Create a comprehensive Data Retention Policy for England and Wales that supports compliance with the UK GDPR storage limitation principle (Article 5(1)(e)) and the Data Protection Act 2018. This template covers all essential elements: organisation identification, policy scope, a detailed retention schedule by data category (employee records, payroll and PAYE, recruitment, health and safety, CCTV, customer records, contracts, and financial records), legal retention requirements under the Companies Act 2006, Income Tax (Earnings and Pensions) Act 2003, HMRC guidance, Limitation Act 1980, RIDDOR 2013, and COSHH Regulations 2002. Includes secure destruction procedures, legal hold provisions, review and audit obligations, responsibilities, and breach consequences. Download as PDF or Word.
What Is a Data Retention Policy (UK)?
A Data Retention Policy is a formal internal document that sets out how long an organisation retains different categories of personal data and business records, and the procedures for securely destroying data when it is no longer needed. In England and Wales, the obligation to establish and maintain a data retention framework arises from the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which together form the primary data protection legislation applicable to all organisations processing personal data in the United Kingdom.
The UK GDPR was retained in UK domestic law following the United Kingdom’s departure from the European Union, by virtue of the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 5(1)(e) of the UK GDPR establishes the storage limitation principle, which provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This principle sits alongside the accountability principle in Article 5(2), which requires data controllers to be able to demonstrate compliance with all of the data protection principles, including storage limitation.
A Data Retention Policy translates these legal obligations into a practical, operational framework. It identifies each category of personal data and business record held by the organisation, assigns a maximum retention period to each category based on the applicable legal requirements and legitimate business needs, specifies the method by which data will be securely destroyed at the end of the retention period, and establishes a governance structure for monitoring compliance. The policy should cross-reference the specific legal provisions that determine or inform the retention period for each category of data — including the Companies Act 2006 (which requires accounting records to be retained for 3 or 6 years depending on the company type), the Income Tax (Earnings and Pensions) Act 2003 (which requires PAYE records to be retained for at least 3 years), the Limitation Act 1980 (which sets a 6-year limitation period for contractual claims and 12 years for claims on a deed), the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (which requires accident records to be retained for 3 years), and the Control of Substances Hazardous to Health Regulations 2002 (which requires health surveillance records to be retained for 40 years).
The Information Commissioner’s Office (ICO) — the UK’s independent supervisory authority for data protection — has consistently emphasised the importance of documented retention schedules as a core element of UK GDPR accountability. The ICO’s guidance on accountability and governance states that controllers should establish clear retention periods, build these into their data processing systems, and conduct regular reviews to ensure that data is not held for longer than necessary.
When Do You Need a Data Retention Policy (UK)?
A Data Retention Policy is needed by every organisation in England and Wales that processes personal data as a data controller under the UK GDPR. The policy should be established and documented before the organisation begins processing personal data in earnest, and should be treated as a foundational governance document that sits alongside the organisation’s privacy policy, data processing agreements, and Records of Processing Activities (ROPA) under Article 30.
The policy is particularly important when an organisation is setting up its data protection compliance framework for the first time — for example, when a new business is incorporated, when an existing business begins processing significant volumes of personal data, or when an organisation is preparing for an ICO audit or responding to an ICO investigation. The ICO’s accountability framework requires controllers to be able to demonstrate that they have systematically considered how long they need to retain each category of data and have documented their retention decisions with reference to the applicable legal requirements.
A Data Retention Policy becomes critical during data subject access requests under UK GDPR Article 15. When an individual exercises their right of access, the controller must search its records and provide a copy of the personal data held. If the controller has retained data beyond the period justified by the retention policy, it faces the risk of disclosing data that should already have been destroyed — which may itself constitute a breach of the storage limitation principle. Conversely, if the controller has destroyed data prematurely, it may be unable to comply with legal obligations that required the data to be retained.
The policy is also essential when responding to litigation or regulatory investigations. Under the Civil Procedure Rules (CPR Part 31), parties to litigation in England and Wales have a duty to disclose documents that are relevant to the issues in dispute. This duty arises as soon as litigation is reasonably contemplated, and the deliberate destruction of potentially relevant documents can result in adverse inferences, costs penalties, or contempt of court. A well-drafted Data Retention Policy with clear legal hold provisions ensures that the organisation can impose a preservation notice quickly and effectively when litigation is anticipated.
Organisations should review and update their Data Retention Policy at least annually, or whenever there is a material change in their processing activities, the legal landscape, or ICO guidance. Common triggers for review include the introduction of new data processing systems, changes in applicable legislation, the engagement of new third-party data processors, organisational restructuring or mergers, and the findings of internal data protection audits.
What to Include in Your Data Retention Policy (UK)
A well-drafted Data Retention Policy for England and Wales should contain several key elements that together demonstrate compliance with the UK GDPR storage limitation and accountability principles.
Purpose and Scope — The policy should clearly state its objective (to ensure personal data is not retained longer than necessary in compliance with UK GDPR Article 5(1)(e)) and its scope (all personal data and business records held by the organisation in any format, including paper, electronic, email, cloud storage, and backup systems). It should specify that the policy applies to all employees, officers, contractors, and third-party processors.
Legal Framework — A summary of the principal legislation underpinning the policy, including the UK GDPR, Data Protection Act 2018, Companies Act 2006, Income Tax (Earnings and Pensions) Act 2003, Limitation Act 1980, RIDDOR 2013, COSHH Regulations 2002, and any sector-specific legislation. This section demonstrates to the ICO that the organisation has identified and considered all applicable legal retention obligations.
Retention Schedule — The core of the policy: a detailed schedule that lists each category of personal data and business record, the applicable retention period, the date from which the retention period begins (for example, the date of termination of employment for employee records, or the date of the last transaction for customer records), and the legal basis or business justification for the retention period chosen. Categories should include at minimum employee records, payroll and PAYE records, recruitment records, health and safety records, CCTV footage, customer and client records, commercial contracts, financial and accounting records, and IT system logs.
Secure Destruction Procedures — A description of the methods used to destroy data securely at the end of the retention period, covering paper records (cross-cut shredding to DIN 66399 P-4 standard or incineration), electronic records (secure overwrite or physical destruction of media), and cloud-stored data (written instruction to the processor with certificate of deletion). The policy should require a destruction log recording what was destroyed, when, how, and by whom.
Responsibilities — Clear allocation of responsibilities, typically including the Data Protection Officer (overall oversight and policy maintenance), the responsible person for day-to-day implementation, heads of department (ensuring team compliance), and all employees and contractors (managing records in accordance with the policy and reporting suspected breaches).
Legal Hold Provisions — Procedures for suspending normal destruction when records may be relevant to anticipated or actual legal proceedings, ICO investigations, or Subject Access Requests. The policy should define the triggers for a legal hold, the process for communicating the hold, and the procedure for lifting it when the matter is resolved.
Review and Audit — A commitment to review the policy at a specified frequency (annually is standard) and to conduct periodic audits of data holdings to verify compliance. Audit results should be documented and reported to senior management or the board.
Breach Consequences — A statement of the consequences of non-compliance, both for the organisation (ICO fines of up to 17.5 million pounds or 4 percent of global annual turnover under section 157 of the Data Protection Act 2018) and for individual employees (disciplinary action).
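As an added illustration, not part of this template or any product it describes, the following Python models the retention schedule, legal hold and destruction log elements above: each record carries a trigger date, the schedule maps categories to the periods cited on this page, a legal hold suspends destruction of an expired record, and a destruction log entry records what, when, how and by whom. The category names, schedule table and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed schedule: (years from trigger event, basis cited on this page).
SCHEDULE = {
    "payroll_paye":        (3,  "Income Tax (Earnings and Pensions) Act 2003"),
    "accounting_private":  (3,  "Companies Act 2006, private company"),
    "accounting_public":   (6,  "Companies Act 2006, public company"),
    "contract":            (6,  "Limitation Act 1980, simple contract"),
    "health_surveillance": (40, "COSHH Regulations 2002"),
}

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # employment end, last transaction, contract end...
    legal_hold: bool = False  # preservation notice in force: destruction suspended

def add_years(d: date, years: int) -> date:
    try:                      # 29 Feb rolls back to 28 Feb in a non-leap year
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)
def destroy_after(rec: Record) -> date:
    return add_years(rec.trigger_date, SCHEDULE[rec.category][0])
def review(records, today: date) -> dict:
    # Periodic audit: sort record ids into destroy / on_hold / retain.
    out = {"destroy": [], "on_hold": [], "retain": []}
    for rec in records:
        if today < destroy_after(rec):
            out["retain"].append(rec.record_id)
        elif rec.legal_hold:
            out["on_hold"].append(rec.record_id)  # expired but must be preserved
        else:
            out["destroy"].append(rec.record_id)
    return out
def destruction_log_entry(rec: Record, method: str, actor: str, when: date) -> dict:
    # Destruction log: what, when, how, by whom, and the basis for the period.
    if rec.legal_hold:
        raise ValueError(f"{rec.record_id} is under legal hold")
    return {"record_id": rec.record_id, "category": rec.category,
            "basis": SCHEDULE[rec.category][1], "destroyed_on": when.isoformat(),
            "method": method, "by": actor}

SAMPLE = [  # constructed sample records for a review run on 1 May 2025
    Record("PAY-001", "payroll_paye", date(2021, 4, 5)),                 # expired
    Record("CON-002", "contract", date(2018, 6, 30), legal_hold=True),   # held
    Record("HS-003", "health_surveillance", date(2010, 1, 15)),          # retain
]
```

Running `review(SAMPLE, date(2025, 5, 1))` places PAY-001 in the destroy list, keeps CON-002 on hold despite its period having expired, and retains HS-003 until 2050.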