UK GDPR does not set fixed retention periods. This guide explains how the storage limitation principle works in practice, what other UK laws require, and how to build a retention schedule the ICO will accept.
The single most common misconception about GDPR retention rules is that the regulation sets specific time limits — that there's some equivalent of "keep for seven years and then delete". It doesn't. UK GDPR's approach to retention is purpose-led: you can keep personal data for as long as you need it for the specific purpose you originally collected it for, and no longer.
That principle is easy to state and harder to operationalise. This guide covers how the storage limitation principle works, what other UK laws require for specific record types, and how to build a retention schedule that demonstrates compliance to the ICO.
The short answer
UK GDPR contains no fixed retention periods for personal data. The storage limitation principle in Article 5(1)(e) requires that data is kept in a form which permits identification of individuals "for no longer than is necessary for the purposes for which the personal data are processed".
The work of compliance is therefore in two parts. First, you define your purposes and what data you need for each. Second, you set a retention period that matches each purpose, document it, and follow it.
There are limited exceptions where indefinite retention is permitted — public-interest archiving, scientific or historical research, and statistical purposes — but only with appropriate safeguards under Article 89.
The storage limitation principle in detail
Article 5(1)(e) of the UK GDPR is the source of the obligation. It requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".
Three points are worth unpacking:
"No longer than is necessary" is purpose-led. The legal question is whether you still need the data for a specific, lawful purpose. If the answer is no, you must delete or anonymise it. Holding data "just in case it might be useful later" is not a lawful purpose.
"In a form which permits identification" is the key phrase. You can keep data beyond the retention period if you anonymise it — that is, if it can no longer be linked to an identifiable person, even with effort. Genuine anonymisation is harder than it sounds; pseudonymisation (replacing names with codes) does not count.
"For the purposes for which it is processed" ties retention to your stated purposes. If you collected an email address for order confirmations and customer service, you can keep it as long as you need it for those purposes. If you later want to use it for direct marketing, that's a new purpose with its own retention question — not an extension of the original.
The accountability principle in Article 5(2) requires you to be able to demonstrate compliance. In practice, that means having a written retention schedule and following it.
Debunking the "seven-year" myth
A persistent belief in UK business circles is that GDPR requires personal data to be retained — or perhaps deleted — after seven years. It's a confused echo of HMRC's requirement to keep tax records for at least six years, and it has no basis in GDPR itself.
To be specific:
- UK GDPR sets no fixed retention period for any category of personal data.
- HMRC requires companies to retain tax records for at least six years from the end of the accounting period to which they relate, with longer periods in specific situations.
- The Limitation Act 1980 sets six years as the standard limitation period for breach of contract claims, which is why many organisations choose six years as a default for customer records.
Six years is a common period in practice. Seven years is rarely the right answer for anything specific. Neither is a GDPR requirement.
Setting retention periods by data category
The practical work of retention compliance starts with mapping your personal data by category, then setting a period for each category based on the purposes that justify keeping it.
A simplified example for a typical UK small business:
- Customer order records — kept for six years from the end of the relevant accounting period, to meet HMRC requirements and the Limitation Act window for contract claims.
- Customer marketing list — kept while the customer is active and for two years after their last interaction, with consent or legitimate interests as the lawful basis.
- Employee personnel files — kept for six years after employment ends, covering employment tribunal claim windows.
- Payroll records — kept for six years from the end of the tax year (HMRC).
- Job application data for unsuccessful candidates — kept for six months to a year, depending on whether you want to consider them for future roles and have told them so.
- CCTV footage — kept for 7 to 31 days on automatic overwrite, longer only for footage relevant to a specific incident.
- Website analytics data — kept as briefly as the analytics tool allows for the insights you actually use.
These are illustrative, not prescriptive. Your specific obligations depend on your sector, the purposes you've documented, and any relevant industry regulation.
Statutory minimums from other regimes
GDPR doesn't set retention periods, but other UK laws do. The most commonly relevant:
- HMRC — six years from the end of the accounting period for company tax records; longer for certain situations like investigations or property-related records.
- Companies Act 2006 — statutory company records (registers of members, directors, etc.) must be kept for the life of the company plus various periods after dissolution.
- Employment law — wage records for at least three years (Working Time Regulations); statutory minimum wage records for six years; right-to-work documents for two years after the worker leaves.
- Financial services — FCA-regulated firms must retain client records for at least five years (longer for pension records, insurance, and certain investments).
- Healthcare — NHS retention schedules vary by record type, with adult health records typically retained for eight years after the last contact and child records until age 25.
- Limitation Act 1980 — the standard six-year window for contractual claims, twelve years for deeds.
Where a statutory minimum applies, you have a legal obligation to retain the data. Article 6(1)(c) of the UK GDPR — processing necessary to comply with a legal obligation — provides the lawful basis. You don't need consent or legitimate interests to keep tax records.
The reverse is also true: a statutory minimum doesn't authorise you to keep data beyond that minimum unless you have a separate purpose that justifies the continued retention.
Building a retention schedule
A defensible retention policy is a documented schedule that lists each category of personal data, the purpose that justifies retention, the lawful basis, the retention period, and how the deletion or anonymisation is carried out.
A basic schedule has at least these columns:
- Data category — for example, "employee personnel files".
- Purpose — what you use the data for.
- Lawful basis — under Article 6 (and Article 9 for special category data).
- Retention period — the actual time the data is kept.
- Justification — why this period, with reference to statutory minimums or business need.
- Deletion method — how data is removed when the period expires, including backups.
- Review date — when the schedule entry is next checked.
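As an added example that is not part of this guide, the columns above encoded as a small schedule with an expiry check and a review-date check; the entries, periods, trigger events and review dates are constructed from the illustrative figures earlier on this page, not a real organisation's schedule:

```python
import calendar
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ScheduleEntry:
    """One row of the retention schedule, mirroring the columns listed above."""
    purpose: str
    lawful_basis: str       # Article 6 basis the organisation has documented
    retention_months: int   # period counted from the trigger event
    trigger: str            # event the period runs from (assumed per category)
    justification: str
    deletion_method: str
    review_date: date

# Constructed entries using the illustrative periods from this guide; not legal advice.
SCHEDULE = {
    "customer_order_records": ScheduleEntry(
        "Fulfil orders, accounts and tax", "6(1)(c) legal obligation", 72,
        "end of relevant accounting period", "HMRC six years; Limitation Act 1980",
        "Hard delete from orders DB; backups overwritten on routine cycle", date(2026, 1, 1)),
    "customer_marketing_list": ScheduleEntry(
        "Direct marketing", "6(1)(a) consent", 24,
        "last customer interaction", "Two years inactive, then cleansed",
        "Anonymise; suppress address in CRM", date(2026, 1, 1)),
    "employee_personnel_files": ScheduleEntry(
        "Employment administration", "6(1)(b) contract / 6(1)(c)", 72,
        "end of employment", "Tribunal and contract claim windows",
        "Shred paper file; delete HR system record", date(2026, 6, 1)),
}

def add_months(d: date, months: int) -> date:
    """Calendar-accurate month arithmetic (31 Jan + 1 month = 28/29 Feb, not 3 Mar)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def expiry_date(category: str, trigger_date: date) -> date:
    """Date on which the documented period for this category runs out."""
    return add_months(trigger_date, SCHEDULE[category].retention_months)

def retention_status(category: str, trigger_date: date, today: date) -> str:
    """'retain' while the documented purpose still runs, else 'expired' (apply deletion_method)."""
    return "expired" if today >= expiry_date(category, trigger_date) else "retain"

def entries_due_for_review(today: date) -> list[str]:
    """Categories whose review date has passed: the schedule itself must be maintained."""
    return sorted(c for c, e in SCHEDULE.items() if e.review_date <= today)

if __name__ == "__main__":
    # Constructed record: accounting period ending 31 March 2019, checked on 1 April 2025
    print(expiry_date("customer_order_records", date(2019, 3, 31)))  # 2025-03-31
    print(retention_status("customer_order_records", date(2019, 3, 31), date(2025, 4, 1)))
```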
The ICO expects the schedule to be reviewed periodically, and updated whenever your processing changes. A schedule that hasn't been touched in three years is a sign of a programme that has stopped working.
Smaller organisations doing low-risk processing may not need a documented retention schedule, but they still need to delete data they no longer need. In practice, having a one-page schedule even for a small operation is cheaper than improvising during a complaint.
Backups and "put beyond use"
Most retention policies hit a practical problem at the deletion stage: data is easy to delete from live systems but lives on in backups. Backups are designed to capture point-in-time copies, and deleting individual records from them is often technically impossible or commercially disproportionate.
The ICO's accepted approach is the concept of "putting data beyond use". If you can demonstrate that backup data:
- Is not accessed for any other purpose,
- Cannot be used to inform any decision affecting a specific person, and
- Will be overwritten or destroyed in line with a routine cycle,
then the ICO will generally treat the data as compliant with the storage limitation principle, even though it has not been technically deleted.
You still need to be able to find and delete the data again if a backup containing it is restored after a valid erasure request has been actioned. The "put beyond use" position is a workaround for the practical lifecycle of backups, not a permanent shield.
For more on how retention interacts with the rest of UK GDPR, see our seven principles guide and our individual rights guide (specifically, the right to erasure).
Frequently asked questions
Is there a GDPR 7-year rule?
No. UK GDPR sets no fixed retention periods. The "seven years" figure is a confused echo of HMRC's six-year tax record requirement and the Limitation Act 1980's six-year window for contract claims.
How long can I keep HR records?
There is no single answer. Most UK employers keep core personnel files for six years after employment ends, covering the employment tribunal and contract claim windows. Specific items (right-to-work documents, payroll, pension records) have their own statutory minimums.
How long can I keep customer data?
For as long as you need it for the purpose you collected it. Order records often run six years (HMRC plus Limitation Act). Marketing lists are typically kept for as long as the customer is active plus a defined inactive period, with regular cleansing.
What happens to backups under GDPR?
The ICO accepts that personal data may persist in backups after deletion from live systems, provided the data is "put beyond use" — not accessed for any other purpose, not used in decisions about individuals, and overwritten in due course.
Do I have to delete data on request?
Sometimes. The right to erasure under Article 17 applies in specific circumstances and is subject to exemptions — including where you need the data to comply with a legal obligation or to defend a legal claim.
Can I keep data indefinitely for research?
Article 5(1)(e) allows indefinite retention for public-interest archiving, scientific or historical research, and statistical purposes — but only with appropriate safeguards under Article 89. If you start using the data for any other purpose, the retention exemption no longer applies.