When Should Personal Data Be Deleted Under UK GDPR?

If your business stores any personal information about customers, staff, suppliers or prospects, you’ll need a clear answer to a simple question: when should that personal data be deleted from your computer systems?

Under UK GDPR and the Data Protection Act 2018, you must not keep personal data for longer than necessary. In practice, that means setting sensible retention periods, actually deleting (or anonymising) data when the clock runs out, and being able to prove what you did and why.

In this guide, we’ll break down when you should delete personal data, how to set up a practical retention schedule, and what to do about backups, cloud tools and special cases like CCTV and marketing lists. We’ll keep it straightforward and action-focused, so you can put strong data hygiene in place without slowing the business down.

What Counts As “Personal Data” In Your Business?

Personal data is any information that relates to an identified or identifiable person. For a small business, this usually includes:

• Customer details (names, emails, phone numbers, addresses, order history, support messages)
• Marketing contacts (newsletter signups, event attendees, lead lists, tracking IDs)
• Employee and applicant records (CVs, right-to-work checks, performance or payroll data)
• Supplier contacts (if tied to a sole trader or an individual)
• Technical or behavioural data tied to a person (IP addresses, cookies, device IDs where they identify a person)
• Images or audio where a person can be identified (CCTV or call recordings)

UK GDPR applies wherever you process personal data, whether it’s in a CRM, spreadsheets, email, shared drives, messaging tools, cloud storage or a bespoke app. If you can link the data back to a living person, it’s in scope.

What The Law Says About Keeping And Deleting Personal Data

Two core UK GDPR principles drive deletion decisions:

• Storage limitation: Don’t keep personal data for longer than necessary for the purpose you collected it.
• Data minimisation: Only keep what you actually need. If a field or dataset is no longer needed, delete or anonymise it.

On top of this, individuals have the right to erasure (the “right to be forgotten”) in certain circumstances, and you have to be able to action those requests promptly unless an exemption applies. You also need to meet other duties like transparency (telling people what you’ll do in your Privacy Policy) and security (ensuring deletion happens safely and irreversibly).

Remember the wider legal landscape too. Sometimes you must keep data for a minimum period (for example, certain tax or employment records). In those cases, the legal obligation overrides deletion until the retention period ends-then you should delete without delay.

When Should Personal Data Be Deleted From A Computer System?

Here are the most common scenarios where UK businesses should delete (or anonymise) personal data.

1) The Original Purpose Is Complete

If you collected data to deliver a one-off project, answer an enquiry, or fulfil an order, you should delete it when you no longer need it for that purpose-subject to any legal retention duties (for example, keeping transaction records for tax).

• Example: A one-off B2B project is complete and paid. Keep invoices for the statutory period, but delete unnecessary project files containing personal data once no longer needed.

2) Consent Is Withdrawn (And No Other Lawful Basis Applies)

If you rely on consent for a purpose-such as email marketing-and someone withdraws consent, delete their data for that purpose unless you can rely on another lawful basis. You may need to keep a minimal “suppression” list entry to ensure you don’t contact them again.

3) You No Longer Have A Lawful Basis

Sometimes you can’t justify ongoing processing under any lawful basis (consent, contract, legal obligation, vital interests, public task, legitimate interests). If none apply, delete it. This often happens with old prospect lists or legacy systems that nobody uses anymore.

4) The Data Is Unlawfully Processed

If you obtained or used data in a way that breaches UK GDPR (for example, scraping personal data without a lawful basis), you should delete it.

5) The Data Is Inaccurate And Can’t Be Corrected

Where personal data is wrong and cannot reasonably be rectified, consider deletion. Keeping inaccurate data can lead to poor decisions and non-compliance with accuracy obligations.

6) A Valid Erasure Request Is Made

Individuals can request deletion in specific circumstances (e.g. where data is no longer necessary or consent is withdrawn). You must respond promptly and within one month. You can refuse or limit erasure in certain cases (for example, where you must keep data by law), but you need a solid reason and a clear response process. If you manage lots of requests, it’s wise to standardise handling alongside your SAR deadlines and any applicable SAR exemptions.

7) The Retention Period Has Ended

Your retention schedule should specify how long each category of data is kept. When the clock runs out, delete or anonymise. If you’re unsure about typical timeframes, start with a practical framework and build from there using guidance like our overview of data retention periods.

8) You Receive A Valid Objection

If someone objects to processing based on your legitimate interests and there are no compelling grounds to continue, you should stop and delete the data for that purpose.

How To Set A Practical Retention Schedule (That People Actually Follow)

Deletion only works if you know what to delete and when. A pragmatic retention schedule keeps things simple and actionable.

Step 1: Map Your Data

List the systems and places where personal data lives (CRM, accounting, email, file storage, HR tools, phones, backups, third-party apps). Note what categories of personal data are held and for what purpose.

Step 2: Group Into Categories

Create clear categories with business-friendly labels, such as:

• Customer account data
• Order and invoice data
• Marketing contacts
• Support tickets
• Website analytics/cookies
• Job applicants
• Employee records
• Supplier contacts
• CCTV footage

Step 3: Assign Retention Periods And Justifications

For each category, set a sensible retention period and document your rationale and lawful basis. Where another law requires a minimum period (e.g., payroll or tax records), record that obligation. Where you’re relying on legitimate interests, note the balancing test outcome.

Step 4: Define The Deletion Method

State how deletion or anonymisation will happen for each system (manual deletion, scheduled purge, API script, automated rules). Remember that “delete” should be irreversible from a business perspective, and apply to active systems and archives.

Step 5: Bake It Into Your Processes

Turn good intentions into practice:

• Use automated retention rules where your systems support them.
• Schedule periodic deletion tasks (quarterly reviews work well).
• Train staff who manage inboxes, shared drives and customer service tools.
• Build deletion steps into offboarding, project closure and campaign wrap-ups.

Step 6: Cover Third Parties

If you use cloud vendors or outsourcers, make sure your Data Processing Agreement obliges them to help you delete or return personal data at the end of the engagement, and on request.

What About Backups, Cloud Tools And System Logs?

Backups and logs are notorious for quietly keeping personal data longer than you intend. Regulators accept that backups can be treated differently, but only if you manage them properly.

• Backups: You don’t need to immediately purge an immutable backup on receipt of a deletion request, but you must ensure the data is not restored to production and is overwritten on the normal backup cycle. Record this in your retention policy and vendor contracts.
• System logs: Keep logs for security and audit needs, but limit retention periods and restrict access. Where feasible, log data should be pseudonymised.
• Cloud storage and collaboration tools: Check the provider’s deletion model and retention settings. If you’re using popular platforms, make sure they support UK GDPR needs; it helps to sanity check tools your team uses day-to-day against guidance like whether Google Drive is GDPR compliant.
• Shared inboxes and chat apps: Set auto-archiving and deletion policies where possible, and train teams to remove personal data from long-running threads once it’s no longer needed.

Special Cases Small Businesses Ask Us About

Employee Records

Employment law requires you to keep certain records for minimum periods (for example, payroll/tax records). Once those periods expire, delete personal data that’s no longer needed. A pragmatic approach is to separate “must keep” records from everything else early on, and then apply shorter retention to routine HR files. If you’re unsure, our guide to ex-employee records will help you set sensible timelines.

Marketing Lists

For email marketing, the lawful basis is often consent (or soft opt-in under PECR). Delete contacts when consent is withdrawn or if they’ve been inactive for a long time and you can’t justify ongoing processing. Keep a minimal suppression record so you don’t re-add them by mistake. Make sure your Cookie Policy and Privacy Policy align with how you collect and retain marketing and analytics data.

CCTV Footage

CCTV should have a clear purpose (e.g., security) and a short retention period-often measured in days or weeks unless footage is needed for an active investigation. Keep signage up, restrict access, and auto-delete after the set period.

Customer Accounts And Support Tickets

Account data can be kept while the account is active and for a sensible period after closure to handle chargebacks or disputes, then deleted or anonymised. Support tickets often contain personal data-set a default retention (for example, 12–24 months) unless a legal reason requires more.

Prospect And Lead Lists

Leads go stale quickly. If you can’t justify ongoing processing (for example, you’ve had no engagement for a long time), delete them. Holding old spreadsheets “just in case” is a common compliance risk.

Essential Documents And Processes To Support Lawful Deletion

You don’t need a huge bureaucracy-just a few clear, joined-up documents and processes that your team can follow.

• Privacy Policy: Tell people how long you keep their data in plain English and explain when you’ll delete or anonymise it. A tailored Privacy Policy helps here.
• Data Retention Schedule: The backbone of deletion. Keep it practical, tied to systems and categories, and reviewed annually.
• Data Processing Agreement: For any processors you use (cloud vendors, outsourced support), your Data Processing Agreement should include cooperation with deletion, timelines and secure disposal.
• Data Sharing Agreement: If you share personal data with another controller, a Data Sharing Agreement can set expectations on retention and deletion responsibilities between you.
• Request Handling: Standard operating procedures for erasure requests and access requests (SARs), with clear deadlines and decision criteria aligned to your obligations under UK GDPR.
• Incident Playbook: If data is deleted in error, you may need to investigate as a security incident. Having a Data Breach Response Plan makes response and reporting much easier.

Practical Deletion Tips You Can Action This Quarter

• Switch on retention controls: Explore built-in retention or auto-delete settings in your CRM, helpdesk, email marketing and file storage tools.
• Delete routinely, not annually: Monthly or quarterly “clean up” cycles are easier and more reliable than big annual purges.
• Minimise at source: If you don’t need a field (date of birth, exact address, phone number), don’t collect it. If you do need it, consider hashing or tokenising where possible.
• Prefer anonymisation over archiving: If you want long-term analytics, strip out identifiers so the dataset is no longer personal data.
• Tidy inboxes and shared drives: Encourage teams to move personal data out of email and chat into designated systems with retention rules, then delete from the original location.
• Control exports: Spreadsheets get forgotten. Limit CSV exports and set expiry rules for shared links.
• Audit processors: Ask vendors how they implement deletion, including their backups and sub-processors. Capture answers in your vendor file.

Common Mistakes (And How To Avoid Them)

• Keeping data “just in case”: If you can’t justify a lawful basis and purpose, delete it.
• Ignoring backups: Document how you prevent restored data from resurfacing after an erasure and how long backups persist.
• Inconsistent timelines across systems: Align retention across tools so you don’t delete from one place and forget the copy in another.
• Not telling people your approach: Your Privacy Policy should explain retention periods in a clear, high-level way that matches what you actually do.
• Confusing deletion with deactivation: Disabling an account isn’t deletion. Build a process that actually removes or anonymises personal data.
• Forgetting legal minimums: Where law requires a minimum retention period (e.g., tax, employment), only keep what’s needed-and delete promptly when the timer ends.
• No paper trail: Keep lightweight logs of deletion runs and decisions, especially for erasure requests. If challenged, you’ll want evidence that you acted lawfully.

Key Takeaways

• Under UK GDPR’s storage limitation principle, only keep personal data for as long as you need it for a defined purpose-then delete or anonymise it.
• Trigger points for deletion include purpose completion, consent withdrawal, loss of lawful basis, inaccuracy, unlawful processing, valid erasure requests and the end of your retention period.
• Create a practical retention schedule that maps systems, sets timelines per data category, explains the legal rationale and specifies how deletion happens in each tool.
• Address tricky areas like backups, logs and cloud apps by documenting your approach and using vendor contracts (for example, a Data Processing Agreement) to control deletion.
• Align your Privacy Policy, Cookie Policy and internal processes so teams know what to collect, how long to keep it, and when to delete it.
• Standardise request handling alongside SAR timelines and exemptions, and keep simple records of what you deleted and why.
• If in doubt, take a minimisation mindset-collect less, keep less, and automate deletion where possible.

If you’d like tailored help setting retention schedules, drafting a Privacy Policy or putting the right Data Processing Agreement and Data Sharing Agreement in place, our team can help you get protected from day one. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.