What Is the Maximum Length of Time You Can Hold Data For? A UK Guide to Legal and Ethical Data Retention

Whether you’re running a business, managing an HR department, or simply storing customer details, you might find yourself wondering:
What is the maximum length of time you can hold data for?

In the UK, data retention is governed by GDPR and the Data Protection Act 2018, and while there’s no fixed number of years applicable to all types of data, there are clear principles and sector-specific recommendations that you’re legally expected to follow.

This guide explains everything you need to know about how long you can legally store data, what “necessary” really means, and how to avoid fines or compliance failures.

What Is the Maximum Length of Time You Can Hold Data For?


Why Data Retention Matters in the UK

If you’re collecting, managing, or storing personal information—whether for customers, employees, or business operations—data retention is a legal and ethical concern. Holding onto personal data longer than necessary doesn’t just clutter your systems; it can also place your organization at risk of non-compliance with UK data protection laws.

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organizations must ensure that any personal data they collect is:

  • Adequate, relevant, and limited to what is necessary for the purpose

  • Kept for only as long as needed to achieve the purpose of its initial collection

This means that indefinite storage of personal data is not allowed, even if you believe the information may be useful in the future.

Overview of GDPR and the Data Protection Act 2018

In the UK, the UK GDPR (which was adapted from the EU’s GDPR following Brexit) operates alongside the Data Protection Act 2018 to establish a cohesive framework for data privacy and retention. Together, they set out:

  • The methods and reasons for collecting personal data

  • How long that data can be held

  • The personal entitlements of data subjects (for instance, the right to be forgotten)

  • Security standards that organisations must follow to safeguard information

These regulations do not prescribe specific timeframes for data retention across all sectors. Instead, they follow a principle-based approach that requires organizations to make justifiable decisions about retention periods based on the purpose of data collection.

Key Principle: You Shouldn’t Keep Data Longer Than Necessary

One of the main principles of GDPR stipulates that personal data retention must not exceed the duration necessary for the processing purposes. In practical terms, this means:

  • If the data is no longer required for the reason it was originally collected, it should be securely deleted or anonymised

  • If retention is still necessary (e.g., for legal, regulatory, or contractual reasons), the data must be properly safeguarded and reviewed regularly

For example:

  • Employee records might be kept for 6 years after employment ends, in line with potential legal claims

  • Customer transaction data may be held for 6–7 years to comply with financial and tax regulations

  • Job applicant information might be retained for up to 6 months to a year if not hired, unless consent is given to keep it longer

No Universal Time Limit, But Sector Guidelines Apply

While the law avoids one-size-fits-all deadlines, many sectors have industry-specific retention standards, often informed by regulatory bodies, legal precedent, or best practices. For instance:

  • Financial services: FCA guidance recommends retaining customer records for at least 5 years

  • Healthcare: NHS guidelines suggest keeping adult medical records for 8 years

  • Education: Student records may be kept for varying durations depending on funding and academic policies

  • Charities and nonprofits: Must balance donation records, volunteer data, and supporter information with privacy rights

Organizations should maintain a Data Retention Policy that outlines:

  • What types of data are collected

  • How long each type will be retained

  • The rationale behind each timeframe

  • Processes for reviewing, archiving, and deleting data

What Happens If You Store Data Too Long?

Failing to delete personal data once it’s no longer necessary may result in:

  • Action taken by the Information Commissioner’s Office (ICO)

  • Considerable penalties for violations of GDPR (maximum £17.5 million or 4% of yearly revenue)

  • Deterioration of reputation and erosion of trust from clients or stakeholders

Beyond compliance risks, poor data retention practices can also lead to security vulnerabilities, increased storage costs, and operational inefficiencies.

What Does “Necessary” Mean for Data Retention?


Understanding the Legal Meaning of “Necessary”

When it comes to data retention, the word “necessary” is central to compliance with UK GDPR. However, it’s not just about convenience or future usefulness—it refers to objectively justifiable grounds for keeping personal data based on lawful, specific purposes.

Data protection law states that data retention should occur only for the duration it is necessary to fulfill the original purpose of its collection. After that purpose has been achieved, the data should either be:

  • Permanently deleted, or

  • Anonymized, so it can no longer be linked to an identifiable individual

Factors That Affect Retention Timeframes

The definition of “necessary” varies based on context, sector, and legal duty. Retention periods must be tailored to the type of data, why it was collected, and any laws or contracts in place. Some key influencing factors include:

  • Legal obligations: Data needed to comply with tax laws, employment regulations, or statutory audits

  • Contractual requirements: Retaining data necessary to deliver or support ongoing services

  • Sector-specific rules: Industry guidelines may dictate retention limits for education, healthcare, financial services, and more

  • Purpose of collection: The data should be kept only as long as it’s needed to fulfil the original reason it was collected—nothing more

Example:
Retaining customer transaction records for six years is justified under HMRC record-keeping rules. However, keeping outdated marketing preferences or inactive email addresses for the same length of time without consent or use may violate GDPR principles.

Lawful Purpose vs Habitual Storage

A common mistake among businesses is defaulting to habitual data storage—keeping everything “just in case.” However, this approach directly contradicts the storage limitation principle under GDPR.

Every retention decision must be based on a lawful, current need, not speculative or convenience-based reasoning. If you can’t demonstrate a clear reason for holding on to data, you’re at risk of non-compliance.

How to Define “No Longer Needed”

To establish whether data is “no longer necessary,” ask:

  • Is the contract or service agreement over?

  • Has the user closed their account or withdrawn consent?

  • Has the legal limitation period (e.g., tax, employment claims) expired?

  • Is the data still actively used for a relevant business or legal purpose?

If the contract has ended, consent has been withdrawn, the limitation period has expired, or the data is no longer in active use for a relevant purpose, then it’s time to securely delete or anonymise the information in accordance with your data retention policy.

Maximum Data Retention Periods for Different Types of Data

Here’s a breakdown of standard retention guidelines based on common categories of personal data:

| Data Type | Purpose | Typical Retention Period | Additional Notes |
|---|---|---|---|
| Customer Data | Customer service, order history, marketing | Up to 6 years for transactional data; 1–2 years for marketing or inactive accounts | Delete marketing data when consent is withdrawn |
| Employee & HR Records | Payroll, contracts, performance, disciplinary actions | 6 years after employment ends (in line with limitation periods for claims) | Retain longer only if needed for pension schemes or potential health & safety claims |
| Financial & Tax Records | HMRC reporting, VAT, auditing | 6 years minimum (standard tax audit period) | Some VAT records (e.g., under MOSS) may need to be kept for 10 years |
| CCTV & Surveillance Footage | Security monitoring, health & safety evidence | Typically 30 days unless an incident or investigation extends the need | Clear signage must inform individuals of CCTV use |
| Email & Communications | Internal and external business correspondence, contractual discussions | Between 1 and 7 years, depending on sector and data use | Implement policies to auto-delete or archive inactive inboxes regularly |

What Happens If You Hold Data Too Long?


Legal and Regulatory Consequences

In accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations must legally retain personal data only for the duration necessary to fulfill the purpose for which it was collected. Holding on to data beyond this period without valid justification is a direct violation of data protection law—and it can carry serious consequences.

The UK’s data protection authority, the Information Commissioner’s Office (ICO), has the authority to:

  • Investigate suspected breaches of data protection rules

  • Issue warnings and enforcement notices

  • Order the deletion of unlawfully retained data

  • Impose financial penalties for non-compliance

Failure to comply with retention rules may lead to substantial legal and financial consequences, especially if personal data is stored indefinitely or in a manner that creates security vulnerabilities.

High-Profile Enforcement Cases

The ICO has not hesitated to penalise organisations—both large and small—that breach data retention principles. Two notable examples include:

  • British Airways: Fined £20 million for failing to adequately secure personal data, leading to a major data breach. Although not solely about retention, the volume and scope of data held contributed to the impact.

  • Clearview AI: Ordered to delete data unlawfully collected and stored from UK residents and prohibited from further data processing in the UK. This case underscores the importance of data minimisation and lawful retention practices.

These examples show that even global organisations are not immune from regulatory scrutiny when they disregard GDPR principles.

Fines and Enforcement by the ICO

If your organisation is found to be holding personal data without lawful basis or beyond a reasonable retention period, the ICO can impose:

  • Fines of up to £17.5 million or 4% of annual global turnover, whichever is higher

  • Mandatory audits of your data handling practices

  • Orders to delete data immediately

  • Public reprimands, which can damage brand reputation and consumer trust

In addition to direct penalties, non-compliance may trigger follow-up investigations, loss of third-party trust, and difficulty securing contracts or certifications.

Reputational and Cybersecurity Risks

Beyond legal consequences, holding unnecessary personal data significantly increases your cybersecurity exposure. The more data you retain, the greater your responsibility to safeguard it—and the larger the potential fallout if it’s exposed in a breach.

Key risks of excessive data retention include:

  • Increased attack surface: Outdated or rarely accessed data is often poorly protected, making it a prime target for hackers

  • Higher cost of a breach: Breaches involving large volumes of data result in more severe consequences, including customer loss, legal action, and insurance claims

  • Public backlash: Customers and clients expect organisations to handle their data responsibly. Retaining data without clear justification can erode trust and loyalty, especially if exposed during a breach or investigation

How to Create a Data Retention Policy


A well-structured data retention policy is essential for ensuring compliance with the UK GDPR and the Data Protection Act 2018. It helps your organisation maintain control over personal data, avoid legal risks, and ensure that information is only kept for as long as it is lawfully necessary.

Setting Retention Schedules by Data Category

Start by building a data retention schedule that outlines how long each type of data will be kept and why. This schedule should be tailored to your specific business operations and legal obligations.

A strong retention policy should clearly identify:

  • Categories of data collected (e.g. customer records, employee files, financial data)

  • Retention periods for each data type, based on legal, contractual, or operational needs

  • Justifications for the chosen timeframes (e.g. HMRC compliance, customer support requirements)

  • Review and deletion timelines to ensure data is not kept beyond its useful or lawful purpose

Example:
Customer order history may be retained for 6 years for tax purposes, while marketing data should be reviewed after 12–24 months of inactivity.

Tools to Automate Data Deletion

Manual data management is time-consuming and error-prone. Fortunately, many contemporary digital platforms come equipped with automated retention and deletion features that aid in complying with the GDPR.

Here are common tools and features you can use:

  • CRM systems: Set rules to automatically delete or archive customer records after a set period of inactivity

  • Cloud storage platforms (like Google Workspace or Microsoft 365): Use retention labels, expiration tags, and data lifecycle rules

  • Project management and email systems: Enable auto-archiving or permanent deletion of messages and attachments beyond a defined age

When and How to Perform Data Reviews

To maintain compliance, it’s crucial to conduct regular reviews of the data you hold. A best practice is to perform a comprehensive data audit annually, although high-risk sectors may require more frequent assessments.

During each review, ensure that you:

  • Evaluate the necessity of all stored data—Is it still being used? Is it still required?

  • Identify and delete or anonymise any data that has exceeded its retention period

  • Update internal documents, such as your privacy notices, employee handbooks, and data retention policy, to reflect any changes

  • Document your actions as part of your compliance record in case of an ICO audit

Table: Common Data Types and Recommended Retention Periods in the UK

| Data Type | Recommended Retention Period | Legal Basis / Notes |
|---|---|---|
| Customer invoices | 6 years | Required for HMRC recordkeeping |
| Employee records | 6 years after leaving | Based on Limitation Act and employment law |
| Health and safety records | Up to 40 years | Required for asbestos or medical claims |
| Marketing data (opt-in) | 1–2 years (after last contact) | Consent must be refreshed periodically |
| Job application data | 6–12 months | Unless consent given for longer storage |
| CCTV footage | 30 days | Unless needed for investigation or legal reasons |
| Backup data | Varies (14–90 days typical) | Must be justifiable and securely managed |
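The retention schedule, the “no longer needed” checklist, and the annual review steps above can be turned into a small, repeatable check. The following Python script is an added example and not code from the original article: it encodes a schedule modelled on the table (choosing 2 years for marketing data and 12 months for job applications where the table gives a range), applies it to constructed sample records with an “as of” review date, treats a legal hold or withdrawn consent as overriding the schedule, and returns an audit-log entry for every decision so the review is documented. The category names, the `Record` fields, and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


# Retention schedule modelled on the article's table. Where the table gives a
# range, the concrete period below is this hypothetical policy's chosen value.
@dataclass(frozen=True)
class Rule:
    years: int = 0
    months: int = 0
    days: int = 0
    end_action: str = "delete"   # "delete" or "anonymise" once the period lapses
    basis: str = ""              # justification recorded in the retention policy
    consent_based: bool = False  # withdrawn consent ends the lawful basis at once


SCHEDULE = {
    "customer_invoice": Rule(years=6, basis="HMRC record-keeping"),
    "employee_record": Rule(years=6, basis="Limitation Act / employment claims"),
    "marketing_opt_in": Rule(years=2, end_action="anonymise",
                             basis="consent; refreshed periodically", consent_based=True),
    "job_application": Rule(months=12, basis="unsuccessful applicant", consent_based=True),
    "cctv_footage": Rule(days=30, basis="security monitoring"),
    "backup": Rule(days=90, basis="operational resilience"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                    # start of the retention clock (invoice date,
                                          # leaving date, last contact, capture date...)
    consent_withdrawn: bool = False
    legal_hold: bool = False              # incident, investigation or litigation
    consent_until: Optional[date] = None  # explicit consent to keep data beyond schedule


def add_period(start: date, rule: Rule) -> date:
    """Date on which a record's scheduled retention period lapses."""
    total_months = start.month - 1 + rule.months
    year = start.year + rule.years + total_months // 12
    month = total_months % 12 + 1
    # Clamp the day so 31 Jan + 1 month lands on the last day of February.
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(start.day, last_day)) + timedelta(days=rule.days)


def decide(record: Record, as_of: date) -> dict:
    """Apply the schedule to one record; return the action and its justification."""
    rule = SCHEDULE[record.category]
    expiry = add_period(record.trigger_date, rule)
    if record.legal_hold:
        action, reason = "retain", "legal hold: incident or investigation extends the need"
    elif rule.consent_based and record.consent_withdrawn:
        action, reason = "delete", "consent withdrawn: no remaining lawful basis"
    elif record.consent_until is not None and as_of <= record.consent_until:
        action, reason = "retain", f"explicit consent to retain until {record.consent_until}"
    elif as_of >= expiry:
        action, reason = rule.end_action, f"retention period lapsed on {expiry}"
    else:
        action, reason = "retain", f"within retention period until {expiry}"
    # Every decision is logged so the review is evidenced for an ICO audit.
    return {"record_id": record.record_id, "category": record.category, "action": action,
            "reason": reason, "basis": rule.basis, "reviewed_on": as_of.isoformat()}


def review(records, as_of: date) -> list:
    """Full audit log for a review run: one entry per record, including retains."""
    return [decide(r, as_of) for r in records]


def pending_actions(records, as_of: date) -> list:
    """The worklist: only records that must now be deleted or anonymised."""
    return [d for d in review(records, as_of) if d["action"] != "retain"]


# Constructed sample records (not real data) for a review dated 1 April 2024.
SAMPLE_RECORDS = [
    Record("INV-001", "customer_invoice", date(2018, 3, 1)),          # lapsed 2024-03-01
    Record("EMP-042", "employee_record", date(2021, 6, 30)),          # lapses 2027-06-30
    Record("MKT-777", "marketing_opt_in", date(2022, 1, 15), consent_withdrawn=True),
    Record("APP-310", "job_application", date(2023, 1, 31), consent_until=date(2025, 1, 31)),
    Record("CCTV-09", "cctv_footage", date(2024, 3, 20), legal_hold=True),
    Record("BKP-2024-01", "backup", date(2024, 1, 1)),                # lapsed 2024-03-31
]

if __name__ == "__main__":
    for entry in review(SAMPLE_RECORDS, date(2024, 4, 1)):
        print(f"{entry['record_id']:12} {entry['action']:9} {entry['reason']}")
```

Running the script lists a decision for every record; `pending_actions` is the list you would hand to the deletion or anonymisation job, while `review` is the full log to keep as the compliance record. Keeping the schedule as data rather than scattered conditions makes the “rationale behind each timeframe” visible in one place and easy to update when guidance changes.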


Conclusion

So, what is the maximum length of time you can hold data for? In the UK, the answer depends on your purpose, your industry, and your legal obligations. But the golden rule remains:

Only keep personal data for as long as it is necessary—and not a day longer.

To stay compliant:

  • Create a retention policy
  • Use automation to manage deletions
  • Regularly review and document your data practices

For more guidance, visit ICO’s official website or consult a GDPR compliance expert.


FAQs

Is There a Universal Maximum Time Limit?

No. GDPR does not define a fixed time limit. The criterion is whether the data is still required for its initial purpose.

Can You Store Data for Historical or Research Purposes?

Yes—but only if the data is anonymized or if you meet specific conditions under GDPR Article 89 for archiving and research.

What About Archived or Backup Data?

You must ensure archived or backed-up data is also subject to retention policies. It must not be a loophole for indefinite storage.

Do Customers Have a Right to Know How Long You Hold Their Data?

Absolutely. Under GDPR, your privacy policy must clearly state:

  • The duration for which you retain each data type
  • The criteria used to determine that period
  • The right to erasure (“right to be forgotten”) of your customers
