Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably collecting personal data all the time - customer orders, supplier contacts, employee records, marketing leads, CCTV footage, website analytics, support tickets… the list adds up quickly.
Then the big compliance question hits: how long can you hold personal data for without breaching the UK GDPR?
The tricky part is that UK GDPR doesn’t give you one neat “keep it for X years” rule. Instead, it expects you to keep personal data only for as long as you genuinely need it, and to be able to explain why you’re keeping it.
Below, we’ll break down UK GDPR retention rules in plain English, show you common retention periods small businesses use, and set out a practical approach to building a data retention policy that actually works day-to-day.
What Does UK GDPR Say About How Long You Can Hold Data For?
UK GDPR (alongside the Data Protection Act 2018) doesn’t provide a fixed number of years you can keep personal data. Instead, it’s based on principles - and the key one for retention is the storage limitation principle.
In simple terms: you should not keep personal data for longer than is necessary for the purpose you collected it for.
So when people ask how long you can hold data for, the UK GDPR answer is essentially:
- Keep it only as long as you need it for a legitimate, specific purpose.
- Be able to justify and document that retention period.
- Delete it (or anonymise it) when it’s no longer needed.
The Practical Test: “Why Are We Still Keeping This?”
A good rule of thumb for business owners is this: if you can’t clearly answer why you’re still holding a particular set of personal data, it’s probably time to delete it.
UK GDPR expects you to think about retention by category of data and business purpose, for example:
- Customer purchase records (for accounting, warranties, dispute handling)
- Unsuccessful applicant CVs (for recruitment records and fairness auditing)
- Marketing lists (while consent is valid or a “soft opt-in” applies, and people haven’t opted out - noting that marketing rules sit under PECR as well as UK GDPR)
- CCTV footage (for security and incident investigation)
Retention Is Also An “Accountability” Issue
UK GDPR’s accountability principle means you need to not only do the right thing, but also be able to show you’re doing the right thing.
That’s why many small businesses put retention rules into:
- a written data retention policy
- your Privacy Policy
- contracts with suppliers who process data on your behalf (more on that below)
How Long Can Data Be Kept For Under UK GDPR (In Practical Business Terms)?
Even though there’s no single number, there are common “real-world” drivers that influence how long you can keep personal data. Most retention periods come from a mix of:
- Legal obligations (e.g. tax laws, employment laws, regulatory requirements)
- Limitation periods (how long someone has to bring a claim - often 6 years for contract claims in England & Wales, though this can vary)
- Operational needs (e.g. customer support history, repeat purchases)
- Risk management (e.g. defending disputes, handling chargebacks)
- Privacy expectations (what customers would reasonably expect you to do)
So if you’re asking how long you can hold data for, the better question is: how long do you need it for, and what’s your justification?
Example: Customer Order Data
Let’s say you run an ecommerce brand. You might keep customer order records for several years because:
- you need to comply with HMRC record-keeping requirements and expectations (which can depend on the record type and your circumstances - this isn’t tax advice)
- you may need to handle refunds, returns, chargebacks, warranty queries, or disputes
- you may need evidence if a customer brings a claim (or if you need to bring one)
But you might not need to keep the full data set forever. For example, after a certain point you may be able to delete contact details and retain only a limited set of transaction records, or anonymise the data so it’s no longer personal data.
Example: Marketing Leads
Marketing lists are a common area where businesses accidentally over-retain data. If someone hasn’t engaged in years, keeping their details “just in case” is risky.
A better approach is to set a clear review cycle (e.g. every 6–12 months) and remove contacts who:
- withdraw consent
- opt out / unsubscribe
- have been inactive for a set period (depending on your business and buying cycle)
Also keep in mind that marketing communications are regulated not only by UK GDPR, but also by the Privacy and Electronic Communications Regulations (PECR) - including the conditions for relying on a “soft opt-in”.
Common Retention Periods For Small Businesses (A Starting Point)
Every business is different, but the table below gives a useful starting point for thinking about retention. The key is to tailor it to what you do and what laws apply to you.
Important: these are general guidance examples - not a one-size-fits-all rule, and not legal or tax advice. When in doubt, get advice, especially for sensitive data (like health information) or high-risk processing.
| Data Type | Common Reason For Keeping It | Typical Retention Approach (Example) |
|---|---|---|
| Customer invoices and transaction records | Tax/accounting, dispute evidence | Often around 6 years (but the right period depends on your specific accounting/tax obligations and risk profile) |
| Customer support tickets / complaints | Service improvement, dispute handling | 2–6 years depending on risk and nature of services |
| Marketing lists | Ongoing marketing communications | Until opt-out/withdrawal, plus regular “inactive contact” clean-ups (and ensure your approach aligns with UK GDPR and PECR) |
| Website enquiry forms | Responding to enquiries, sales pipeline | Short retention if no customer relationship forms (e.g. 3–12 months) |
| Unsuccessful job applicant data | Recruitment audit trail, defending discrimination claims | Often 6–12 months (sometimes longer depending on hiring context) |
| Employee HR records | Employment law obligations, disputes, payroll | Varies by record type; often years after employment ends |
| CCTV footage | Security and incident investigation | Often 14–31 days unless required for an incident |
Employment Records: Don’t Guess
If you employ staff, you’ll hold a lot of data that can be sensitive or high-risk (right to work documents, sickness records, performance notes, disciplinaries).
This is one area where having a structured approach matters. Alongside retention rules, you may also need clear internal rules about device and internet usage, and those rules should align with your retention and monitoring practices. Many businesses set this out in an Acceptable Use Policy.
And when you’re working out retention for ex-employee records, it’s worth thinking about both:
- legal obligations to keep certain records, and
- the risk of keeping “too much” (especially if it includes health data or unsubstantiated allegations)
If you’re unsure, a tailored review is usually worthwhile - especially before you scale your team.
How Do You Set A Data Retention Policy That UK GDPR Actually Supports?
It’s easy to say “we’ll delete data when we don’t need it” - but in practice, you want a simple system your team can follow without constant legal input.
Here’s a practical step-by-step process many small businesses use.
1. List The Personal Data You Hold (And Where It Lives)
Start by mapping your personal data, including:
- website forms and ecommerce platform data
- CRM records
- email inboxes (yes, personal data can live in email threads)
- HR systems
- cloud storage folders
- CCTV / security systems
- accounting tools
This doesn’t need to be perfect on day one. The goal is to know what exists and who can access it.
2. Define The Purpose And Lawful Basis
For each category, identify:
- Purpose: why you collected it (e.g. fulfil orders, pay staff, respond to enquiries)
- Lawful basis: which UK GDPR basis you’re relying on (e.g. contract, legal obligation, legitimate interests, consent)
Retention becomes much easier once the purpose is clear - because you can then decide when that purpose ends.
3. Set A Retention Period (And A Review Trigger)
Your retention periods can be time-based (e.g. “6 years after the end of the financial year”) or event-based (e.g. “12 months after the last account activity”).
Also set a trigger for review, for example:
- end of customer relationship
- contract termination
- employment termination
- last login / last purchase
- closure of a support ticket
This is where you answer the question of how long you can hold data for in your business, based on your actual risks and obligations.
4. Build Deletion And Anonymisation Into Your Workflow
Retention compliance isn’t only about a policy document - it’s about what actually happens in your systems.
Common approaches include:
- automatic deletion rules (where your platform allows it)
- monthly/quarterly deletion tasks assigned to a role (not “someone”)
- anonymisation for long-term analytics (so you keep insights without keeping personal data)
- archiving with restricted access for data you genuinely need to retain
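To show how steps 3 and 4 fit together in a system rather than a policy document, here is an added example (not Sprintlaw’s code or advice): a small Python retention sweep that applies time-based and event-based rules, honours a legal hold, and anonymises rather than deletes where only the identifiers need to go. The schedule periods, the 31 March financial year end and the sample records are all assumptions constructed for the example.

```python
from datetime import date, timedelta
# Constructed retention schedule (example periods only, not Sprintlaw's advice).
# anchor = the date the period counts from; action = what happens once it expires.
SCHEDULE = {
    "invoice": {"anchor": "financial_year_end", "years": 6, "action": "anonymise"},
    "account": {"anchor": "last_activity", "months": 12, "action": "delete"},
    "cctv":    {"anchor": "created", "days": 31, "action": "delete"},
}
CONTACT_FIELDS = ("name", "email", "address")  # identifiers dropped on anonymisation

# Constructed sample records (fictional people and dates).
RECORDS = [
    {"id": "inv-1", "category": "invoice", "created": date(2018, 6, 10), "email": "a@example.com", "total": 120.0},
    {"id": "inv-2", "category": "invoice", "created": date(2018, 6, 10), "email": "b@example.com", "legal_hold": True},
    {"id": "acc-1", "category": "account", "last_activity": date(2024, 5, 15), "email": "c@example.com"},
    {"id": "cam-1", "category": "cctv", "created": date(2025, 2, 20)},
]

def add_months(d, n):
    """Calendar-month arithmetic, clamping to the last valid day of the target month."""
    month = d.month - 1 + n
    year, month = d.year + month // 12, month % 12 + 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def expiry_date(record):
    """Time-based rules count from a fixed date; event-based ones from the last activity."""
    rule = SCHEDULE[record["category"]]
    anchor = record["last_activity"] if rule["anchor"] == "last_activity" else record["created"]
    if rule["anchor"] == "financial_year_end":  # assumes a financial year ending 31 March
        anchor = date(anchor.year if anchor.month <= 3 else anchor.year + 1, 3, 31)
    if "days" in rule:
        return anchor + timedelta(days=rule["days"])
    return add_months(anchor, rule.get("months", 12 * rule.get("years", 0)))

def retention_action(record, today):
    """Return 'delete', 'anonymise' or None. A legal hold (e.g. an open dispute) blocks both,
    since erasure is not required while the data is still needed to defend a claim."""
    if record.get("legal_hold") or today < expiry_date(record):
        return None
    return SCHEDULE[record["category"]]["action"]

def anonymise(record):
    """Keep the transaction facts, drop the identifiers that make it personal data."""
    return {k: v for k, v in record.items() if k not in CONTACT_FIELDS}

def run_sweep(records, today):
    """One scheduled clean-up task: map each record id that is due to its action."""
    return {r["id"]: a for r in records if (a := retention_action(r, today))}
```

Run `run_sweep(RECORDS, date.today())` from a monthly or quarterly job owned by a named role, and log which ids were actioned so you can evidence the clean-up under the accountability principle.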
5. Make Sure Your Suppliers Follow Your Retention Rules
If you use third parties to store or process personal data (hosting providers, CRMs, payroll services, email marketing tools), UK GDPR expects you to have appropriate contractual protections in place.
In many cases, that means having a Data Processing Agreement that covers things like:
- what the supplier can do with the data
- security requirements
- assistance with data subject rights
- what happens to the data at the end of the service (return/deletion)
What If Someone Asks You To Delete Their Data (Or Makes A SAR)?
Retention and deletion aren’t only internal decisions - they often come up when customers, users, or employees exercise their data rights.
The Right To Erasure Isn’t Absolute
People can ask you to delete their data, but you don’t always have to delete it immediately if you still need it for a valid reason (for example, a legal obligation, or to establish/defend legal claims).
That’s another reason retention should be planned. If your retention position is clear, you can respond confidently and consistently rather than scrambling to work it out under pressure.
Subject Access Requests (SARs): Retention Can Help Or Hurt You
A Subject Access Request can force you to locate and provide copies of personal data you hold. If you keep data for longer than you need, you increase the volume you may need to search and disclose.
Having a structured process (and templates) can make this far less disruptive. Some businesses use an Access Request Form so requests are captured clearly and routed to the right person internally.
If SAR handling is a recurring issue for your business (for example, if you have a workforce, or you deal with disputes regularly), it’s worth making sure your systems and internal processes are up to scratch.
What Happens If You Keep Personal Data Too Long?
Over-retention is one of the most common compliance problems for small businesses because it’s usually accidental - old spreadsheets, stale CRM entries, ex-employee folders that no one wants to touch.
But keeping data longer than necessary can create real business risk.
1. Higher Risk In A Data Breach
The more personal data you keep, the more you potentially expose if something goes wrong. And if you suffer a breach, you may need to assess the impact, notify where appropriate, and show you had sensible controls in place.
Many businesses keep a documented incident plan so they can act quickly. A Data Breach Response Plan can help you respond in an organised way (and not make panicked decisions that create further risk).
2. Non-Compliance With UK GDPR Principles
If you can’t justify why you still have the data, you may be breaching the storage limitation principle - and potentially related principles too (like data minimisation and accuracy).
Even if you’re not doing anything “dodgy” with the data, keeping it indefinitely is rarely defensible.
3. Customer Trust And Commercial Reputation
Customers and clients increasingly expect businesses to handle data responsibly. If you keep personal data longer than you need, and that becomes visible (for example, through a SAR, a complaint, or a breach), the reputational fallout can be bigger than the legal issue.
4. Operational Drag
This is the hidden cost: messy data makes your business slower.
- More clutter in your CRM
- More time spent searching for the “right” record
- More work responding to SARs
- More risk that staff rely on outdated information
Good retention practices aren’t just a legal checkbox - they’re part of running a well-organised business.
Key Takeaways
- UK GDPR doesn’t set one fixed time limit, so the answer to how long you can hold data for depends on your purpose, legal obligations, and business risks.
- The storage limitation principle means you should only keep personal data for as long as necessary, and then delete or anonymise it.
- Common retention periods often reflect tax record-keeping needs and limitation periods for claims, but you should tailor them to your business (and get advice where needed).
- A practical data retention policy starts with mapping what data you hold, why you hold it, and where it lives, then setting timeframes and deletion triggers.
- If suppliers process data for you, you’ll usually need a Data Processing Agreement so retention and deletion obligations are properly covered.
- Keeping data “just in case” increases breach risk, compliance risk, and the admin burden when handling requests like SARs.
If you’d like help putting a practical UK GDPR retention approach in place - including your Privacy Policy, contracts, and internal processes - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.