Can I Keep My Customer Contact Details Forever?

In Short

  • UK GDPR mandates that personal data, such as customer contact details, can only be retained for as long as necessary for the original purpose.
  • Holding onto data “just in case” is not permitted, and unjustified indefinite retention risks non-compliance.
  • Clear retention policies and regular audits are essential for compliance.

Tips for Businesses

Establish clear data retention periods, automate deletion processes, and review data regularly. Transparency with customers about data retention and privacy practices, including regular updates to privacy policies, is crucial for building trust and maintaining compliance.

Many businesses collect and store customer contact details for various purposes—for instance, marketing, processing customer transactions, and delivering customer service. However, under the UK GDPR, companies cannot retain customer data indefinitely without complying with mandatory legal rules. As such, it is vital to ensure that your retention of customer data complies with legal requirements. This article will explore the question of whether you can keep customer contact details forever and key considerations under the UK GDPR rules. 

Under UK GDPR, data retention by your business must comply with fundamental principles:

  • Data Minimisation: Your business should only collect data essential for the specific purposes outlined. Holding onto excessive data can lead to non-compliance with the UK GDPR rules; and
  • Storage Limitation: You must only retain personal data for as long as necessary. Once the purpose of data collection is fulfilled, the data must be deleted unless there is a legal reason to keep it longer. 

Although the UK GDPR does not provide specific retention periods, it requires businesses to assess the purpose of collecting personal data and ensure its retention is proportionate and justified. Failing to comply with this could result in significant penalties. 

When deciding how long to retain personal data, it is essential to consider the UK GDPR, other applicable laws, and your organisation’s specific needs. Many regulations require the retention of certain documents and records for specific periods.

For instance, the Companies Act 2006 and tax rules require retaining certain records for specific periods. A key challenge for businesses is ensuring compliance with data protection principles and other legal and operational requirements.

How Long Can You Retain Customer Contact Details?

If your customer contact details include their personal information, such as their names or email addresses containing names, the UK GDPR rules will apply to your business. As such, you must consider the UK GDPR rules and determine how long you can keep customer contact details containing personal data. 

Key Considerations

Here are some key considerations: 

  • the UK GDPR does not specify a period for retaining personal data. However, the law states that organisations should retain data only for as long as it is necessary for the original purpose. When data is no longer needed for its intended purpose, you must delete it. It is not enough to keep data “just in case” it might be helpful in the future – meaning you cannot keep customer information forever just because you feel you may need it in future. Any justification for holding personal data indefinitely would need to comply with strict UK GDPR rules and have a valid justification. Businesses need to regularly review and assess the necessity of the data they hold and justify why they need to keep it;
  • you must be able to justify holding onto the contact details of an existing customer based on the ongoing service, support, or transactions you provide. For example, if the customer actively uses your service, their contact information is necessary for communication and support. However, retaining the contact details of a customer who has not worked with you for ten years is unlikely to be justifiable. This is particularly true if there is no legal obligation (such as tax or audit requirements) to retain that information. In such cases, the data should be deleted to comply with the UK GDPR’s storage limitation principle; and
  • retaining customer data indefinitely in breach of the UK GDPR can present significant risks to your business. Therefore, you must have clear data retention policies that specify how long each data type will be retained. You should regularly review and securely delete data when it is no longer needed. You must also be able to justify why you are keeping personal data in a way that still allows the identification of individuals. If the personal data no longer serves its original purpose and cannot be justified for retention, you should delete it.

How Should You Inform Customers About Data Retention?

Your business must clearly communicate how long personal data will be retained or the criteria used to determine this, as transparency is a key requirement under UK GDPR. You should include this information in your privacy policy. If a specific timeframe cannot be provided, it is important to explain the reasoning behind your data retention decisions.

It is essential to regularly review and update your privacy policy to reflect any changes in data retention practices. This transparency can help you build customer trust and ensure compliance with the UK GDPR.

What are Some Best Practices for Data Retention? 

To ensure compliance with UK GDPR and manage customer data effectively, your business should implement the following best practices:

  • Conduct Regular Data Audits: You should review your business’s personal data regularly. Delete any data that is no longer necessary for its original purpose;
  • Establish Clear Retention Periods: Based on legal obligations and business needs, set clear retention periods for different types of data;
  • Automate Data Deletion: You could consider putting in place systems that automatically delete personal data after the retention period expires. Automating this process can help you ensure prompt data deletion and reduce the risk of human error;
  • Review and Update Retention Policies Regularly: You should review data retention policies regularly to ensure they reflect your business practices. These policies should address how long you legitimately need to retain data; and
  • Handle Data Deletion Requests Promptly: You should ensure your business has efficient processes for handling data deletion requests. Under the UK GDPR, individuals can request the erasure of their personal data in specific scenarios. 

Finally, you should note that instead of deleting data, you can opt to anonymise it. This means that it no longer identifies any individual, removing it from the scope of UK GDPR. However, it is crucial that anonymisation prevents re-identification. 

If you are unsure whether the data is anonymous, deleting it is safer. In the case of customer contact details, deleting information you no longer need can be the best course of action.

Key Takeaways

The UK GDPR rules require that businesses retain personal data only for as long as necessary to fulfil the original purpose for which businesses collected it. Once that purpose has been met, you should delete the data to avoid non-compliance with data protection regulations. As such, you should only keep customer personal data for as long as necessary and in compliance with the UK GDPR rules. It is crucial to have clear and transparent data retention policies that specify data retention periods, and businesses must be able to justify the retention of any personal data. 

If you need advice on UK GDPR compliance, our experienced data privacy lawyers can assist you through LegalVision’s membership service. For a low monthly fee, you will have unlimited access to our lawyers, who can answer your questions and draft or review your documents. Call us today at 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the UK GDPR?

The UK GDPR governs how businesses collect, process, and retain personal data. It ensures the responsible handling of personal data and the protection of individuals’ privacy rights.

How long can I hold customer data?

You must only retain personal data for as long as necessary to fulfil the original purpose of collection. You should carefully consider how long you need to hold customer data, such as contact details.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.