Skip to content
LegalVision UK

How Long Can I Keep Personal Data?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Businesses often hold a lot of personal data, including data about customers, staff and suppliers. Most businesses tend to keep hold of personal data for a long time without proper processes to delete it. Data retention and deletion are often not at the top of the business priority list. However, this is high risk and could lead to serious consequences. Keeping personal data is subject to strict legal rules under the UK General Data Protection Regulation (UK GDPR). This article will explain some key privacy law rules around how long you can keep personal data. 

How Long Can I Legally Retain Data?

Data protection laws on holding personal data are extremely stringent. Your business cannot hold onto personal data forever ‘just in case’ (unless very limited exceptions apply) or for longer than you need the data. 

You must carefully consider how long you really need to hold personal data and when to delete it. For example, if a customer stopped working with you five years ago and moved on to a new supplier, do you really need to keep their payment information?

To determine how long you should retain personal data, you will need to consider both the UK GDPR, other applicable laws and your business requirements. There are various laws that require documents and records to be held for specific time periods. For example, certain accounting records need to be kept 6 years from the date they were made. Business contracts should generally be kept for a minimum of 6 years. Most employment-related documents should be kept for 7 years. A vital but often difficult priority for businesses is balancing data protection laws, other laws, and business needs when it comes to data retention. 

Your organisation must ensure that you keep personal data in accordance with the principles set out in the UK GDPR. There are no set time periods for how long you can keep personal data under the UK GDPR. However, the UK GDPR sets out various rules around processing personal data, including rules on data minimisation. The UK GDPR data minimisation principle means that you should only collect the minimum amount of personal data you need. Your organisation should carefully review the data you hold and decide how long it should be kept, in accordance with the UK GDPR rules. This is extremely important. 

Key Tips for Keeping Personal Data

The data retention and deletion rules are mandatory and may sound quite onerous given the heavy amounts of data most businesses hold. However, there are various actions you can take to help comply with them. 

1. Understand What Personal Data You Hold and Why You Need It

The starting point is always to look at what personal data you hold. This task is commonly known as a ‘data audit’. 

You should carefully consider the following as part of this process:

  • Who do you collect personal data from?
  • Why do you collect personal data from them?
  • How long do you legitimately need to use that personal data?
  • When should the data be deleted, and what processes do you have in place to delete it?

You need to make sure you can justify why your business holds personal data for specific periods. 

2. Understand the Rules on Data Retention

You should understand the principles of the UK GDPR and how they apply to data retention. In particular, you should consider the UK ICO (the data protection regulator’s) guidance on storage limitations. The ICO’s guidance discusses how long you should keep personal data. You should understand the importance of these rules and how they apply to your organisation in practice. 

You should carefully consider the relevant UK GDPR principles and justify how long your organisation can keep each type of personal data. The relevant principles are as follows:

  • principle of ‘data minimisation’ – all personal data held by an organisation must be adequate, relevant and limited to what is necessary; and
  • principle of ‘storage limitation’ – personal data cannot be kept in a form that identifies individuals for longer than necessary for the purposes for which the data is processed. 

However, in practice, complying with these principles can be extremely difficult. For example, businesses may lose track of all the data you hold and where you keep it. You may not fully understand when to delete data and how these rules apply. As such, a lot of businesses struggle to comply with these rules. However, understanding them will help you develop good data practices and comply with the legal requirements. 

3. Implement a Data Retention Policy

A useful way to help you comply with these principles is to have a data retention policy in place. This policy document clearly sets out how your organisation manages data and deletes it when you no longer need it. It should set out:

  • rules for holding personal data;
  • the company’s principles around data retention; and 
  • why certain data is kept for certain time periods. 

As a part of this policy, you can create a schedule that lists all the different types of personal data sets. Further, this schedule may outline how long you keep each type of personal data.  The policy should be bespoke and tailored to your organisation. 

Additionally, you may need to hold certain personal data for important purposes, including tax or employment law compliance purposes. If this is the case, document these details in your policy. You should also regularly review and update your policy to reflect any changes in the data you collect. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Key Takeaways

You should never keep personal data forever or longer than you need it. The UK GDPR does not dictate how long your business should keep personal data – that is a decision for each organisation to make. You must be able to justify exactly why you hold personal data for certain periods of time. Understanding the legal rules around data retention, auditing what data you hold and having a clear data retention policy will help you comply with the legal requirements under the UK GDPR. 

If you need advice on data retention, contact our experienced data, privacy and IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

Does the UK GDPR say how long I can keep personal data?

No. The UK GDPR does not prescribe time limits. Your organisation needs to be able to justify why you hold personal data for certain periods of time. You will need to consider the UK GDPR rules and principles on data retention and make your decision accordingly. 

Can I hold personal data indefinitely, just in case I need it?

Keeping information ‘just in case’ is high risk. You should only hold personal data for as long as you need it. You need to be able to justify why you hold personal data and demonstrate that your time periods for retention are in line with the UK GDPR rules. There are limited exceptions for the purpose of keeping personal data for archiving, research or statistical purposes. You should take advice if you are seeking to rely on these exceptions. 

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Legal Risks When You Do Not Delete Personal Data in the UK

4 Common Challenges Your Company Will Face With the GDPR in the UK

Five Common Mistakes Made by Businesses Handling Personal Data in England

How Can My Business in the UK Demonstrate Compliance With the GDPR Through Data Transparency? 

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times