When it comes to GDPR and data governance, one of the most common questions organisations ask is surprisingly simple: How long should we keep data? Keep it for too short a time and you may fail to meet legal or operational obligations. Keep it for too long and you risk non-compliance, inefficiency, and unnecessary exposure of personal data that no longer serves any purpose.
A well-designed data retention policy is the bridge between these two extremes. It gives your organisation a clear, confident framework for managing data responsibly — helping you stay compliant without drowning in unnecessary complexity.
In this post, we explore why retention policies matter, how long different types of data should be kept, and what a compliant, modern approach looks like for today’s highly digital organisations.
Why data retention matters
Data is becoming more abundant and more valuable at the same time — but also more regulated and more vulnerable. Every email stored, every CV saved, every backup kept for “just in case” contributes to your organisation’s risk and resource burden.
GDPR’s storage limitation principle (Article 5(1)(e)) is clear: personal data may be kept in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed. The qualifier matters: once data no longer identifies anyone, the principle no longer bites, which is why anonymisation is a legitimate end-of-retention option alongside deletion.
That’s not just a legal requirement — it’s good practice. Clear retention periods help you manage risk, reduce storage costs, streamline processes, and strengthen the trust of customers, partners, and employees.
What happens when data is kept too long?
Without structured controls, organisations fall into a predictable trap: Data piles up. Old emails sit untouched for years. Redundant backups remain on systems indefinitely. Staff keep files “just in case.”
Over time, this leads to:
- Larger attack surfaces for cyber threats
- Higher storage and infrastructure costs
- Reduced efficiency and slower systems
- Difficulty demonstrating compliance during audits
- Increased liability if outdated data becomes compromised
A retention policy cuts through this chaos by setting clear, documented timeframes for keeping – and crucially, deleting – data.
Short-term data: The 90-day principle
Not all data needs to be kept long-term. In fact, much of it shouldn’t be.
Temporary system files, routine operational logs, exports, and redundant project data often have a very short useful life. Many organisations adopt a 90-day retention period as best practice for these categories. One caveat a security team will raise: audit and security logs that you would need to investigate an incident are a different category, because intrusions are often discovered well after the event. Give those logs their own, separately justified and documented period rather than letting a blanket 90-day rule delete the evidence.
This ensures that:
- Your systems stay lean
- Redundant, low-value data is removed regularly
- You avoid accidental long-term storage of unnecessary personal data
This 90-day rule is not mandated by GDPR, but it fits comfortably within the regulation’s principles and demonstrates proactive, responsible data management.
Data with legally defined retention periods
While GDPR gives general guidance, several UK laws set out specific, mandatory retention periods. These requirements override discretionary policies. Examples include:
Financial and accounting records
Retained for 6 years for VAT and audit purposes.
HR and employment records
Held for 6 years after an employee leaves, to cover potential contractual claims.
Health and safety exposure records
Retained for 40 years, particularly where hazardous substances or long-term health risk is involved.
Insurance policies
Employers’ liability and professional indemnity documents often need to be kept for 15–50 years, or even indefinitely, because long-tail claims (for example, industrial disease) may arise decades after the policy period.
Local authority and child services records
These can remain on file for up to 75 years, protecting the rights and history of individuals across their lifespan.
These examples illustrate why a one-size-fits-all approach simply isn’t possible. Different categories of data are governed by different laws, risks, and operational uses.
Different industries, different rules
No two organisations will have the same retention schedule, because no two industries face the same risks or regulatory landscape. For example:
- Marketing teams may only keep campaign data for a few months
- Finance departments must retain formal records for several years
- Healthcare, insurance, and legal sectors often work with decades-long retention windows
The key is proportionality: Keep data long enough to meet your regulatory, operational, and legal obligations — but no longer.
A tailored schedule ensures each department understands its responsibilities and applies consistent, compliant retention periods.
Creating a clear retention schedule
A strong retention policy doesn’t have to be complex. At its core, it should answer three questions:
1. What data do we hold?
Categories include HR, finance, marketing, customer data, systems logs, and more.
2. How long do we need it?
Timeframes should be justified, documented, and consistent with legal or business needs.
3. What happens when retention ends?
Options include deletion, anonymisation, or secure archival where necessary.
To make this easier, many organisations adopt:
- Automated deletion workflows
- Regular data audits
- Clear internal guidance for staff
- Centralised retention schedules that update with legislation
Automation plays a major role. By setting rules within your systems — whether cloud platforms, ERPs, or document management tools — you can ensure data is removed or archived consistently, without manual intervention. The rules themselves should mirror the documented schedule (category, period, justification, disposition), and a record with no matching category should be flagged as a policy gap rather than silently kept forever.
Secure deletion and disposal
When data reaches the end of its retention period, how you remove it matters as much as when. Organisations should use approved methods such as:
- Digital wiping using the storage device’s or cloud provider’s secure-erase facility
- Overwriting, which is effective for magnetic disks; on SSDs and cloud storage, where you cannot control which physical blocks are written, rely on secure-erase or cryptographic erasure instead
- Deletion with audit logs that record which category of record was removed, when, and under which rule, without the log itself retaining the personal data it documents
- Physical shredding of paper documents
- Anonymisation where data is needed for reporting but no longer linked to individuals
Every deletion should be defensible, documented, and secure. Remember that copies in backups, replicas, and exports are subject to the same retention period: a record deleted from the live system but still restorable from a five-year-old backup has not been deleted.
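To make the retention-schedule and secure-deletion sections above concrete, here is a small enforcement engine. It is an added example written for this page, not code from the original post or from any product it mentions. It assumes a hypothetical schedule keyed by data category (the categories, periods and justifications are constructed to follow the post’s UK figures, with 365-day years as a simplification), a constructed set of sample records, and a constructed audit-log key. Each record past its period is deleted, anonymised, or archived according to its rule, and every disposition is written to an audit log that references the record by a keyed hash rather than by its identifier, so the log does not itself become a store of personal data. Unclassified records raise an error instead of being kept indefinitely.

```python
"""Retention schedule enforcement with an audit trail (added example, not from the post)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Disposition(Enum):
    DELETE = "delete"        # remove the record entirely
    ANONYMISE = "anonymise"  # keep the record, strip anything identifying
    ARCHIVE = "archive"      # move to restricted long-term storage


@dataclass(frozen=True)
class Rule:
    retention_days: int        # counted from the record's trigger date
    disposition: Disposition   # what happens when the period ends
    basis: str                 # the documented justification for the period


# Hypothetical schedule, constructed for this example; 365-day years are a simplification.
SCHEDULE: dict[str, Rule] = {
    "system_log": Rule(90, Disposition.DELETE, "internal 90-day short-term data principle"),
    "marketing_campaign": Rule(180, Disposition.DELETE, "business need only"),
    "finance_record": Rule(6 * 365, Disposition.ARCHIVE, "VAT and audit, 6 years"),
    "hr_record": Rule(6 * 365, Disposition.DELETE, "contractual claims, 6 years after leaving"),
    "customer_analytics": Rule(2 * 365, Disposition.ANONYMISE, "reporting without identification"),
}

# Fields that identify a person; stripped when a record is anonymised (assumed set).
IDENTIFYING_FIELDS = {"name", "email", "employee_id", "ip_address"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date   # creation date, or the leaving date for HR records
    data: dict = field(default_factory=dict)


@dataclass
class AuditEntry:
    record_ref: str   # keyed hash of the id: the log must not itself retain personal data
    category: str
    action: str
    basis: str
    as_of: str


@dataclass
class Result:
    live: list[Record]
    archived: list[Record]
    audit: list[AuditEntry]


def record_ref(record_id: str, key: bytes) -> str:
    """Reference a record in the audit log without storing its identifier.
    The controller, holding the key, can confirm which record an entry covers;
    someone who only obtains the log cannot recover identifiers from it."""
    return hmac.new(key, record_id.encode(), hashlib.sha256).hexdigest()[:16]


def expiry_date(record: Record, rule: Rule) -> date:
    return record.trigger_date + timedelta(days=rule.retention_days)


def anonymise(record: Record) -> Record:
    """Drop identifying fields and the id itself, keeping only non-personal values."""
    kept = {k: v for k, v in record.data.items() if k not in IDENTIFYING_FIELDS}
    return Record("anonymised", record.category, record.trigger_date, kept)


def enforce(records: list[Record], as_of: date, key: bytes,
            schedule: dict[str, Rule] = SCHEDULE) -> Result:
    """Apply the schedule as of a given date and log every disposition."""
    result = Result([], [], [])
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            # Unclassified data is a policy gap: fail loudly rather than keep it forever.
            raise KeyError(f"no retention rule for category {rec.category!r}")
        if as_of < expiry_date(rec, rule):
            result.live.append(rec)
            continue
        if rule.disposition is Disposition.ANONYMISE:
            result.live.append(anonymise(rec))
        elif rule.disposition is Disposition.ARCHIVE:
            result.archived.append(rec)
        # DELETE: the record is simply not carried forward.
        result.audit.append(AuditEntry(record_ref(rec.record_id, key), rec.category,
                                       rule.disposition.value, rule.basis, as_of.isoformat()))
    return result


def run_example() -> Result:
    """Constructed sample data: one run of the schedule as of 1 June 2025."""
    records = [
        Record("log-1", "system_log", date(2025, 2, 1), {"ip_address": "203.0.113.7"}),
        Record("log-2", "system_log", date(2025, 4, 1), {"ip_address": "203.0.113.9"}),
        Record("hr-1", "hr_record", date(2019, 3, 15), {"name": "A. Example", "employee_id": "E42"}),
        Record("cust-1", "customer_analytics", date(2023, 1, 10),
               {"email": "a@example.com", "region": "EU", "orders": 3}),
        Record("fin-1", "finance_record", date(2018, 4, 5), {"invoice": "INV-1"}),
        Record("mkt-1", "marketing_campaign", date(2025, 3, 1), {"campaign": "spring"}),
    ]
    return enforce(records, as_of=date(2025, 6, 1), key=b"example-audit-key-not-for-production")


if __name__ == "__main__":
    res = run_example()
    for entry in res.audit:
        print(entry)
    print("live:", [r.record_id for r in res.live], "archived:", [r.record_id for r in res.archived])
```

Running it as of 1 June 2025 deletes the February log and the 2019 HR record, anonymises the customer analytics record (only `region` and `orders` survive), archives the 2018 finance record, and keeps the April log and the March campaign. The audit entries carry the category, action and justification needed to defend each step, but not the identifiers of the people concerned. In a real deployment the same rules would be expressed in the platform’s own lifecycle or retention features, and the run would need to include backups and replicas.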
Building a stronger data culture
A data retention policy is more than a compliance document: it is a cultural foundation. When staff understand:
- Why data cannot be kept forever
- How long different records should remain
- The risks of over-retention
- The tools available to automate the process
…your organisation becomes more efficient, more compliant, and more resilient. Retention becomes part of everyday good practice, not a last-minute scramble for an audit.
