to remember:
- There are no universal “one-size-fits-all” timeframes in the law. Retention depends on your purposes, legal obligations and risks.
- You can keep data longer if you need it for legal claims, compliance or archiving in the public interest - but you must justify and document it.
- When data is no longer needed, you must delete it securely or anonymise it so individuals are no longer identifiable.
- You need to tell people how long you’ll keep their data (or the criteria you use to decide) in a clear, accessible Privacy Policy.
Regulators expect you to be able to explain and evidence your retention decisions. That’s why having a written retention schedule is so important.
How To Set Appropriate Data Retention Periods (Step-By-Step)
Here’s a simple, practical process you can follow to set and document how long personal data can be kept for in your business.
1) Map Your Data And Purposes
List the personal data you collect, where it sits and why you collect it. Typical categories include:
- Customers and prospects: names, contact details, purchase history, marketing preferences
- Employees and contractors: HR files, payroll, right to work, performance records
- Website/app users: account details, cookies/analytics, support tickets
- Suppliers: contact details, contracts, payment info
- Security: CCTV footage, access logs
Your data map should align with your record of processing activities (ROPA). If you work with third-party processors (e.g. payroll providers, CRM tools), make sure each relationship is covered by a robust Data Processing Agreement.
2) Identify Legal Bases And Obligations
Retention periods must reflect the legal reason you’re processing data and any laws that require you to keep records for a minimum period. For example, tax and accounting rules typically require keeping transaction records for several years.
3) Set A Default Period Plus Exceptions
For each category, set a default retention period based on your purpose, then add exceptions where needed (e.g. where limitation periods for legal claims apply, or where you must keep a record for statutory compliance). Use calendar triggers such as “X years from last transaction” or “X months after account closure.”
4) Choose The End-Of-Life Action
Decide what happens when the period ends - secure deletion, anonymisation or limited archiving. Build processes so this happens automatically where possible.
5) Document, Communicate And Enforce
Record your decisions in a Data Retention Policy and schedule. Ensure your staff can follow it in practice, and reflect the approach in your Privacy Policy. If you share data externally, align retention rules in your Data Sharing Agreement or contract terms.
6) Review Regularly
Plan an annual check - laws, business models and tools change. A quick audit can catch data you’re keeping “just in case,” which is a red flag under UK GDPR.
Typical Retention Periods For Common Business Records
Every business is different, but these examples show how you might approach setting periods. Always tailor them to your purposes and get advice where needed.
- Customer accounts and purchase history: retain for the customer relationship, then a set period after the last transaction (e.g. 6 years to align with contractual limitation periods). Consider anonymising order data for analytics beyond that window.
- Financial records (invoices, VAT records, payments): HMRC expects you to keep records for at least 6 years (sometimes longer if they concern assets or returns filed late). Align your accounting data to those rules.
- Contracts and key correspondence: often kept for the life of the contract plus 6 years (or 12 years for deeds) due to potential claims.
- Marketing lists: keep for as long as consent remains valid or the “soft opt-in” continues to apply under PECR, and delete or suppress when people unsubscribe or after a defined inactivity period (e.g. 24 months with no engagement). If you rely on the soft opt-in, ensure your practices match the rules for soft opt-in email marketing.
- Customer support tickets: keep for a defined period after resolution (e.g. 12–24 months) to handle follow-up issues, then delete or anonymise.
- Supplier records: retain during the relationship and for a period afterwards (e.g. 6 years) to manage disputes and audit requirements.
- Website analytics: set a short, business-justified period (e.g. 14–26 months) and configure your analytics tool to auto-delete older data where possible.
Employee data is a frequent pain point. There are multiple legal obligations at play, and retention often varies by document type. For a deeper dive on HR files, see our guide on how long you should keep ex-employee records.
Special Cases: Employees, CCTV, Cookies And Cloud Tools
Some data categories need extra care. Here are common examples for small businesses.
Employee And Recruitment Data
Employers must balance GDPR with employment law and HMRC rules. Typical approaches include:
- Payroll and tax: usually at least 6 years
- Right-to-work checks: for the duration of employment plus up to 2 years
- Recruitment records: around 6–12 months from decision, unless consent is obtained to keep a talent pool longer (and even then, set a clear period)
- Health and safety incident records: keep long enough to manage claims and comply with statutory duties; periods can be longer if risk of late-arising claims exists
Document each category in your schedule. If you’re unsure, it’s sensible to seek tailored advice.
CCTV And Access Logs
For security CCTV, many businesses keep footage for a short period (often 30 days) unless an incident requires a longer hold for investigation. The shorter the better, provided it’s still useful for your purpose. Make sure your retention aligns with your privacy notice signage and internal policy.
Cookies And Online Tracking
Retention for cookies and similar tracking tech should reflect what you’re actually doing with the data. If you’re using analytics, set the tool to auto-delete after a defined period and ensure your cookie banner allows users to reject non-essential cookies. If you’re refreshing your approach, our guide to cookie banners that comply sets out practical steps.
Cloud Storage And SaaS Tools
Cloud platforms make retention trickier because data can be duplicated across apps. Choose tools that support auto-deletion, suppression and export. If you’re using common cloud platforms, it’s worth checking how their settings affect retention and security - for instance, our overview of whether Google Drive is GDPR compliant explains key considerations for UK businesses.
What To Do At The End Of The Retention Period
Once the clock runs out, you have three main options. Pick the one that best fits your purpose and risk profile.
1) Secure Deletion
Where data is no longer needed, delete it securely. That may mean overwriting files, purging backups after a defined lag, or issuing deletion instructions to processors under your Data Processing Agreement. Keep a log of deletion actions for audit purposes.
2) Anonymisation
If you want to use historic data for trends or forecasting, anonymise it so individuals cannot be identified (even with additional information). Truly anonymised data is no longer “personal data” under UK GDPR. Pseudonymisation (e.g. replacing names with IDs) is helpful for security, but the data is still personal data if re-identification is possible - so retention rules still apply.
3) Limited Archiving
In some cases, you may need to keep limited records to comply with a law or defend possible legal claims. If so, restrict access, store separately and review regularly. The burden is on you to justify the ongoing need.
Whatever you choose, ensure your Privacy Policy explains, in plain English, the criteria you use to decide how long personal data can be kept for.
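To show how steps 3 and 4 of the process above (a default period per category, a trigger date, a justified exception, and an end-of-life action) and the three end-of-life options fit together in practice, here is a small added example in Python. It is not Sprintlaw's code or a tool mentioned in this guide; the category names, periods and sample records are constructed assumptions that mirror the illustrative figures in the article, and the audit log deliberately records only record ids and decisions rather than the personal data itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule: category -> (period after the trigger event, end-of-life action).
# Periods mirror the article's illustrative figures (months approximated as 30 days);
# a real schedule must be tailored to the business's own purposes and obligations.
SCHEDULE = {
    "customer_account":  (timedelta(days=6 * 365), "anonymise"),  # 6 years from last transaction
    "support_ticket":    (timedelta(days=24 * 30), "delete"),     # 24 months after resolution
    "marketing_contact": (timedelta(days=24 * 30), "delete"),     # 24 months with no engagement
    "cctv_footage":      (timedelta(days=30), "delete"),          # 30 days unless incident hold
    "financial_record":  (timedelta(days=6 * 365), "archive"),    # HMRC: at least 6 years
}

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # last transaction, resolution, last engagement or capture
    legal_hold: bool = False  # documented exception: live claim, incident or statutory duty

def end_of_life_action(rec: Record, today: date) -> str:
    """Decide 'retain', 'hold', 'delete', 'anonymise' or 'archive' for one record."""
    period, action = SCHEDULE[rec.category]
    if today < rec.trigger_date + period:
        return "retain"  # still inside the default period
    if rec.legal_hold:
        return "hold"    # justified exception; review it, do not leave it open-ended
    return action

def run_schedule(records, today):
    """Apply the schedule and return an audit log of every end-of-life decision.
    The log holds record ids and decisions only, never the personal data itself."""
    return [
        {"record_id": r.record_id, "category": r.category,
         "decision": d, "decided_on": today.isoformat()}
        for r in records if (d := end_of_life_action(r, today)) != "retain"
    ]

# Constructed sample records (not real data), evaluated as of 1 January 2025.
AS_OF = date(2025, 1, 1)
SAMPLE = [
    Record("C1", "customer_account", date(2010, 1, 1)),
    Record("C2", "customer_account", date(2024, 12, 1)),
    Record("T1", "support_ticket", date(2022, 1, 1)),
    Record("V1", "cctv_footage", date(2024, 11, 1), legal_hold=True),
    Record("F1", "financial_record", date(2015, 1, 1)),
    Record("M1", "marketing_contact", date(2024, 10, 1)),
]
```

Running `run_schedule(SAMPLE, AS_OF)` yields decisions for C1 (anonymise), T1 (delete), V1 (hold, because of the incident hold) and F1 (archive), while C2 and M1 are still inside their default periods and are retained.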
Handling Access And Deletion Requests Within Your Retention Rules
Your retention schedule should work hand-in-hand with individual rights. People can ask to access their data (a subject access request), rectify inaccuracies, or in some cases request deletion. You’ll need a process to respond quickly, lawfully and consistently.
- Access requests: UK GDPR sets strict timescales. Build a playbook so you can locate data across systems fast and meet subject access request deadlines.
- Deletion requests: If your retention period or legal obligation requires you to keep the data (e.g. for tax), you can refuse deletion for those items - but you should explain why and suppress processing for marketing where applicable.
- Exemptions: Certain requests can be limited or refused in specific situations. Be cautious and document your reasoning. Our guide to SAR exemptions outlines common scenarios.
It’s also a good idea to align your marketing systems so opt-outs immediately remove people from mailing lists. If you use processors for email or CRM, make sure your contracts and settings support rapid suppression and deletion.
Documenting And Proving Compliance (Without Drowning In Admin)
You don’t need a huge bureaucracy to be compliant - you need clarity, consistency and evidence. These are the essentials we recommend for most SMEs:
- Data Retention Policy and schedule: a short, practical document listing categories, timeframes, criteria and end-of-life actions.
- Privacy notices: a user-friendly Privacy Policy that clearly states how long you keep data or how you decide.
- Contracts with third parties: a strong Data Processing Agreement with processors, and a Data Sharing Agreement where you share data with other controllers.
- Governance and training: name a responsible owner, set calendar reviews and train staff to follow the schedule.
- Records of decisions: keep a log showing when you deleted, anonymised or refused a request and why.
If you’re building your privacy program or updating policies, packages like our GDPR Package can streamline the process so you’re not reinventing the wheel.
Common Pitfalls To Avoid
Even well-run businesses can stumble on retention. Watch out for these traps:
- “Just in case” hoarding: keeping everything forever increases breach risk and undermines GDPR compliance.
- Unmanaged backups: set a sensible backup retention period and implement purge routines, especially after deletions.
- Mismatched systems: your schedule says 24 months, but your CRM keeps records indefinitely. Configure tools to auto-expire data.
- Vague policies: “We keep data as long as necessary” without criteria isn’t enough. Provide concrete periods or decision factors.
- Ignoring cookie and marketing data: cookies and mailing lists are personal data too - align your banner, consent and retention settings. If you process a lot of data, check whether you’re liable for ICO fees or qualify for ICO fee exemptions.
If you need a reference point while setting periods, our primer on how long you should keep personal data breaks down the key principles and examples from a compliance perspective.
Key Takeaways
- Under UK GDPR’s storage limitation principle, you can only keep personal data for as long as it’s needed for your stated purposes - there are no universal timelines.
- Build a practical retention schedule: map your data, set default periods with justified exceptions, and choose end-of-life actions (deletion, anonymisation or limited archiving).
- Align your approach with legal obligations (e.g. HMRC record-keeping) and limitation periods for claims; document your reasoning and review annually.
- Make your retention approach easy to follow in practice: configure systems for auto-deletion, train staff and reflect periods in your Privacy Policy and contracts.
- Plan for rights requests: set up processes and tooling to meet SAR deadlines, handle deletion properly and apply any applicable exemptions carefully.
- Avoid common pitfalls like “just in case” hoarding, unmanaged backups and vague policies. Clear, tailored timeframes are your best defence.
If you’d like help setting defensible retention periods, drafting a retention policy, or updating your privacy documentation, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.