Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably collect more personal data than you realise - customer emails, staff HR files, CCTV footage, supplier contact details, marketing lists, and even support tickets.
At some point, you’ll hit the tricky question many business owners Google: how long should you retain personal information?
UK GDPR doesn’t give a single “keep it for X years” answer. Instead, it expects you to make a sensible, documented decision based on why you collected the information, what you still need it for, and what legal obligations apply.
Below, we’ll break down the practical rules, typical retention considerations, and an easy framework you can apply across your business - without drowning in legal jargon.
What Does UK GDPR Actually Say About Data Retention?
In the UK, data protection is governed primarily by:
- the UK GDPR (the UK version of the EU GDPR), and
- the Data Protection Act 2018.
UK GDPR doesn’t set fixed retention timeframes for most categories of personal information. Instead, it sets a principle you must follow: storage limitation.
That principle means you should:
- keep personal data only for as long as you need it for the purpose you collected it, and
- not keep it “just in case” if there’s no clear, justifiable reason.
Importantly, “as long as you need it” is not just a gut feel. UK GDPR expects you to be able to explain (and ideally document) your retention decisions.
Why Retention Matters (Beyond “Because GDPR”)
Holding onto data for too long can create real business risk, including:
- higher breach exposure (more data = more damage if there’s a security incident)
- more work responding to subject access requests (because you’ve kept years of unnecessary records)
- compliance issues if the ICO investigates and you can’t justify your retention practices
- customer trust problems if people feel you’re holding their data indefinitely
On the flip side, deleting data too early can also hurt you - for example, if you need records to defend a legal claim or meet recordkeeping requirements.
So, How Long Should You Retain Personal Information?
The honest answer is that it depends: how long personal information should be retained is determined by the purpose you collected it for, the legal obligations that apply to it, and your risk profile.
To make this practical, here are the main “buckets” most UK small businesses fall into.
1) Data You Need To Perform Or Manage A Contract
If you’ve collected personal data to provide your services or deliver products (for example, customer contact details for deliveries or account management), you’ll typically keep it:
- for as long as the contract is active, and then
- for an additional period to deal with refunds, disputes, chargebacks, complaints, and legal claims.
Many businesses choose to retain core contract/order records for a period that reflects their legal and commercial risk. In practice, this is often up to 6 years after the relationship ends in England and Wales (for example, to align with common limitation periods for contract claims) - but the right timeframe depends on your circumstances, what the records are, and which UK jurisdiction applies.
If you sell online, this should also align with what you tell customers in your Privacy Policy - you don’t want your legal documents saying one thing while your systems do another.
2) Data You Must Keep Because Of A Legal Obligation
Some records aren’t optional. You may need to retain certain data because other laws require it (even if the customer or employee would prefer you didn’t).
Common examples include:
- tax and accounting records (often several years, depending on the record type and your situation - check current HMRC guidance or get tax advice)
- employment and payroll records
- health and safety records (where relevant)
The key GDPR point is that you should keep what you need to comply - but still avoid keeping more than necessary. For instance, you might need to keep payroll totals and statutory records, but not every informal email thread about an employee’s rota forever.
3) Marketing Lists (Enquiries, Leads, Mailing Lists)
Marketing databases are a retention trap because they grow quietly over time.
A sensible approach is to use a rolling retention period, such as keeping marketing contacts until:
- they unsubscribe or object, or
- they have been inactive for a defined period (for example, around 12–24 months) and you have no other lawful reason to keep their details.
The right “inactive” window will depend on your business model, sales cycle, and what you’ve told people in your privacy information.
If you use cookies or similar tracking tools on your website, your retention and deletion practices should line up with what you disclose in your Cookie Policy.
4) HR Records And Employee Data
Employee data is often more sensitive and higher risk - and it tends to sit across multiple systems (HR software, email, shared drives, payroll, performance docs).
As a general guide, you may need different retention periods for different categories of HR information, such as:
- recruitment records (for unsuccessful applicants)
- right to work checks
- contracts and key terms
- disciplinary and performance records
- sickness and medical-related records (handle carefully as “special category data”)
Your HR documents should work together - for example, your Employment Contract and Staff Handbook should support (not undermine) the rules you’re applying in practice.
5) CCTV, Audio Recordings, And Security Logs
If you operate CCTV or store access logs, retention should be short and purpose-led. Many businesses set a standard retention window (often measured in days or weeks), and then retain footage longer only if it’s required for a specific incident. What’s appropriate will depend on your premises, incident patterns, and the purpose you’ve identified.
Ask yourself:
- Why are we recording (security, safety, theft prevention)?
- How often do we actually need older footage?
- Who can access it, and how is it protected?
Even if your intentions are good, indefinite retention is hard to justify under UK GDPR.
How To Set A GDPR-Compliant Retention Period (A Simple Framework)
If you want a clear process you can apply across your business, use this step-by-step framework. It’s also helpful if you ever need to show your working to the ICO.
Step 1: Identify The Purpose (And Don’t Be Vague)
Write down the reason you collected the data in the first place. Be specific.
- “To manage customer accounts” is better than “admin”.
- “To deliver goods and handle returns” is better than “sales”.
If the purpose has ended, that’s usually your cue to delete, anonymise, or archive (with strict access controls) - unless another purpose applies.
Step 2: Confirm Your Lawful Basis (And Check If It Still Applies)
Under UK GDPR, you generally need a lawful basis to collect and use personal data (for example, contract, legal obligation, legitimate interests, consent).
Retention should link back to that lawful basis. For example:
- If your basis is contract, once the contract is completed, you’ll usually only retain for post-contract administration and claims management.
- If your basis is legal obligation, retain for as long as that law requires (no longer).
- If your basis is consent for marketing and that consent is withdrawn, you should stop using the data for that purpose - and often delete it, unless another lawful basis applies.
If you’re working with suppliers or software providers who handle data for you (like email marketing platforms, CRMs, payroll providers), make sure your Data Processing Agreement addresses retention, deletion, and return of personal data at the end of the service.
Step 3: Consider Relevant Laws, Claims, And Industry Requirements
This is where the “how long should you retain personal information?” question becomes a risk-based decision.
Think about:
- Limitation periods (how long someone could bring a claim)
- Regulatory requirements in your sector (for example, certain finance/health related recordkeeping rules)
- Insurance requirements (some policies expect you to keep records)
- Warranty periods and product liability risk
If you’re not sure what applies, it’s worth getting tailored advice - retention is one of those areas where a “standard template” approach can create gaps.
Step 4: Set A Retention Schedule (And Make It Realistic)
A retention schedule is simply a document that says:
- what category of data you hold
- where it’s stored
- why you hold it
- how long you keep it
- how you delete or anonymise it
Don’t overcomplicate it. A simple spreadsheet is a great start for most small businesses.
The most important thing is that your schedule matches what your team actually does day-to-day.
Step 5: Build Deletion Into Your Processes (So It’s Not Forgotten)
Retention fails when businesses rely on memory. You’ll get better compliance by building deletion into your systems, for example:
- calendar reminders to review folders quarterly
- auto-deletion settings in software platforms (where available)
- archiving rules to restrict access after a project ends
- offboarding checklists to close accounts and manage mailbox retention
Also make sure staff understand what they can’t do - like downloading customer lists onto personal devices “for convenience”. A clear Acceptable Use Policy can help set those boundaries.
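The five steps above describe a process rather than code, but Step 4's schedule and Step 5's "build deletion in" can be expressed directly. The following is an added example, not code from the Sprintlaw article: a small Python retention-schedule evaluator in which the schedule is data (the columns Step 4 lists) and the review is a function that can be run on a timer or calendar job. The categories, retention periods, identifier field names and sample records are constructed assumptions for illustration only, not recommended periods; set real periods from your own Step 1-3 analysis. The `anonymise` helper strips every identifier field, not just the name, since an order number or device ID on its own can still single a person out.

```python
# Added example (not from the article): a small retention-schedule evaluator.
# Categories, retention periods and records below are constructed for
# illustration and are assumptions, not legal advice. Set real periods from
# your own Step 1-3 analysis.
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ScheduleEntry:
    """One row of the Step 4 schedule: category, location, purpose, period, disposal."""
    category: str
    location: str
    purpose: str
    trigger: str            # the event the retention clock starts from
    retain_for: timedelta   # how long to keep after that event
    action: str             # "delete" or "anonymise" once the period expires


# Constructed schedule (assumed periods, illustrative only).
SCHEDULE = {
    "order_record": ScheduleEntry(
        "order_record", "shop database", "perform the contract and defend claims",
        "contract_end", timedelta(days=6 * 365), "delete"),
    "marketing_contact": ScheduleEntry(
        "marketing_contact", "email platform", "send marketing we have consent for",
        "last_activity", timedelta(days=548), "delete"),          # ~18 months inactive
    "cctv": ScheduleEntry(
        "cctv", "NVR on premises", "security of premises",
        "recorded", timedelta(days=30), "delete"),
    "web_analytics": ScheduleEntry(
        "web_analytics", "analytics export", "aggregate site statistics",
        "collected", timedelta(days=90), "anonymise"),
}

# Fields that identify a person (assumed list). "Removing the name" is not
# enough: device IDs, order numbers and addresses can still single someone out.
IDENTIFIER_FIELDS = {"name", "email", "address", "device_id", "order_number"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]   # None: clock not started (e.g. contract still live)
    withdrawn: bool = False        # consent withdrawn / unsubscribed / objected
    data: dict = field(default_factory=dict)


def anonymise(data: dict) -> dict:
    """Strip every direct identifier, keeping only non-identifying fields."""
    return {k: v for k, v in data.items() if k not in IDENTIFIER_FIELDS}


def due_action(record: Record, today: date, schedule=SCHEDULE) -> str:
    """Decide 'delete', 'anonymise' or 'retain' for one record as of `today`."""
    entry = schedule[record.category]
    # Step 2: if the lawful basis was consent and it has been withdrawn, stop
    # using the data for that purpose now, regardless of the schedule.
    if record.withdrawn and entry.category == "marketing_contact":
        return "delete"
    if record.trigger_date is None:
        return "retain"
    if today >= record.trigger_date + entry.retain_for:
        return entry.action
    return "retain"


def run_review(records, today: date, schedule=SCHEDULE):
    """Apply the schedule to all records. Returns (kept_records, audit_log).

    The log records each decision and the purpose it rests on, so the
    reasoning can be shown later if you are asked to justify it."""
    kept, log = [], []
    for rec in records:
        action = due_action(rec, today, schedule)
        purpose = schedule[rec.category].purpose
        if action == "delete":
            log.append((rec.record_id, "deleted", purpose))
        elif action == "anonymise":
            kept.append(replace(rec, data=anonymise(rec.data)))
            log.append((rec.record_id, "anonymised", purpose))
        else:
            kept.append(rec)
            log.append((rec.record_id, "retained", purpose))
    return kept, log


# Constructed sample data for a review run on 1 June 2025.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("ord-1", "order_record", date(2018, 1, 10), data={"name": "A. Customer", "order_number": "1001"}),
    Record("ord-2", "order_record", None, data={"name": "B. Customer"}),           # contract still active
    Record("mk-1", "marketing_contact", date(2024, 12, 1), withdrawn=True, data={"email": "c@example.com"}),
    Record("mk-2", "marketing_contact", date(2025, 1, 15), data={"email": "d@example.com"}),
    Record("cctv-1", "cctv", date(2025, 4, 1), data={"clip": "front-door.mp4"}),
    Record("an-1", "web_analytics", date(2025, 1, 1), data={"device_id": "dev-42", "page": "/checkout"}),
]

if __name__ == "__main__":
    kept, log = run_review(SAMPLE_RECORDS, TODAY)
    for entry in log:
        print(entry)
    print("kept:", [r.record_id for r in kept])
```

Running the script on the sample data deletes the expired order record, the unsubscribed marketing contact and the month-old CCTV clip, keeps the live contract and the recently active contact, and replaces the analytics row with a version that has no device ID. The audit log is the part worth keeping: it is the evidence that each disposal followed a documented purpose and period rather than memory.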
What Counts As “Deleting” Personal Data (And What About Backups)?
Deletion isn’t always as simple as pressing a button.
From a UK GDPR perspective, you should think about:
Deleting vs Anonymising
- Deleting means the personal data is removed and can’t be reconstructed.
- Anonymising means data is changed so individuals can’t be identified anymore (this can be useful for analytics).
Be careful with “we removed the name” approaches. If you still hold order numbers, addresses, device IDs, or other identifiers, it may still be personal data.
Backups And Archived Systems
Backups are a common sticking point. You might not be able to delete a single customer record from a historical backup file without compromising the integrity of the backup.
That doesn’t automatically mean you’re non-compliant, but you should:
- keep backups secure and access-restricted
- set a reasonable backup retention period
- make sure backup data isn’t routinely “put back into live use”
- document your approach in case you’re asked
If something goes wrong and personal data is exposed, having a plan helps you act quickly and reduce risk. A Data Breach Response Plan is a practical way to set responsibilities and timelines before there’s pressure.
Common Retention Mistakes Small Businesses Make (And How To Avoid Them)
Retention is one of those compliance areas where businesses rarely get it 100% right from day one - but you can avoid the biggest traps with a bit of structure.
Keeping Everything “Just In Case”
This is the most common issue. If you can’t articulate a reason for keeping data, you’re taking on risk without benefit.
A better approach is: keep what you need for clear purposes (tax, contract, disputes), then delete or anonymise the rest.
Having A Policy But Not Following It
It’s great to have a privacy policy and internal retention schedule, but it needs to match reality.
If your systems keep customer accounts indefinitely, but your policy says you delete after 2 years, that gap can create compliance problems.
Not Separating “Operational” Data From “Marketing” Data
Customer data you need to fulfil orders is different from marketing data. You might need to retain order invoices for years, but that doesn’t mean you should keep sending marketing emails forever.
Segment your databases and set different retention logic for each category.
Forgetting About Old Tools And Shared Drives
Even if you delete from your CRM, the same personal data might still exist in:
- old Mailchimp exports (or other email tools)
- spreadsheets in Google Drive / OneDrive
- staff inboxes
- closed social media DMs
- support platforms
A practical fix is to do a simple “where is our data?” mapping exercise once or twice a year.
Key Takeaways
- Under UK GDPR, how long you should retain personal information depends on the purpose you collected it for, and you should not keep it longer than necessary.
- The key GDPR principle is storage limitation - keep data only as long as you need it, then delete or anonymise it.
- Common retention drivers include contracts, legal obligations (like tax and employment recordkeeping), and limitation periods for claims.
- A simple retention schedule (even a spreadsheet) helps you stay consistent and prove your reasoning if you’re challenged.
- Retention has to work in real life - build deletion into your processes, systems, and staff training so it doesn’t get forgotten.
- Make sure your external documents (like your Privacy Policy and Cookie Policy) align with what your business actually does.
If you’d like help setting up practical data retention rules, updating your Privacy Policy, or making sure your contracts and internal policies support GDPR compliance, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.