
PolicifyAI

Published February 2026 · 8 min read

GDPR

Data Retention Schedules: How Long Should You Keep Personal Data?

GDPR requires you to justify how long you retain personal data.

The Storage Limitation Principle Under GDPR

Article 5(1)(e) of GDPR states that personal data must be kept for no longer than is necessary for the purposes for which it is processed. Keeping data indefinitely "just in case" is not compatible with GDPR. You need a documented retention schedule.

How to Determine Retention Periods

  • Legal obligation: Some laws mandate minimum retention periods. These override GDPR's minimisation principle.
  • Legitimate operational need: Data needed to defend or bring legal claims may be retained for the relevant limitation period.
  • Contractual requirement: Customer contracts may impose retention or deletion obligations.
  • Risk-based assessment: Where no external requirement applies, weigh the privacy risk of continued retention against its operational value.

Common Retention Periods by Data Type

  • Financial records and invoices: 7 years (HMRC requirement)
  • Employment records: 6 years after termination
  • Payroll records: 3 years from end of tax year (6 years commonly adopted)
  • Marketing data and consent records: 2 years from last meaningful engagement
  • Customer contracts: 6 years from expiry (12 years for contracts executed as deeds)
  • Website analytics data: 13 months; anonymise where possible
  • Job applicant data (unsuccessful): 6 months from rejection decision

Legal Holds

When litigation is reasonably anticipated, your standard retention schedule must be suspended for relevant data. Deleting data subject to a legal hold can constitute spoliation. Build a process to identify, flag, and preserve data when holds are triggered.

Automated Deletion

A retention schedule that exists only on paper provides limited protection. Tag data at ingestion with its retention category, build automated deletion jobs, log deletions for audit purposes, and review the schedule annually.
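The following is an added example, not PolicifyAI's code, showing how the schedule above, the legal-hold process and the automated deletion job fit together: each record carries a retention category tag, the job computes expiry from the tagged anchor event, records under a legal hold are preserved instead of deleted, and every decision is written to an audit log that holds only record identifiers and dates rather than the personal data itself. The retention periods mirror the figures listed in the article; the record ids, the data-subject reference, the "legacy_export" category and the run date are constructed for the demonstration.

```python
"""Retention enforcement with legal holds and an audit trail.

Added illustration (not PolicifyAI's code). Periods follow the article's
schedule; records, subject references and the run date are constructed.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional

# Schedule keyed by the category each record is tagged with at ingestion.
# "anchor" names the event that starts the retention clock.
RETENTION_SCHEDULE = {
    "financial_record":  {"years": 7,  "anchor": "created"},
    "employment_record": {"years": 6,  "anchor": "terminated"},
    "marketing_consent": {"years": 2,  "anchor": "last_engagement"},
    "customer_contract": {"years": 6,  "anchor": "contract_expiry"},
    "job_applicant":     {"months": 6, "anchor": "rejection_decision"},
}


@dataclass
class Record:
    record_id: str
    category: str                      # retention tag applied at ingestion
    anchor_dates: Dict[str, date] = field(default_factory=dict)
    data_subject: str = ""             # pseudonymous subject reference
    legal_hold: bool = False


def add_period(start: date, years: int = 0, months: int = 0) -> date:
    """Add calendar years/months, clamping the day for shorter months."""
    total = start.month - 1 + years * 12 + months
    year, month = start.year + total // 12, total % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def retention_expiry(rec: Record) -> Optional[date]:
    """Date from which the record may be deleted, or None if the clock has
    not started yet (e.g. an employee who has not left)."""
    rule = RETENTION_SCHEDULE[rec.category]
    anchor = rec.anchor_dates.get(rule["anchor"])
    if anchor is None:
        return None
    return add_period(anchor, rule.get("years", 0), rule.get("months", 0))


def place_legal_hold(records: List[Record], matches: Callable[[Record], bool],
                     audit_log: List[dict], today: date) -> List[str]:
    """Flag every record the hold predicate selects so the job preserves it."""
    held = []
    for rec in records:
        if matches(rec) and not rec.legal_hold:
            rec.legal_hold = True
            held.append(rec.record_id)
            audit_log.append({"date": today.isoformat(), "record_id": rec.record_id,
                              "action": "legal_hold_placed"})
    return held


def run_retention_job(records: List[Record], today: date, audit_log: List[dict]):
    """Return (deleted, preserved_by_hold, needs_review) record ids.
    Audit entries carry ids, categories and dates only, never the personal
    data, so the log can outlive the records it describes."""
    deleted, preserved, review = [], [], []
    for rec in records:
        if rec.category not in RETENTION_SCHEDULE:
            review.append(rec.record_id)          # untagged data: never auto-delete
            continue
        expiry = retention_expiry(rec)
        if expiry is None or expiry > today:
            continue                              # clock not started or still running
        action = "retained_legal_hold" if rec.legal_hold else "deleted"
        (preserved if rec.legal_hold else deleted).append(rec.record_id)
        audit_log.append({"date": today.isoformat(), "record_id": rec.record_id,
                          "category": rec.category, "expiry": expiry.isoformat(),
                          "action": action})
    return deleted, preserved, review


def build_sample_records() -> List[Record]:
    """Constructed sample data; ids and subject references are not real."""
    return [
        Record("inv-001", "financial_record", {"created": date(2018, 3, 1)}),
        Record("inv-002", "financial_record", {"created": date(2020, 6, 30)}),
        Record("emp-007", "employment_record", {}),            # still employed
        Record("mkt-310", "marketing_consent", {"last_engagement": date(2023, 11, 20)}),
        Record("con-055", "customer_contract", {"contract_expiry": date(2019, 12, 31)},
               data_subject="subject-42"),
        Record("app-912", "job_applicant", {"rejection_decision": date(2025, 9, 30)}),
        Record("app-913", "job_applicant", {"rejection_decision": date(2025, 7, 15)}),
        Record("exp-001", "legacy_export", {"created": date(2015, 1, 1)}),  # untagged
    ]


def run_demo(today: date = date(2026, 2, 15)):
    """Place a hold on one subject's records, then run the scheduled job."""
    records, audit_log = build_sample_records(), []
    place_legal_hold(records, lambda r: r.data_subject == "subject-42", audit_log, today)
    deleted, preserved, review = run_retention_job(records, today, audit_log)
    return deleted, preserved, review, audit_log


if __name__ == "__main__":
    d, p, r, log = run_demo()
    print("deleted:", d, "| preserved by hold:", p, "| needs review:", r)
    for entry in log:
        print(entry)
```

Two design points matter in practice: records whose category is not in the schedule are routed to review rather than deleted, because an untagged record has no justified retention period either way, and the legal-hold check sits inside the deletion job itself rather than in a separate list someone must remember to consult, so suspending the schedule is the default behaviour once a hold is flagged.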

Documenting Your Schedule

Your retention schedule forms part of your Records of Processing Activities (ROPA) under GDPR Article 30. It should be reviewed at least annually and updated when you introduce new data categories or face changes in applicable law.
