What is the Maximum Length of Time You Can Hold Data for GDPR?
Under the UK General Data Protection Regulation (UK GDPR), organisations must not keep personal data for longer than necessary. This principle, known as storage limitation, plays a crucial role in shaping how businesses and public bodies manage the lifecycle of data.
Yet, many companies still struggle with determining precisely how long they should hold onto personal information and what risks arise when they hold onto it for too long.
Data protection isn’t just about collecting data lawfully. Once personal data is acquired, the next pressing question is: how long can you legally and responsibly keep it? This guide explains what the law says, how to apply it in practice, and why a tailored retention policy is essential for any UK-based business.
What Does the GDPR Say About Data Retention Periods?
The UK GDPR makes it clear that personal data must only be kept for as long as it’s needed. This isn’t just good practice; it’s a legal obligation outlined in Article 5(1)(e).
It states that data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
There are no standard timeframes built into the regulation. Instead, it’s up to each organisation to determine appropriate retention periods based on the purpose of processing, the lawful basis, and any industry-specific regulations.
For example, some laws require tax records to be kept for at least six years, while marketing data based on consent should be deleted when consent is withdrawn.
This flexibility allows organisations to shape their data policies according to business needs, but it also introduces the challenge of justification.
Every decision must be documented, and companies must be able to explain why data was kept for a given period.
What Is a Lawful Basis for Holding Personal Data?
To comply with the UK GDPR, organisations must determine a lawful basis for collecting and retaining personal data. These bases include:
- Consent
- Contractual necessity
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
The lawful basis chosen can influence how long personal data should be kept. For example, if data is collected as part of a legal requirement, such as payroll records, it may need to be retained for a minimum period prescribed by law.
On the other hand, if data is processed under consent for marketing purposes, it should only be kept for as long as the consent remains valid.
Determining the lawful basis is also essential for defining the scope and duration of data processing. This ensures that data is neither held unnecessarily nor retained in a way that puts data subjects at risk.
How Long Can Companies Keep Personal Data in the UK?
There is no one-size-fits-all answer to this question. The retention period for personal data depends entirely on the nature of the data, the reason for its collection, and any associated legal obligations.
For instance, personal data used in an ongoing customer relationship might be retained throughout the life of that relationship and for a reasonable period afterwards to address any legal claims or customer service issues.
Conversely, personal data collected for a short-term campaign or one-off transaction should not be kept longer than necessary.
A common misconception is that data can be stored indefinitely as a precautionary measure. However, the UK GDPR is clear: if there is no longer a specific purpose for retaining the data, it must be deleted or anonymised.
Consider the following examples:
- A bank holds customer identification data such as date of birth and address for account security. This information can be retained for the duration of the customer relationship and for a fixed period after account closure for fraud prevention or compliance purposes.
- A pub may operate CCTV to monitor public safety. If no incident occurs, there is little justification to retain footage beyond 30 days. However, if a crime is reported, footage must be preserved for investigation purposes.
These examples highlight the importance of context. Every type of personal data must be assessed individually to determine a proportionate and compliant retention period.
How Can You Create a GDPR Compliant Data Retention Policy?
A well-structured Data Retention Policy is a cornerstone of GDPR compliance. This policy should define what data is held, why it is held, how long it will be held, and what actions are taken when it is no longer needed.
Creating this policy begins with data mapping: identifying all the personal data an organisation holds and categorising it by purpose and lawful basis.
Once mapped, retention periods should be assigned based on legal requirements, industry standards, or risk assessments.
While the UK GDPR does not require every business to have a documented policy, it is considered best practice and often expected by regulators.
Even small organisations performing low-risk processing should maintain at least a basic internal policy and conduct regular reviews of the data they hold.
A strong retention policy should also include the ability to:
- Allow for early deletion of data that is no longer in use
- Adapt retention periods if the purpose for holding the data changes
- Facilitate compliance with data subject rights, such as the right to erasure
Policies should be actively managed and not treated as static documents. Regular reviews and updates ensure ongoing compliance and reduce the risk of holding outdated or excessive personal data.
Are There Any Exceptions to Standard Retention Rules?
Yes, there are exceptions to the general rule of deletion once data is no longer necessary. Under UK GDPR Article 89(1), personal data may be retained for longer periods when used solely for:
- Archiving in the public interest
- Scientific or historical research
- Statistical purposes
In these cases, organisations must implement appropriate safeguards, such as pseudonymisation or encryption, to protect individuals’ rights.
For example, a university storing anonymised health data for longitudinal studies may retain that data for decades, provided it is not used to make decisions about individuals.
It is important to note that data kept for archiving or research must not be repurposed later for commercial or profiling uses unless a new lawful basis is established.
What Are the Best Practices for Reviewing and Deleting Data?
A crucial part of compliance with the storage limitation principle is the ongoing review of the data held. Organisations should periodically assess whether the data still serves a valid purpose. If not, it should be either erased or anonymised.
Automated systems can flag records nearing the end of their retention period. For example, customer support tickets older than two years might be scheduled for deletion unless an unresolved issue exists.
Deletion must go beyond simply removing access to the data. If personal data is stored in backups or archived offline, it must be securely removed from all systems where feasible.
If permanent deletion isn’t possible, the data should be rendered beyond use, ensuring it cannot be retrieved or reprocessed.
In cases where deletion is not appropriate, anonymisation is a suitable alternative. Once data is stripped of identifiers and cannot be linked back to an individual, it is no longer subject to GDPR and may be retained for trend analysis or internal reporting.
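The automated review described above, as an added example that is not part of the original article: a retention check that flags records as expiring, due for deletion, or on hold (an unresolved ticket or a CCTV clip preserved for a reported incident), with an audit line for every deletion or hold. The retention periods, record categories and sample records are constructed for the example; an organisation's own schedule comes from its data mapping.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule in days; None means "held only while consent
# stands". A real policy sets these per category after data mapping.
RETENTION_DAYS = {
    "support_ticket": 2 * 365,   # two years, as in the example above
    "cctv_footage": 30,
    "marketing_contact": None,
}

@dataclass
class Record:
    record_id: str
    category: str
    created: str                     # ISO date, e.g. "2024-05-10"
    open_issue: bool = False         # unresolved ticket: do not delete yet
    legal_hold: bool = False         # e.g. CCTV clip kept for a reported incident
    consent_withdrawn: bool = False  # marketing data goes once consent is withdrawn

def review(records, today_iso, warn_days=30):
    """Return {record_id: action}, action being keep, expiring, hold or delete."""
    today = date.fromisoformat(today_iso)
    actions = {}
    for r in records:
        if r.category not in RETENTION_DAYS:
            # Unmapped data is a policy gap, not something to keep silently.
            raise ValueError(f"no retention period for category {r.category!r}")
        limit = RETENTION_DAYS[r.category]
        if limit is None:
            actions[r.record_id] = "delete" if r.consent_withdrawn else "keep"
            continue
        expiry = date.fromisoformat(r.created) + timedelta(days=limit)
        if today >= expiry:
            actions[r.record_id] = "hold" if (r.open_issue or r.legal_hold) else "delete"
        elif today >= expiry - timedelta(days=warn_days):
            actions[r.record_id] = "expiring"
        else:
            actions[r.record_id] = "keep"
    return actions

def audit_trail(actions, today_iso):
    """Audit lines for deletions and holds: the evidence an accountability review asks for."""
    return [f"{today_iso} {rid} {act}"
            for rid, act in sorted(actions.items()) if act in ("delete", "hold")]
```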
How Can You Prove GDPR Accountability for Data Retention?
Demonstrating accountability is a legal requirement under GDPR. This means organisations must not only comply but also be able to show evidence of compliance. This includes:
- A documented Data Retention Policy
- Clear records of processing activities
- Audit trails for data deletion
- Evidence of staff training on data retention responsibilities
- Internal review mechanisms to flag outdated data
For instance, in a notable case, the Information Commissioner’s Office (ICO) reprimanded a company for failing to implement a proper data retention policy, highlighting that good documentation is as important as good practice.
What Are the Typical Data Retention Timeframes in the UK?
| Data Type | Recommended Retention Period | Justification |
|---|---|---|
| Employee Records | 6 years post-employment | Limitation Act 1980 |
| Financial/Tax Records | 6 years | HMRC requirements |
| Recruitment Data | 6–12 months | Prevent employment claims |
| Customer Service Emails | 2–3 years | Operational needs |
| CCTV Footage | 30 days (or case-specific) | Security and legal compliance |
| Marketing Data | Until consent is withdrawn | GDPR and PECR regulations |
| Health and Safety Records | Up to 40 years | Statutory safety requirements |
How Can Businesses Stay GDPR Compliant with Data Retention Practices?
To maintain GDPR compliance, UK businesses should take a structured and proactive approach to data retention. This means:
- Understanding the types of personal data held
- Identifying the legal basis and purpose for each data set
- Establishing and documenting appropriate retention periods
- Deleting or anonymising data that is no longer required
- Training staff in data retention protocols
- Implementing systems for regular data review and erasure
Additionally, businesses should be prepared to respond to individual requests for deletion. The right to erasure, often referred to as the “right to be forgotten,” allows individuals to request that their data be removed when it’s no longer needed.
A well-maintained retention policy reduces legal risk, protects individuals’ privacy, and improves data efficiency. It also prepares businesses for audits or investigations by demonstrating that proper governance and accountability are in place.
Frequently Asked Questions
What is the storage limitation principle in GDPR?
It states that personal data must not be kept longer than is necessary for the purpose for which it was collected.
Do businesses need a Data Retention Policy?
Yes, especially if they process large volumes of data or data in regulated sectors. A policy helps ensure compliance and reduces operational risk.
How do you determine how long to keep personal data?
By assessing the purpose for collection, the lawful basis for processing, and any applicable legal or industry-specific requirements.
Can data be kept indefinitely under GDPR?
Only in limited cases such as archiving in the public interest, research, or statistical analysis with strong safeguards.
What should be done with data no longer needed?
It should be securely erased or anonymised to prevent further identification or use.
What’s the difference between anonymisation and pseudonymisation?
Anonymisation removes all identifying features permanently. Pseudonymisation reduces identifiability but may still allow data to be re-linked with effort.
How should data be managed in shared initiatives?
Data sharing agreements should outline retention terms, and all parties must delete or return data once it’s no longer needed.