Data Retention Policy (UK)
UK GDPR Article 5(1)(e) & Data Protection Act 2018
This Data Retention Policy is issued by [Company Name], whose registered address is [Company Street], [Company City], [Company Postcode] (the "Company", "we", "us", or "our").
This Policy takes effect on [Policy Date] and was approved on [Approval Date]. It is owned by [Policy Owner] and is the responsibility of [Responsible Person Name], [Responsible Person Title].
1. PURPOSE AND SCOPE
1.1 The purpose of this Data Retention Policy is to ensure that the Company retains personal data and other records for no longer than is necessary for the purposes for which they were collected, in accordance with the storage limitation principle set out in Article 5(1)(e) of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.2 This Policy applies to all personal data and business records held by the Company in any format, including paper records, electronic files, email communications, databases, cloud storage, and backup systems. It applies to all employees, officers, contractors, consultants, and third-party data processors acting on behalf of the Company.
1.3 This Policy establishes minimum and maximum retention periods for each category of record. Records must not be destroyed before the minimum period has elapsed. Records must not be retained beyond the maximum period unless an exception applies (see Section 6).
1.4 This Policy does not override any specific retention period required by applicable law, regulation, or court order, which shall take precedence.
2. LEGAL FRAMEWORK
2.1 This Policy is designed to ensure compliance with the following principal legislation:
- UK General Data Protection Regulation (UK GDPR), Article 5(1)(e) — storage limitation principle: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Data Protection Act 2018 — supplementing the UK GDPR with domestic provisions and Schedule 1 conditions for special category processing.
- Limitation Act 1980 — setting a general 6-year limitation period for simple contract claims (s.5) and 12 years for claims on a deed (s.8), which informs minimum retention periods for commercial records.
- Companies Act 2006, s.386-388 — requiring companies to keep accounting records for 3 years (private companies) or 6 years (public companies) from the date the records were made.
- Income Tax (Earnings and Pensions) Act 2003 — requiring retention of PAYE records for at least 3 years (with 6 years recommended per HMRC guidance).
- Employment Rights Act 1996 — including minimum notice periods, unfair dismissal rights, and the 2-year qualifying period for most employment rights, which informs employment records retention.
- Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) — requiring accident records to be retained for 3 years.
- Control of Substances Hazardous to Health Regulations 2002 (COSHH), regulation 18 — requiring health surveillance records to be retained for 40 years.
- Value Added Tax Act 1994 and HMRC VAT Notice 700/21 — requiring VAT records to be retained for 6 years.
2.2 The Data Protection Officer ([DPO Name]) is responsible for monitoring changes to applicable legislation and updating this Policy accordingly.
3. DATA RETENTION SCHEDULE
3.1 The following retention schedule sets out the maximum period for which each category of personal data and business record will be retained. At the end of the retention period, records will be securely destroyed in accordance with Section 4 of this Policy.
3.2 Employment Records — Personnel files (including employment contracts, job descriptions, appraisal records, absence records, and correspondence): [Employee Records Retention]. Legal basis: Limitation Act 1980 s.5 (contractual claims); Employment Rights Act 1996 (unfair dismissal limitation period of 3 months from effective date of termination, extended to 6 months in certain circumstances).
3.3 Payroll and PAYE Records — Pay slips, PAYE deductions, National Insurance contributions, P11D forms, statutory sick pay and statutory maternity pay records: [Payroll Retention]. Legal basis: Income Tax (Earnings and Pensions) Act 2003; HMRC PAYE: end of year guide; Limitation Act 1980 s.5.
3.4 Recruitment Records — Application forms, CVs, interview notes, assessment results, and reference letters for unsuccessful candidates: [Recruitment Retention] from the date of the rejection decision. Legal basis: ICO Employment Practices Code; Equality Act 2010 (Employment Tribunal claims must generally be brought within 3 months).
3.5 Health and Safety Records — Accident book entries, RIDDOR reports, COSHH health surveillance records, risk assessments, and safety training records: [Health Safety Retention]. Legal basis: RIDDOR 2013 (3 years for most records); COSHH Regulations 2002, regulation 18 (40 years for health surveillance records relating to identified workers).
3.6 CCTV Footage — Footage from cameras installed on Company premises: [CCTV Retention] from the date of recording, unless an identified incident requires extended retention for investigatory or legal purposes, in which case footage relating to that incident will be retained until the matter is resolved plus 6 years. Legal basis: ICO CCTV Code of Practice; UK GDPR Article 5(1)(e).
3.7 Customer and Client Records — Contact details, purchase history, correspondence, complaints, and service records: [Customer Retention]. Legal basis: Limitation Act 1980 s.5 (6 years for contractual claims); Consumer Rights Act 2015.
3.8 Commercial Contracts — Signed contracts, amendments, and associated correspondence: [Contract Retention] from the date of expiry or termination. Legal basis: Limitation Act 1980 s.5 (simple contracts: 6 years); s.8 (deeds: 12 years — retain deed-based contracts for 12 years after expiry).
3.9 Financial and Accounting Records — Ledgers, invoices, receipts, bank statements, expense claims, VAT records, and audit trails: [Financial Retention]. Legal basis: Companies Act 2006 s.388 (3 years for private companies, 6 years for public companies); HMRC VAT Notice 700/21 (6 years); Limitation Act 1980 s.5.
3.10 All retention periods begin on the date of the last relevant event (for example, the termination date for employee records, the date of the last transaction for customer records, or the expiry date for contract records).
4. SECURE DESTRUCTION PROCEDURES
4.1 At the end of the applicable retention period, records must be destroyed securely to prevent unauthorised access or disclosure. The Company uses the following method of destruction: [Destruction Method].
4.2 Paper Records — Confidential paper documents must be cross-cut shredded (producing particles of no more than 6mm x 15mm or strips of no more than 6mm wide, meeting DIN 66399 security level P-4 or higher) or placed in a locked confidential waste bin for collection and destruction by an approved contractor.
4.3 Electronic Records — Electronic records must be permanently deleted using an approved secure deletion method that overwrites all data and prevents recovery. Where storage media (hard drives, USB drives, CDs, DVDs) are to be decommissioned or disposed of, they must be physically destroyed or subjected to certified degaussing before disposal. Deletion from the recycle bin or formatting a drive does not constitute secure deletion for the purposes of this Policy.
4.4 Cloud and Third-Party Storage — Where records are held by a third-party data processor, the responsible person must instruct the processor in writing to delete the records at the end of the retention period, in accordance with the data processing agreement in place. A certificate of deletion should be obtained where available.
4.5 Destruction Log — A destruction log must be maintained recording: the description of the records destroyed, the retention category, the date of destruction, the method of destruction, and the name of the person who authorised and carried out the destruction. The destruction log is itself retained for 6 years.
5. RESPONSIBILITIES
5.1 The Data Protection Officer ([DPO Name]) is responsible for: maintaining and updating this Policy; providing training and guidance to staff on data retention obligations; conducting periodic audits of data holdings; and reporting material non-compliance to senior management.
5.2 [Responsible Person Name] ([Responsible Person Title]) is the designated Responsible Person for day-to-day implementation of this Policy and for overseeing the annual retention review process.
5.3 All employees and contractors are responsible for: managing records in accordance with this Policy; not retaining personal data beyond the periods set out in the retention schedule; reporting suspected breaches of this Policy to the Data Protection Officer; and co-operating with retention audits conducted by the Data Protection Officer.
5.4 Heads of department are responsible for ensuring that their teams are aware of and comply with this Policy, and for identifying any categories of records not addressed in the Schedule that require a retention decision.
6. EXCEPTIONS AND LEGAL HOLDS
6.1 Records subject to a Legal Hold must not be destroyed even if the standard retention period has expired. A Legal Hold is triggered by any of the following: notice of a legal claim or threatened claim; commencement of formal legal proceedings; receipt of a Subject Access Request under UK GDPR Article 15; an ICO investigation or enforcement action; or a regulatory investigation by any competent authority.
6.2 When a Legal Hold is in place, the Data Protection Officer will notify the relevant departments and individuals, and will identify and preserve the specific records subject to the hold. The Legal Hold will remain in place until the matter is fully resolved, after which the records will be reviewed and destroyed in accordance with this Policy.
6.3 Where a record falls under two or more retention categories, the longer retention period applies.
6.4 Where the Company enters into a merger, acquisition, or business sale, data retained in connection with the transaction may be retained for the applicable limitation period for warranty claims (typically 1 to 3 years from completion of the transaction), notwithstanding the standard schedule.
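As an added illustration (not part of the template), the following Python sketch applies the rules in clauses 3.10, 6.1 and 6.3 to decide whether a record may be destroyed, and records the fields clause 4.5 requires in the destruction log. The retention periods used are the statutory figures cited in the Legal Framework (Section 2); the template's bracketed periods such as [Contract Retention] are assumed still to be filled in by the Company, and the record identifiers and names are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Union

DateLike = Union[date, str]

# Retention periods in years. These are the statutory figures the policy's
# Legal Framework (Section 2) cites; the template's bracketed periods such as
# [Contract Retention] are left for the Company to fill in. Constructed mapping.
RETENTION_YEARS = {
    "commercial_contract": 6,    # Limitation Act 1980 s.5
    "deed": 12,                  # Limitation Act 1980 s.8
    "accident_record": 3,        # RIDDOR 2013
    "health_surveillance": 40,   # COSHH 2002, regulation 18
    "vat_record": 6,             # VAT Notice 700/21
    "destruction_log": 6,        # Policy clause 4.5
}


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def add_years(d: DateLike, years: int) -> date:
    """Advance a date by whole years, clamping 29 Feb to 28 Feb."""
    d = _as_date(d)
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    categories: list             # one record may fall under several categories
    last_event: DateLike         # clause 3.10: termination, last transaction, expiry
    legal_holds: set = field(default_factory=set)  # clause 6.1 triggers, e.g. "SAR"


@dataclass
class DestructionLogEntry:
    """The fields clause 4.5 requires the destruction log to record."""
    description: str
    category: str
    destroyed_on: date
    method: str
    authorised_by: str
    carried_out_by: str


def retention_end(record: Record) -> date:
    """Clause 6.3: where several categories apply, the longest period wins."""
    years = max(RETENTION_YEARS[c] for c in record.categories)
    return add_years(record.last_event, years)


def destruction_decision(record: Record, today: DateLike) -> str:
    """Return 'hold', 'retain' or 'destroy' for the record as of today."""
    if record.legal_holds:
        return "hold"             # clause 6.1: a Legal Hold overrides the schedule
    if _as_date(today) < retention_end(record):
        return "retain"           # clause 1.3: never destroy before the period elapses
    return "destroy"


def destroy(record: Record, today: DateLike, method: str,
            authorised_by: str, carried_out_by: str, log: list) -> DestructionLogEntry:
    """Destroy a record whose period has elapsed and append a clause 4.5 log entry."""
    decision = destruction_decision(record, today)
    if decision != "destroy":
        raise ValueError(f"{record.record_id}: cannot destroy, decision is '{decision}'")
    entry = DestructionLogEntry(
        description=record.record_id,
        category="/".join(sorted(record.categories)),
        destroyed_on=_as_date(today),
        method=method,
        authorised_by=authorised_by,
        carried_out_by=carried_out_by,
    )
    log.append(entry)
    return entry


def log_entry_retention_end(entry: DestructionLogEntry) -> date:
    """Clause 4.5: the destruction log itself is kept for 6 years."""
    return add_years(entry.destroyed_on, RETENTION_YEARS["destruction_log"])


if __name__ == "__main__":
    # Constructed sample: a simple contract that expired on 1 March 2018.
    log = []
    contract = Record("CON-0001", ["commercial_contract"], "2018-03-01")
    print(destruction_decision(contract, "2024-03-01"))
    entry = destroy(contract, "2024-03-01", "cross-cut shredding (DIN 66399 P-4)",
                    "A. Director", "B. Clerk", log)
    print(log_entry_retention_end(entry))
```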
7. REVIEW AND AUDIT
7.1 This Policy will be reviewed [Review Frequency] by the Data Protection Officer, or sooner if required by a material change in applicable law, ICO guidance, or the Company's processing activities.
7.2 The Data Protection Officer will conduct an annual audit of data holdings across the Company to verify that records are being retained and destroyed in accordance with this Policy. The results of the audit will be documented and reported to the Board of Directors (or equivalent governing body).
7.3 The audit will identify any records held beyond their retention period and ensure they are promptly destroyed; any new categories of records not currently covered by the Schedule; any changes in processing activities that require amendment to the Schedule; and any third-party data processors who are not complying with agreed retention and destruction obligations.
8. BREACH OF THIS POLICY
8.1 Failure to comply with this Policy may result in: a personal data breach requiring notification to the ICO under UK GDPR Article 33; ICO enforcement action and fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) under section 157 of the Data Protection Act 2018; civil liability to affected data subjects under section 169 of the Data Protection Act 2018; and reputational damage to the Company.
8.2 Deliberate breach of this Policy — including the unauthorised destruction of records before the minimum retention period has elapsed, or the wilful retention of personal data beyond the maximum retention period — may result in disciplinary action up to and including summary dismissal.
8.3 Any suspected breach of this Policy must be reported to the Data Protection Officer immediately.
9. APPROVAL AND VERSION CONTROL
9.1 This Data Retention Policy was approved on [Approval Date] and takes effect on [Policy Date].
9.2 This Policy supersedes any previous data retention policy issued by the Company.
9.3 This Policy is governed by and construed in accordance with the laws of England and Wales.
Approved on behalf of [Company Name]
Approving Director
[Responsible Person Name]
Signature
Date: ________________
Data Protection Officer
[DPO Name]
Signature
Date: ________________
What Is a Data Retention Policy (UK)?
A Data Retention Policy in the United Kingdom sets out the standards, responsibilities, and procedures the organisation expects everyone to follow, and is governed by the Companies Act 2006.
The UK GDPR was retained in UK domestic law following the United Kingdom’s departure from the European Union, by virtue of the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 5(1)(e) of the UK GDPR establishes the storage limitation principle, which provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This principle sits alongside the accountability principle in Article 5(2), which requires data controllers to be able to demonstrate compliance with all of the data protection principles, including storage limitation.
A Data Retention Policy translates these legal obligations into a practical, operational framework. It identifies each category of personal data and business record held by the organisation, assigns a maximum retention period to each category based on the applicable legal requirements and legitimate business needs, specifies the method by which data will be securely destroyed at the end of the retention period, and establishes a governance structure for monitoring compliance. The policy should cross-reference the specific legal provisions that determine or inform the retention period for each category of data — including the Companies Act 2006 (which requires accounting records to be retained for 3 or 6 years depending on the company type), the Income Tax (Earnings and Pensions) Act 2003 (which requires PAYE records to be retained for at least 3 years), the Limitation Act 1980 (which sets a 6-year limitation period for contractual claims and 12 years for claims on a deed), the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (which requires accident records to be retained for 3 years), and the Control of Substances Hazardous to Health Regulations 2002 (which requires health surveillance records to be retained for 40 years).
The Information Commissioner’s Office (ICO) — the UK’s independent supervisory authority for data protection — has consistently emphasised the importance of documented retention schedules as a core element of UK GDPR accountability. The ICO’s guidance on accountability and governance states that controllers should establish clear retention periods, build these into their data processing systems, and conduct regular reviews to confirm that data is not held for longer than necessary.
When Do You Need a Data Retention Policy (UK)?
A Data Retention Policy is needed by every organisation in England and Wales that processes personal data as a data controller under the UK GDPR. The policy should be established and documented before the organisation begins processing personal data in earnest, and should be treated as a foundational governance document that sits alongside the organisation’s privacy policy, data processing agreements, and Records of Processing Activities (ROPA) under Article 30.
The policy is particularly important when an organisation is setting up its data protection compliance framework for the first time — for example, when a new business is incorporated, when an existing business begins processing significant volumes of personal data, or when an organisation is preparing for an ICO audit or responding to an ICO investigation. The ICO’s accountability framework requires controllers to be able to demonstrate that they have systematically considered how long they need to retain each category of data and have documented their retention decisions with reference to the applicable legal requirements.
A Data Retention Policy becomes critical during data subject access requests under UK GDPR Article 15. When an individual exercises their right of access, the controller must search its records and provide a copy of the personal data held. If the controller has retained data beyond the period justified by the retention policy, it faces the risk of disclosing data that should already have been destroyed — which may itself constitute a breach of the storage limitation principle. Conversely, if the controller has destroyed data prematurely, it may be unable to comply with legal obligations that required the data to be retained.
The policy is also essential when responding to litigation or regulatory investigations. Under the Civil Procedure Rules (CPR Part 31), parties to litigation in England and Wales have a duty to disclose documents that are relevant to the issues in dispute. This duty arises as soon as litigation is reasonably contemplated, and the deliberate destruction of potentially relevant documents can result in adverse inferences, costs penalties, or contempt of court. A well-drafted Data Retention Policy with clear legal hold provisions ensures that the organisation can impose a preservation notice quickly and effectively when litigation is anticipated.
Organisations should review and update their Data Retention Policy at least annually, or whenever there is a material change in their processing activities, the legal environment, or ICO guidance. Common triggers for review include the introduction of new data processing systems, changes in applicable legislation, the engagement of new third-party data processors, organisational restructuring or mergers, and the findings of internal data protection audits.
What to Include in Your Data Retention Policy (UK)
A well-drafted Data Retention Policy for England and Wales should contain several key elements that together demonstrate compliance with the UK GDPR storage limitation and accountability principles.
Purpose and Scope — The policy should clearly state its objective (to ensure personal data is not retained longer than necessary, in compliance with UK GDPR Article 5(1)(e)) and its scope (all personal data and business records held by the organisation in any format, including paper, electronic, email, cloud storage, and backup systems). It should specify that the policy applies to all employees, officers, contractors, and third-party processors.
Legal Framework — A summary of the principal legislation underpinning the policy, including the UK GDPR, Data Protection Act 2018, Companies Act 2006, Income Tax (Earnings and Pensions) Act 2003, Limitation Act 1980, RIDDOR 2013, COSHH Regulations 2002, and any sector-specific legislation. This section demonstrates to the ICO that the organisation has identified and considered all applicable legal retention obligations.
Retention Schedule — The core of the policy: a detailed schedule that lists each category of personal data and business record, the applicable retention period, the date from which the retention period begins (for example, the date of termination of employment for employee records, or the date of the last transaction for customer records), and the legal basis or business justification for the retention period chosen. Categories should include at minimum employee records, payroll and PAYE records, recruitment records, health and safety records, CCTV footage, customer and client records, commercial contracts, financial and accounting records, and IT system logs.
Secure Destruction Procedures — A description of the methods used to destroy data securely at the end of the retention period, covering paper records (cross-cut shredding to DIN 66399 P-4 standard or incineration), electronic records (secure overwrite or physical destruction of media), and cloud-stored data (written instruction to the processor with certificate of deletion). The policy should require a destruction log recording what was destroyed, when, how, and by whom.
Responsibilities — Clear allocation of responsibilities, typically including the Data Protection Officer (overall oversight and policy maintenance), the responsible person for day-to-day implementation, heads of department (ensuring team compliance), and all employees and contractors (managing records in accordance with the policy and reporting suspected breaches).
Legal Hold Provisions — Procedures for suspending normal destruction when records may be relevant to anticipated or actual legal proceedings, ICO investigations, or Subject Access Requests. The policy should define the triggers for a legal hold, the process for communicating the hold, and the procedure for lifting it when the matter is resolved.
Review and Audit — A commitment to review the policy at a specified frequency (annually is standard) and to conduct periodic audits of data holdings to verify compliance. Audit results should be documented and reported to senior management or the board.
Breach Consequences — A statement of the consequences of non-compliance, both for the organisation (ICO fines of up to £17.5 million or 4% of global annual turnover under section 157 of the Data Protection Act 2018) and for individual employees (disciplinary action). The forms-legal.com Data Retention Policy (UK) template covers the mandatory elements under the Companies Act 2006.
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 15 (EU GDPR)
- GDPR Article 5 (EU GDPR)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Retention Policy (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/policies/data-retention-policy-uk-gdpr
"Data Retention Policy (UK) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/policies/data-retention-policy-uk-gdpr.
@misc{formslegal-data-retention-policy-uk-gdpr,
author = {{Forms Legal}},
title = {Data Retention Policy (UK) (United Kingdom)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uk/business/policies/data-retention-policy-uk-gdpr}},
note = {Free legal document template. Based on Companies Act 2006}
}
Frequently Asked Questions
While no single statute mandates a standalone Data Retention Policy document, the obligation to have one arises from the combined effect of UK GDPR Article 5(1)(e) (the storage limitation principle) and Article 5(2) (the accountability principle). Article 5(1)(e) provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Article 5(2) requires the data controller to be able to demonstrate compliance with this principle. The ICO has consistently stated in its accountability guidance that a documented retention schedule is a core element of demonstrating compliance with the storage limitation principle. Without a written policy, controllers will find it very difficult to demonstrate to the ICO that they have applied retention periods systematically and can justify how long they keep data. Additionally, the Records of Processing Activities (ROPA) required by UK GDPR Article 30 must include retention periods or the criteria used to determine them, which further necessitates a documented retention framework.
UK law imposes specific minimum retention requirements for various categories of records. Under the Companies Act 2006 (sections 386-388), private companies must retain accounting records for at least 3 years from the date they were made, and public companies for 6 years. Under HMRC guidance and the Income Tax (Earnings and Pensions) Act 2003, PAYE records should be retained for at least 3 years after the end of the tax year to which they relate, though 6 years is standard practice. VAT records must be kept for 6 years under HMRC VAT Notice 700/21 and the Value Added Tax Act 1994. Under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), accident records must be retained for 3 years. Under the Control of Substances Hazardous to Health Regulations 2002 (COSHH), regulation 18, health surveillance records for identified workers must be retained for 40 years. The Working Time Regulations 1998, regulation 9, require working time records to be kept for 2 years. The Limitation Act 1980 provides a general 6-year limitation period for claims in contract (section 5) and 12 years for claims on a deed (section 8), which informs how long commercial records should be retained to defend potential claims.
UK GDPR Article 5(1)(f) requires personal data to be processed in a manner that ensures appropriate security, which extends to the destruction phase. The ICO’s guidance on data security recommends that paper records containing personal data be cross-cut shredded to a standard of at least DIN 66399 security level P-4 (particles of no more than 6mm by 15mm) or incinerated by an approved contractor. Electronic records must be permanently deleted using a recognised secure deletion standard that prevents data recovery — simply deleting files or emptying the recycle bin is not sufficient. Storage media being decommissioned should be physically destroyed or degaussed. Where data is held by a third-party data processor or in cloud storage, the controller must instruct the processor to delete the data in accordance with the data processing agreement and obtain a certificate of deletion where possible. The ICO recommends maintaining a destruction log that records the description of records destroyed, the date of destruction, the method used, and the name of the person who authorised and performed the destruction.
A legal hold (also known as a litigation hold or preservation notice) is a direction to suspend the normal destruction of records because they may be relevant to anticipated or actual legal proceedings, a regulatory investigation, or a Subject Access Request under UK GDPR Article 15. Under English civil procedure, the duty to preserve documents that may be relevant to litigation arises as soon as litigation is reasonably contemplated — this is established by the Pre-Action Protocol under the Civil Procedure Rules and the duty of disclosure under CPR Part 31. Deliberate or reckless destruction of relevant documents after a legal hold should have been imposed may constitute contempt of court and can result in adverse inferences, costs sanctions, or striking out of a claim or defence. A legal hold overrides the retention schedule: records subject to a hold must not be destroyed even if the standard retention period has expired. The hold should be documented and communicated to all relevant staff, and should specify the categories of records to be preserved and the legal basis for the hold. Once the legal matter is resolved, the hold is lifted and the records are reviewed and destroyed in accordance with the standard retention schedule.
Under UK GDPR Article 30, controllers with 250 or more employees (or controllers carrying out processing that is likely to result in a risk to data subjects’ rights, that is not occasional, or that involves special category data) must maintain Records of Processing Activities (ROPA). Article 30(1)(f) requires the ROPA to include, where possible, the envisaged time limits for erasure of the different categories of data — in other words, the retention periods. The Data Retention Policy provides the detailed framework from which these retention periods are derived. The two documents are complementary: the ROPA records the retention period for each processing activity, while the Data Retention Policy provides the rationale, legal basis, destruction procedures, review schedule, and governance framework that underpin those periods. The ICO’s accountability framework guidance recommends that controllers cross-reference their ROPA with their Data Retention Policy to confirm consistency. Maintaining both documents is a key element of demonstrating compliance with the UK GDPR accountability principle under Article 5(2).
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.