Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Counts as “Out of Date” Personal Data?
- Why Does Data Accuracy and Age Matter?
- How Often Should You Review Personal Data for Accuracy?
- Key Principles Under the UK GDPR and the Data Protection Act 2018
- When Does Personal Data Become “Out of Date”?
- How Long Should You Keep Personal Data?
- What Steps Should UK SMEs Take To Keep Data Up To Date?
- Are There Any Exceptions or Special Cases?
- What Happens If You Keep Out-Of-Date Data?
- What About Subject Access Requests and Data Correction?
- Best Practices for Keeping Your Personal Data Up to Date
- Key Takeaways
If you store any information about your customers, staff, or suppliers (names, addresses, contact details, and beyond), you’re holding “personal data” under UK law. Maybe you’ve wondered: at what point does this data become “out of date”? Knowing when personal data is no longer current isn’t just about good record keeping. It’s a legal requirement, with serious consequences if you get it wrong.
Many small business owners hear about data protection laws like the UK GDPR and the Data Protection Act 2018, but it can be confusing to know exactly how long you should hang onto personal information and when it’s considered too old to be useful, or compliant. If you’re not sure, you’re not alone. The good news? Understanding how old personal data has to be before it’s considered “out of date” is surprisingly manageable once you break it down.
In this guide, we’ll walk you through what it means for data to be “out of date” under UK law, why it matters, and practical steps you can take to stay compliant. We’ll also answer some of the top questions UK businesses have and point you toward resources for keeping your data practices on the right side of the law.
What Counts as “Out of Date” Personal Data?
First, let’s clear up a common misconception: UK law doesn’t give a hard-and-fast rule about exactly how old personal data has to be before it’s out of date. Instead, the focus is on accuracy and relevance. Under the UK General Data Protection Regulation (UK GDPR), the accuracy principle in Article 5(1)(d) requires that personal data be:
- “Accurate and, where necessary, kept up to date”
- Erased or rectified “without delay” where it is found to be inaccurate, having regard to the purposes for which it is processed
So, “out of date” means data that’s inaccurate (for instance, an old address for someone who’s moved), or information you no longer need for the purpose you collected it. There’s no automatic expiry date set in months or years. Instead, you need to actively review and update the personal information you hold, ensuring it remains accurate and necessary for your business. Note the words “where necessary”: a record of a past event (such as an old invoice address) is not inaccurate simply because the person has since moved, provided it is clear that it records the position at that time.
Why Does Data Accuracy and Age Matter?
Keeping personal data accurate and up to date isn’t just common sense, it’s a legal obligation. If you send correspondence to the wrong address, act on old employment records, or make decisions using outdated info, you could easily land in hot water. Potential risks include:
- Complaints from customers, staff, or regulators
- Reputational damage
- ICO investigations and possible fines
- Lost trust from your clients or workforce
The Information Commissioner’s Office (ICO) can and does take enforcement action against businesses that let personal data become inaccurate, irrelevant, or excessive by holding onto it for too long. Building a robust data protection culture, and having a clear data protection policy, goes a long way to keeping your business safe.
How Often Should You Review Personal Data for Accuracy?
Because there’s no specific time limit under UK GDPR for when data becomes “out of date,” businesses need to rely on a risk-based approach. In practice, the ICO expects you to review and update personal data at regular intervals, and to be able to show why the interval you chose is reasonable. The exact frequency will depend on:
- Type of data - Is it likely to change often (like employment details), or stay the same (like a National Insurance number)?
- Purpose of processing - How important is up-to-date information for what you’re doing with it?
- Risk to individuals - Will outdated data cause harm or disadvantage if used?
Some businesses set review periods in their data retention policy, for example checking customer addresses once a year, or updating employee records at the end of each contract or annual review. For highly sensitive data or records that drive decisions about people, reviews might be much more frequent.
Key Principles Under the UK GDPR and the Data Protection Act 2018
The UK GDPR and Data Protection Act 2018 set out several main principles that all business owners should follow when handling personal data. For this topic, the crucial principles are:
- Accuracy (Article 5(1)(d)): You must take “every reasonable step” to ensure that personal data is accurate and, where necessary, kept up to date.
- Storage limitation (Article 5(1)(e)): You should only keep data in a form that identifies people for as long as you need it for the purpose it was collected for.
- Right to rectification (Article 16): If someone contacts you to say their data is wrong or incomplete, you need to correct or complete it “without undue delay.”
In short, you’re expected to have proactive processes to keep data current, and to respond quickly to any corrections.
When Does Personal Data Become “Out of Date”?
Let’s make this practical. Personal data is likely to be considered “out of date” when:
- The information is no longer accurate (e.g. a client moves house and you’re still using their old address).
- The individual’s circumstances change (for example, an employee leaves but your systems still show them as a current member of staff, or a customer changes their name and you keep using the old one).
- The purpose for holding the data no longer exists (you keep customer details years after all business has finished, or ex-employee records for decades after they leave, with no legal requirement to retain them).
- Your data retention policy is breached (your own policy might set a specific review or deletion period, and if you exceed that, the data is “out of date” in your context).
Essentially, as soon as the data is no longer relevant, correct, or needed, it should be updated or securely deleted. There is no set number of days; what matters is whether using that data could mislead, harm, or result in unfair outcomes for the individual involved.
How Long Should You Keep Personal Data?
Again, there’s no blanket answer, but the key is “for as long as is necessary” for the original purpose, plus any period required by another law. For example:
- Companies must keep accounting records for 6 years from the end of the financial year they relate to, and HMRC sets its own minimum periods for tax records (PAYE records, for instance, have a shorter statutory minimum than general accounting records, so check the specific rule for each record type)
- Certain health and safety records have statutory retention periods
- Most other data should be deleted or anonymised once there’s no reasonable justification to keep it
For sensitive data, the trend is towards the shortest possible retention. For general contact info or newsletter lists, it's good practice to review and cleanse data at least annually.
You can read more about drafting a compliant data retention policy here.
What Steps Should UK SMEs Take To Keep Data Up To Date?
Don’t worry: keeping data accurate (and not letting it get too old) isn't rocket science. Here are some practical steps you can take:
- Have a written data retention policy: Set review and deletion periods, and stick to them.
- Regularly review your records: Build in periodic checks (monthly, quarterly, annually) depending on the type of data.
- Promptly update data: Train your team to update or correct personal info as soon as they’re notified of any change.
- Delete what you no longer need: Don’t keep personal data “just in case” you need it in future. Delete or anonymise it when its purpose is finished.
- Make it easy for people to update their info: Use online portals, email reminders, or annual re-verification to gather updated details.
- Keep a record of deletions and updates: This helps show you comply with the “data minimisation” and “storage limitation” principles, and with the accountability principle, which requires you to be able to demonstrate compliance.
For more detail on compliance steps, check out our full guide to building a privacy culture under UK GDPR.
Are There Any Exceptions or Special Cases?
There are some situations where you may need to keep data longer, or where the rules are stricter:
- Statutory requirements: Some laws set minimum retention periods, such as tax or health and safety records.
- Legal disputes or claims: You may be justified in holding onto records for longer where legal action is reasonably anticipated or already under way, as you may need them to establish, exercise or defend a claim.
- Anonymised data: If you anonymise data so it can no longer identify an individual, it is no longer personal data and you can keep it indefinitely. The caveat is that the anonymisation must be effective: data that could be re-identified by combining it with other information you hold (or could reasonably obtain) is still personal data.
Always check what applies to your industry, and chat with a GDPR specialist to be sure.
What Happens If You Keep Out-Of-Date Data?
Ignoring data age and not updating records is risky. The risks include:
- ICO enforcement action - The regulator can issue an enforcement notice ordering you to delete or update data, and can impose a monetary penalty for a serious infringement (under UK GDPR, up to £17.5 million or 4% of annual worldwide turnover, whichever is higher).
- Legal claims by individuals - If someone suffers material or non-material damage because you used old or inaccurate data, they can claim compensation from you.
- Reputational damage and loss of trust - Customers, clients and workers expect you to handle their data properly.
ICO enforcement has included penalties against organisations that failed to act on corrections they had been told about, and against organisations that kept emailing people who had opted out of marketing (which also engages the separate electronic marketing rules in PECR, enforced by the ICO). Staying on top of your data accuracy and deletion schedule is much simpler (and cheaper) than dealing with a complaint.
For more information on completing a data deletion in line with GDPR requirements, read our in-depth article on data deletion requests.
What About Subject Access Requests and Data Correction?
Under UK GDPR, individuals have two related rights here. A subject access request (SAR) is a request to see what personal data you hold about them (the right of access, Article 15); a rectification request (Article 16) asks you to correct inaccurate or incomplete data. People often make both at once, because the SAR reveals what needs correcting. If you get either request, you need to:
- Respond without undue delay, and in any case within one month of receipt (this can be extended by up to two further months for complex or numerous requests, but you must tell the individual within the first month if you are extending)
- For a rectification request, correct or complete the data if it is in fact inaccurate or incomplete; if you disagree that it is inaccurate, you should restrict processing of the disputed data while you verify it and tell the individual they can complain to the ICO
- Tell the individual what you have done, and pass any rectification or erasure on to anyone you have shared the data with (such as suppliers or processors), unless this proves impossible or involves disproportionate effort
Having efficient processes in place makes handling SARs and corrections straightforward and helps prove you’re taking your data obligations seriously. If you need advice, our guide to subject access requests has you covered.
Best Practices for Keeping Your Personal Data Up to Date
- Set regular review schedules according to data type and risk, and make this part of your team’s routine.
- Document all updates, deletions, and rectifications so you can evidence compliance if questioned.
- Empower people to check and amend their own details where possible (online dashboards, links in customer portals, etc).
- Ensure all new team members are trained in your data retention and update policy.
- Review and update your Privacy Policy regularly to reflect your practices.
If you’re ever unsure about how to apply these rules in your specific business context, a chat with a data privacy lawyer is a wise move.
Key Takeaways
- There is no exact “age” when personal data becomes out of date under UK law. What matters is whether it’s still accurate, relevant, and necessary for your purposes.
- You must regularly review and update personal data, and securely delete it if it’s no longer needed.
- Failing to keep data up to date can lead to complaints, ICO enforcement, reputational harm, and even fines.
- Create a written data retention policy, review your records frequently, and train your staff to update and delete information as needed.
- If you receive a subject access request or a rectification request, respond within one month and update your records accordingly.
If you want help putting together a robust privacy policy, creating a data retention schedule, or need practical guidance on UK GDPR compliance, Sprintlaw is here to help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.