Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you collect customer details, run payroll, use email marketing or even record CCTV, you’re handling “personal data”. A common question we get from small businesses is simple: how long should you keep it?
Under UK GDPR and the Data Protection Act 2018, you can’t keep personal data forever “just in case”. You need a clear, justifiable retention period that fits your legal obligations and your business needs - and you must be ready to delete or anonymise data when that period ends.
In this guide, we’ll break down how to set sensible retention periods, what typical timelines look like for common data types, and how to document and enforce your approach so you stay compliant without slowing down your business.
What Does UK GDPR Say About Data Retention?
The key rule is the Storage Limitation principle in UK GDPR Article 5(1)(e): personal data must be kept in a form that permits identification of individuals for no longer than is necessary for the purposes you collected it. In plain English - decide why you’re collecting data, keep it only as long as you need it for that purpose (or to meet a legal requirement), and then delete or anonymise it.
That principle sits alongside the Accountability requirement - you should be able to show your working. This usually means having a written data retention policy that covers categories of data, the purpose for holding each category, the retention period, and what happens at the end of that period.
Other laws also influence retention. For example, some tax and employment records must be kept for specific minimum periods under HMRC rules or other regulations. The trick is to set a period that is long enough to meet your legal obligations, but not longer than you reasonably need.
Practically, good retention policies help you reduce risk and cost. Less data means less to secure, search, produce in response to subject access requests, and clean up if there’s a breach.
How Long Should Personal Data Be Kept For? Practical Rules By Category
There’s no single number that works for every business and every data type. Instead, apply a purpose-led test and document your reasoning. Below are common categories with typical approaches many UK businesses use, along with factors you should weigh up. Always adjust for your sector rules and any contracts you’re bound by.
Customer Records (Accounts, Orders, Support)
- Typical approach: Keep for the duration of the customer relationship, then a further 6 years to cover limitation periods for contract claims (many claims must be brought within 6 years).
- Why: You may need records to handle refunds, warranty queries, complaints and legal claims. The Consumer Rights Act 2015 and your own terms may drive what you need to retain.
- Tip: Consider anonymising older order histories for analytics so you retain business insights without keeping identifiable data.
Marketing Lists (Email/SMS)
- Typical approach: Keep while consent is valid (or while the “soft opt-in” applies) and remove details when someone unsubscribes or if you haven’t engaged a contact for a defined period (for example, 12–24 months of inactivity, depending on your campaign cycle).
- Why: You need to respect consent and unsubscribe requests under privacy and e-marketing rules.
- Tip: Keep a minimal “suppression list” of opted-out emails indefinitely to make sure you don’t accidentally re-add them to active mailing lists.
If you use cookies for marketing or analytics, make sure your Cookie Policy and consent mechanisms reflect the retention settings for those cookies and similar technologies.
Employee And HR Records
- Typical approach: Retention varies by document type. For example, payroll and wage records are often kept several years to meet HMRC requirements, accident reports are commonly kept at least 3 years, and general personnel files are frequently kept up to 6 years after employment ends (to cover limitation periods).
- Why: Multiple laws apply. Factor in HMRC, health and safety, equality, and limitation periods for employment claims.
- Tip: Build a schedule by record type. This is one area where it’s easy to keep “everything forever”, which creates unnecessary risk. For more detail, see guidance on how long to keep ex-employee records.
Financial And Tax Records
- Typical approach: Many businesses keep key financial records such as invoices, VAT documentation and ledgers for at least 6 years to meet HMRC record-keeping requirements.
- Why: Legal obligation for tax compliance. Where those records include personal data (e.g. sole traders’ details), your legal duty can justify a longer retention period than you might otherwise apply.
- Tip: Separate and securely archive records you’re required to keep for HMRC purposes from other personal data you can safely delete earlier.
CCTV Footage
- Typical approach: Short retention periods are common - for example 14–30 days - unless footage is required for a specific incident, in which case keep it for as long as needed for that investigation or legal claim.
- Why: You rarely need to hold all footage for long periods and doing so materially increases risk.
Website, Apps And Support Tools
- Typical approach: Keep account data while the account is active, then delete or anonymise after a defined inactivity period.
- Why: Storage limitation still applies to cloud tools. Check default retention settings in your platforms - configure them to match your policy, especially for logs, analytics and backups.
- Tip: If you rely on third-party processors, record their retention settings in your Data Processing Agreement so your supply chain aligns with your policy.
How To Set And Document Retention Periods (Without Guesswork)
Start with a simple, workable approach - you don’t need a 50-page policy on day one. The key is consistency, reasoning, and the ability to show you’ve thought it through.
1) Map Your Data
- List the categories of personal data you collect (customers, staff, prospects, suppliers, CCTV, website analytics, support tickets, etc.).
- Note the purpose for each category and where it’s stored (systems, vendors, physical files).
2) Identify Legal Drivers
- Check any explicit retention obligations (HMRC, sector regulators, health and safety, financial services, care standards, etc.).
- Consider claim limitation periods - many contract claims have a 6-year period in England and Wales.
3) Set A Period You Can Justify
- Pick a period that is long enough for your purpose and legal obligations, but no longer.
- When in doubt, keep the identifiable data for the minimum necessary period, then anonymise the rest if you need analytics.
4) Write A Clear Policy
- Document each category, purpose, retention period, and disposal method. Your policy sits alongside your Privacy Policy, internal procedures and records of processing.
- Include who is responsible for reviews and how often you’ll revisit the schedule (for example, annually or when laws change).
5) Automate Where Possible
- Configure your CRM, HRIS, marketing platform and cloud storage to flag or purge data automatically when it reaches its retention date.
- Align cookie and analytics settings with your policy and your consent banner. If you’re unsure, revisit your approach to cookie banners that comply.
6) Train Your Team And Keep Records
- Train staff on when to archive, delete or anonymise data and how to respond to deletion requests.
- Keep basic logs of disposal actions for accountability.
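The six steps above map naturally onto a small piece of automation: a schedule keyed by data category, a rule that compares each record's trigger date against its period, and a disposal log for accountability. The following Python script is an added example written for this guide; it is not Sprintlaw's code or a feature of any named platform. The retention figures in `SCHEDULE` and the sample records are constructed for illustration and mirror the typical approaches described earlier; a real schedule must be set from your own legal drivers. It also handles two edge cases a practitioner should plan for: a record whose category is missing from the schedule (the data map is incomplete, so it is flagged for review rather than silently kept) and a record under a legal hold (never disposed of while the hold stands).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative retention schedule (constructed for this example).
# category -> (days to retain after the trigger date, action when the period ends)
SCHEDULE = {
    "customer_record":   (6 * 365, "delete"),    # end of relationship + 6 years (limitation period)
    "order_history":     (6 * 365, "anonymise"), # keep aggregate insight, drop identity
    "marketing_contact": (18 * 30, "delete"),    # 18 months without engagement
    "cctv":              (30, "delete"),         # 30-day rolling window
    "payroll":           (6 * 365, "delete"),    # tax record-keeping driver
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # e.g. relationship end, last engagement, capture date
    legal_hold: bool = False  # set while a dispute or investigation is open


@dataclass
class Decision:
    record_id: str
    action: str               # "retain", "delete", "anonymise", "hold" or "review"
    reason: str


def decide(record: Record, today: date) -> Decision:
    """Apply the schedule to one record and explain the outcome."""
    if record.category not in SCHEDULE:
        # A category with no schedule entry means the data map is incomplete.
        return Decision(record.record_id, "review",
                        f"no schedule entry for category '{record.category}'")
    days, end_action = SCHEDULE[record.category]
    expiry = record.trigger_date + timedelta(days=days)
    if today < expiry:
        return Decision(record.record_id, "retain",
                        f"within retention period until {expiry.isoformat()}")
    if record.legal_hold:
        # Period has ended, but a legal hold overrides disposal.
        return Decision(record.record_id, "hold",
                        "retention period ended but a legal hold is in place")
    return Decision(record.record_id, end_action,
                    f"retention period ended on {expiry.isoformat()}")


def run_schedule(records: list[Record], today: date) -> tuple[list[Decision], list[str]]:
    """Return all decisions plus a disposal log covering every non-retain outcome."""
    decisions = [decide(r, today) for r in records]
    log = [f"{today.isoformat()} {d.action.upper():9} {d.record_id}: {d.reason}"
           for d in decisions if d.action != "retain"]
    return decisions, log


# Constructed sample records for a run on 15 January 2025.
SAMPLE = [
    Record("cust-001", "customer_record", date(2018, 6, 1)),
    Record("ord-002", "order_history", date(2017, 1, 1)),
    Record("mkt-003", "marketing_contact", date(2024, 6, 1)),
    Record("cctv-004", "cctv", date(2024, 12, 1), legal_hold=True),
    Record("web-005", "visitor_log", date(2024, 1, 1)),  # not in the schedule
]

if __name__ == "__main__":
    decisions, log = run_schedule(SAMPLE, date(2025, 1, 15))
    for d in decisions:
        print(f"{d.record_id}: {d.action} ({d.reason})")
    print("\nDisposal log:")
    print("\n".join(log))
```

Running the schedule nightly and keeping the printed log alongside your policy gives you the "show your working" evidence the accountability requirement asks for, and the `review` outcome is a cheap way to catch new systems that start holding personal data before anyone has assigned them a retention period.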
If you want a structured, lawyer-drafted framework to work from, consider a practical package that covers core privacy documents and processes, such as a GDPR Package or a broader Data Protection Pack.
When Should You Delete Or Anonymise Data?
Deletion is the default at the end of your retention period unless you have a clear, lawful reason to keep the data longer (for example, an ongoing dispute or a legal hold). You can also anonymise data so it’s no longer “personal data” - but it must be irreversible in practice. Pseudonymisation alone (e.g. hashing identifiers while keeping a key) still counts as personal data under GDPR.
Don’t forget that individuals can ask you to delete their personal data in some circumstances. You’ll need a process to assess requests and respond within the UK GDPR timeframe. These rules interact closely with retention: if you don’t have a good reason to continue holding information, you should remove it. For timing and process help, check your approach to SAR deadlines and review when GDPR allows data deletion.
Finally, make sure deletion includes all locations - live systems, archives, backups, and any third-party processors. Your contracts with vendors should require them to delete or return data on your instruction.
Working With Suppliers: Contracts And Shared Data
If you use SaaS tools, marketing platforms, payroll providers or IT support, you’re likely sharing personal data with “processors”. UK GDPR requires you to have a written contract with specific clauses in place. This is usually done via a Data Processing Agreement or a data protection schedule attached to your main services contract.
Your contract should cover retention and deletion. For example, the processor should only keep personal data for as long as needed to provide the services and must delete it on termination or on your instruction. It’s also sensible to ask about their backup retention cycles and how deletion works in practice so your policy and their systems line up.
Where you share personal data with another controller (for instance, a joint marketing initiative with a partner brand), use a Data Sharing Agreement that sets out purpose, roles, retention, security and rights handling between you.
Common Mistakes And FAQs For Small Businesses
“Can We Keep Everything Indefinitely If It’s Useful?”
No - “useful” isn’t enough. You need a lawful basis and a defined purpose. Keeping data indefinitely increases your compliance burden and breach exposure. Anonymise what you want to analyse long term.
“What If We Don’t Know The Right Period?”
Start with a conservative, reasoned period you can justify. Document the rationale and revisit it at regular intervals. As your operations or laws change, update the schedule.
“Do Backups Count?”
Yes. Backups contain personal data and should be included in your policy. Many businesses adopt a short rolling backup window, and make sure that if a backup is restored, any data that has already passed its retention date is purged again promptly rather than quietly coming back to life.
“We Use A Well-Known Cloud Tool - Are We Covered?”
Compliance isn’t automatic. You still need appropriate legal documents, a lawful basis, and correctly configured settings. If you’re unsure about your stack, review whether each tool is actually being used in a way that complies with UK GDPR - the same questions that come up in discussions about whether popular cloud platforms are GDPR compliant.
“Do We Need To Register With The ICO?”
Most businesses need to pay a data protection fee to the ICO unless exempt. It’s simple and low-cost, but skipping it can lead to fines. Read up on ICO fee exemptions to check your position.
“How Do Retention Rules Interact With Cookies And Marketing?”
Make sure your marketing permissions, suppression lists and cookie settings match your policy and your disclosures. Your consent wording and Cookie Policy should explain how long tracking technologies persist and how users can manage them.
Key Takeaways
- UK GDPR’s storage limitation principle means you should keep personal data only for as long as necessary for your defined purpose or legal obligations - not indefinitely.
- Set retention periods by category: customers, marketing, HR, finance, CCTV and system logs will almost certainly differ. Document your reasoning in a clear schedule.
- Build and maintain a practical data retention policy alongside your Privacy Policy, and align your systems and vendors to enforce it automatically.
- Delete or anonymise data when the retention period ends, and ensure processors do the same. Contracts like a Data Processing Agreement or Data Sharing Agreement should include retention and deletion terms.
- Be ready for requests - robust retention practices reduce the effort to respond to SARs and erasure requests. Revisit your processes around SAR deadlines and when GDPR allows data deletion.
- Don’t forget special cases and minimum periods (e.g. HMRC or employment records). Use structured schedules, like those applied to ex-employee records, to stay consistent.
If you’d like help setting defensible retention periods, drafting a policy, or aligning your vendor contracts, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.