Data Retention Policy Template for UK Businesses

UK GDPR requires you to keep personal data no longer than necessary and to be able to explain why. A data retention policy sets out exactly how long each type of data is kept — and when it is deleted.

What is a data retention policy?

A data retention policy is an internal document that defines how long your business keeps different types of personal data before securely deleting or anonymising it. It is a practical implementation of the UK GDPR storage limitation principle — one of the seven core data protection principles.

Without a written policy, you have no way to demonstrate to the ICO that you are managing retention properly. You also risk holding data indefinitely, which increases your exposure in the event of a breach.

What your data retention policy should cover

  • A schedule of all personal data categories your business holds
  • The retention period for each category and the legal basis for it
  • How and when data is deleted or anonymised at the end of its retention period
  • Who is responsible for managing and enforcing the schedule
  • How backups and archived data are treated
  • Procedures for handling legal holds (where data must be kept beyond the normal period)
  • Annual review process

Common questions about data retention policies

UK GDPR's storage limitation principle requires you to keep personal data no longer than necessary. A written retention policy is how you demonstrate compliance with this principle. The ICO expects to see one during audits and investigations.
There is no single answer — it depends on the type of data and the purpose. Customer records are often kept 6–7 years for tax purposes. Employee records may need to be kept for the duration of employment plus several years. Your policy should define specific periods for each data category your business holds.
Keeping personal data longer than necessary is a breach of the UK GDPR storage limitation principle. The ICO can issue fines and enforcement notices. It also increases your risk in a breach — the more data you hold, the greater the potential impact on the individuals affected.
Yes — it should cover all categories of personal data your business holds: customer data, employee data, supplier data, CCTV footage, website analytics, and anything else. Each category needs a defined retention period and a clear deletion or anonymisation procedure.