Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Data Retention, and Why Does It Matter?
- What Are the Key UK Laws Governing Data Retention?
- What Should a Data Retention Policy Include?
- How Long Should You Keep Different Types of Data?
- What About Special Categories or Sensitive Data?
- How Often Should You Review Your Data Retention Policy?
- What Are the Consequences of Not Having a Data Retention Policy?
- How Does a Data Retention Policy Fit Into My Broader Data Protection Obligations?
- Key Takeaways
When you’re growing a UK business, you’ll quickly realise how much data you can accumulate: about your customers, your employees, your suppliers, and even the intricacies of your day-to-day operations. But holding onto data indefinitely isn’t just bad practice; it can actually land you in legal trouble.
If you’re not sure how long to keep personal data, whether you can delete it, or what the risks are of “just keeping everything,” you’re not alone. Every UK organisation that handles personal data is required by law to have clear, compliant rules around data retention.
Building a solid data retention policy doesn’t need to be daunting. In this guide, we’ll break down what the law requires, why a policy matters, and the practical steps to put a strong, legally compliant policy in place to protect both your business and your customers.
Ready to avoid regulatory headaches and build trust into your data practices from the start? Keep reading for a clear, actionable approach.
What Is Data Retention, and Why Does It Matter?
In a nutshell, data retention is about how long your business keeps different types of information, and what you do with it when you no longer need it.
This covers everything from:
- Customer contact details
- Employee records
- Sales, contracts, and transaction histories
- Email logs, marketing communications, and much more
It matters because holding onto data for too long, or not long enough, can breach UK laws, put people’s privacy at risk, and expose your business to regulatory penalties or even legal action.
Having a clear, written data retention policy helps your business:
- Meet your legal duties under the UK GDPR and Data Protection Act 2018
- Minimise risks of data breaches and avoid unnecessary storage costs
- Earn customer trust by showing you take privacy seriously
- Stay organised and make smarter data management decisions
Without a structured approach, you could be storing data that should’ve been erased years ago, opening your business to unnecessary risk.
What Are the Key UK Laws Governing Data Retention?
The two core laws every UK business must follow are:
- UK General Data Protection Regulation (UK GDPR): This sets out the main rules for how businesses process, store, and delete personal data.
- Data Protection Act 2018: This UK law supplements the GDPR and gives the Information Commissioner’s Office (ICO) power to enforce the rules.
Under these laws, you must:
- Collect no more personal data than you need
- Keep it accurate and up to date
- Only keep it as long as necessary for the reason you collected it
- Delete or anonymise it when you no longer need it
This set of requirements is known as the “storage limitation” principle. You need clear data retention rules that show how (and why) your business holds onto personal information. If you can’t justify why something is still in your records, you’re expected to delete or anonymise it.
Failing to stick to these rules can result in substantial ICO fines, legal claims from data subjects, and lasting reputational damage, especially if you experience a data breach.
What Should a Data Retention Policy Include?
Your data retention policy doesn’t have to be a legal tome, but it should clearly set out the who, what, where, why and for how long for each type of data your business processes. To be compliant, your policy should cover at least:
- What personal information you collect (e.g. customer names, payment details, staff HR files)
- Why you collect each type of data (your legal/business purpose, e.g. payroll, order fulfilment, marketing)
- How long you keep each type of data (known as retention periods; these can vary by data type)
- What happens when the retention period ends (e.g. secure deletion, anonymisation, or archiving methods)
- Who is responsible for managing retention and destruction in your business
- How you review and update your policy (including any triggers for a policy review, such as new regulations or changes to your business)
It’s important to tailor your policy to the actual data and processes you use. Avoid generic copy-paste templates: these rarely provide the coverage or protection your business needs, and may not be sufficient if the ICO comes calling.
How Long Should You Keep Different Types of Data?
The golden rule: Only for as long as you have a legal or business need. There’s no single “magic number” for all types of data, but there are typical retention periods based on law and best practice:
- Employee records: Retain for six years after employment ends (to cover tribunal/claims periods)
- Payroll information: Retain for at least three years after the end of the tax year (per HMRC requirements)
- Customer contracts: Usually six years after contract end (to cover breach of contract claims)
- Marketing lists: As long as the individual remains subscribed and interested, and you have a lawful basis
- CCTV footage: Typically 30 days unless you have a strong reason to keep it longer (e.g. for an active investigation)
- Financial, VAT, and company accounts: Six years from the end of the last company financial year
Some rules are set by law (such as HMRC or Companies House requirements), while others may depend on your business sector or industry standards.
For a deeper dive, see our guide on GDPR data retention period guidance for small businesses.
How Do I Start Creating a Data Retention Policy?
Building a policy from scratch can seem overwhelming, but if you break it down into steps, the process becomes much simpler. Here’s how:
1. Audit the Data You Have
Start with a data inventory. Map what personal data you hold and where it is stored, for example payroll data in HR systems, customer lists in marketing platforms, physical files in storage.
2. Identify Your Legal and Business Reasons
For each type of data, write down your purpose and legal justification for holding it. This could be to fulfil a contract, meet legal obligations, or (if you have explicit consent) to send marketing emails.
3. Set Appropriate Retention Periods
Look up statutory minimums (for example, employment and tax records often have minimum retention periods under UK law). Set clear maximum retention periods for anything else; remember, “forever” is not compliant unless you can legally justify it!
4. Arrange Secure Disposal or Anonymisation
Decide how you’ll securely erase, destroy, or (where needed) anonymise data once the retention period ends. This can mean shredding paper files, securely deleting digital records, or removing identifiers from datasets.
5. Document Your Approach
Put all of this in writing, including who is responsible for carrying out these steps. Ideally, incorporate this into your wider data protection policy and staff handbook if you have one.
6. Provide Staff Training
Make sure staff understand their roles in keeping data only as long as necessary, keeping it secure, and reporting issues. If you’re unsure where to start, professional advice and staff training can be invaluable.
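The six steps above and the typical retention periods listed earlier (employee records, payroll, contracts, CCTV, company accounts, marketing lists) can be turned into a small review script that takes the step 1 inventory and produces the step 4 disposal list. This is an added example for illustration, not code from the article or from Sprintlaw; the retention periods follow the article, while the category names, the end-of-period action chosen for each category (secure delete versus anonymise), the legal-hold flag, the review date and the sample records are all assumptions constructed for the demo. It also models the UK tax year ending on 5 April so that “three years after the end of the tax year” is computed from the pay date rather than guessed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Optional, Tuple


def add_years(d: date, n: int) -> date:
    """Add n calendar years; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def end_of_uk_tax_year(d: date) -> date:
    """The UK tax year ends on 5 April; return the tax-year end on or after d."""
    candidate = date(d.year, 4, 5)
    return candidate if d <= candidate else date(d.year + 1, 4, 5)


@dataclass(frozen=True)
class Rule:
    basis: str                                 # the period as stated in the policy
    expiry: Optional[Callable[[date], date]]   # anchor date -> expiry date; None = event-driven
    end_action: str                            # what happens when the period ends (assumed here)


# Retention periods follow the article; the end-of-period actions are assumptions for the demo.
SCHEDULE: Dict[str, Rule] = {
    "employee_record":   Rule("6 years after employment ends",   lambda d: add_years(d, 6), "secure delete"),
    "payroll":           Rule("3 years after end of tax year",   lambda d: add_years(end_of_uk_tax_year(d), 3), "secure delete"),
    "customer_contract": Rule("6 years after contract end",      lambda d: add_years(d, 6), "anonymise"),
    "cctv":              Rule("30 days after capture",           lambda d: d + timedelta(days=30), "secure delete"),
    "company_accounts":  Rule("6 years from financial year end", lambda d: add_years(d, 6), "secure delete"),
    "marketing_list":    Rule("while subscribed with lawful basis", None, "secure delete"),
}


@dataclass(frozen=True)
class Record:
    ref: str
    category: str
    anchor: date               # employment end, pay date, contract end, capture date, FY end, or sign-up date
    legal_hold: bool = False   # e.g. footage needed for an active investigation, or pending litigation
    subscribed: bool = True    # only meaningful for marketing_list


def decide(record: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one record under the schedule."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        # Storage limitation: data with no documented purpose and period must not just sit there.
        raise ValueError(f"{record.ref}: no retention rule for category {record.category!r}")
    if record.legal_hold:
        return ("retain", "legal hold overrides the schedule")
    if rule.expiry is None:                    # event-driven retention (marketing lists)
        if record.subscribed:
            return ("retain", rule.basis)
        return (rule.end_action, "trigger event: unsubscribed")
    expiry = rule.expiry(record.anchor)
    if today >= expiry:
        return (rule.end_action, f"period ended {expiry.isoformat()} ({rule.basis})")
    return ("retain", f"until {expiry.isoformat()} ({rule.basis})")


def review(records, today: date) -> Dict[str, Tuple[str, str]]:
    """Turn the step 1 inventory into the step 4 disposal list: one decision per record."""
    return {r.ref: decide(r, today) for r in records}


# Constructed sample inventory and review date (not real data).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("HR-001", "employee_record", date(2017, 3, 31)),
    Record("HR-002", "employee_record", date(2020, 1, 15)),
    Record("PAY-001", "payroll", date(2020, 2, 10)),
    Record("PAY-002", "payroll", date(2021, 5, 1)),
    Record("CON-001", "customer_contract", date(2018, 5, 31)),
    Record("CCTV-001", "cctv", date(2024, 5, 20)),
    Record("CCTV-002", "cctv", date(2024, 4, 15), legal_hold=True),
    Record("ACC-001", "company_accounts", date(2017, 12, 31)),
    Record("MKT-001", "marketing_list", date(2022, 9, 1)),
    Record("MKT-002", "marketing_list", date(2022, 9, 1), subscribed=False),
]

if __name__ == "__main__":
    for ref, (action, reason) in review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{ref:9} {action:14} {reason}")
```

Two design points carry the weight of the policy: a record whose category has no rule is an error rather than a silent “retain”, because an undocumented retention period is exactly what the storage limitation principle forbids; and a legal hold is checked before any date arithmetic, so an active investigation or claim keeps data past its scheduled end without the schedule itself being edited.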
What About Special Categories or Sensitive Data?
Certain types of data, like medical information, ethnicity, or details about criminal convictions, require even stricter controls, with shorter retention periods or more careful risk assessments.
If your business processes special category data, your policy must explain the additional safeguards you have in place, and you’ll want to document both the lawful basis and the shorter retention schedules rigorously.
How Often Should You Review Your Data Retention Policy?
Your data retention policy should never be a “set and forget” document. Laws, technology, and your business needs change, so make regular reviews part of your compliance culture. Aim to review your policy at least annually, and always after:
- New data laws or ICO guidance that affect your obligations
- Changes to your data processing (e.g. new software, new products or services)
- Security incidents or near-misses (these could reveal gaps in your disposal process)
Each review is a chance not just to stay compliant, but often to streamline processes and reduce unnecessary data storage, saving you both money and risk.
For help building a company-wide compliance culture, see our guidance on why GDPR matters for your business. If you need to update your actual contracts or policies, consider getting assistance; compliance is a moving target, not a one-off tick box.
What Are the Consequences of Not Having a Data Retention Policy?
Neglecting data retention can come back to bite you in several ways. Here’s what can go wrong:
- Regulatory Fines & Audits: The ICO takes non-compliance seriously, issuing substantial fines for data breaches or poor data management.
- Legal Claims: If an individual’s data is held longer than justified, or improperly deleted, they may pursue legal action.
- Reputational Damage: News of poor data practices or data loss leads to loss of trust with customers, partners, and the public.
- Increased Data Breach Risk: More data retained for longer means more to lose if your business is targeted by cybercriminals.
The bottom line: being proactive with your data retention approach isn’t just a legal requirement; it’s one of the best ways to build trust and resilience in your business.
How Does a Data Retention Policy Fit Into My Broader Data Protection Obligations?
Your data retention policy is just one piece of the larger puzzle. It works hand-in-hand with:
- Having a clear cookie policy if you run a website
- Publishing a comprehensive privacy policy that explains what data you collect and how you use it
- Providing information to staff and customers about their rights to access data and have it erased (“right to be forgotten”)
- Limiting data access internally and taking robust security measures
Integrated, strong data handling policies give you a powerful set of tools to meet ICO expectations and demonstrate accountability if you’re ever audited or challenged on your privacy practices.
Key Takeaways
- UK law requires all businesses to have clear, written rules around data retention; don’t risk keeping (or deleting) information without good reason.
- Every type of data, from employee records to customer emails, has different retention needs. Set clear policies based on both legal minimums and business requirements.
- Your policy should include what data you collect, why, how long you keep it, and what happens when the period ends. Avoid generic templates; tailor the policy to your business.
- Special categories of data require extra care and often shorter retention periods; review your obligations regularly.
- Regularly audit, review, and update your data retention policy to stay compliant with changing laws and business needs.
- Integrate your policy alongside your wider privacy efforts for a complete compliance package, and get expert help if you’re unsure.
If you need guidance on creating a data retention policy, understanding your UK GDPR obligations, or reviewing your overall data protection compliance, we’re here to help. Contact our friendly legal team at team@sprintlaw.co.uk or call us on 08081347754 for a free, no-obligations chat about how we can support your business.