Running a Compliant Business

How Long Should You Keep Records?

A plain-language guide to data retention: how long to keep personal data, how to decide, and how to dispose of it safely.

Beginner 12 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What the retention standard requires
  • How to set sensible retention periods
  • How to dispose of data securely
  • How to build a simple retention schedule

Overview

Keeping personal data is not free. Every record you hold is something you must protect and could lose in a breach. The Act asks you to keep personal data only as long as you genuinely need it. This module explains how to put that into practice.

Why this matters

Old data you no longer need is pure risk. It cannot help your business, but it can still be breached, misused, or requested. Sensible retention reduces that risk and keeps your systems tidy.

What the law says

The fifth standard (within sections 22 to 31) says personal data must not be kept longer than is necessary for the purpose it was collected for. The Act does not give a single number, because the right period depends on the data and the purpose.

Tip. "Necessary" is the key word. If you cannot explain why you still need a record, that is a sign it is time to dispose of it.

How to set retention periods

For each type of data, ask:

  • Why do we hold this, and for how long do we actually need it?
  • Is there a legal, tax, or sector rule that sets a minimum?
  • What is the risk of keeping it versus the cost of deleting it?

Write the answer down as a retention schedule: a simple list of data types and how long you keep each.

Disposing of data securely

When the time comes, dispose of data so it cannot be recovered:

  • delete electronic files and clear them from backups on your schedule
  • shred paper records rather than binning them
  • wipe or destroy storage on old devices before disposal or resale
Watch out. Putting old files in the rubbish or selling an un-wiped laptop is a common cause of breaches. Disposal must be secure.

Common mistakes

  • Keeping everything "just in case".
  • Having no schedule, so nothing is ever deleted.
  • Forgetting that backups and old devices also hold personal data.

Best practices

  • Create a simple retention schedule and follow it.
  • Review retention at least once a year.
  • Make secure disposal a normal habit, not an afterthought.

Put this into practice

Turn your retention review into tracked actions.

Check your compliance

Frequently asked questions

No. Keeping data indefinitely is a risk and goes against the Act. Set retention periods and dispose of data you no longer need.

Key takeaways

  • The fifth standard says do not keep personal data longer than necessary.
  • Set retention periods based on need and any legal requirement.
  • Dispose of data securely, both electronic and paper.
  • A simple retention schedule makes this manageable.

Related

Ask the Privacy Assistant

Beta