GDPR requires you not to keep personal data longer than necessary. This policy sets out how [Company Name] decides retention periods, and how data is securely disposed of.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
Principles
- We keep data only as long as we have a clear business or legal reason.
- Retention periods are documented in the Data Map (ROPA).
- Personal data is reviewed at least annually.
- Disposal is final and verifiable.
Default retention periods
- Financial records — 6 years (HMRC).
- Employee records — 6 years from end of employment.
- Customer records — 6 years from last transaction.
- Prospect / marketing data — 2 years from last engagement.
- Email (general) — [e.g. 7 years].
- CCTV footage — 30 days.
- Job applications — 12 months after the position is filled.
How disposal works
- Digital files deleted from primary systems and from backups when the retention period ends.
- Paper records are shredded.
- Old hardware is securely wiped or physically destroyed.
- Cloud accounts are exported, retention-tagged, then deleted.
Subject Access Requests
If a customer or employee asks for their data, [Named Manager] coordinates the response within one month.
Right to be forgotten
Customers can ask us to delete their data. Unless we have a legal reason to keep it, we comply within one month.
Backups
Backups follow their own retention — typically [12 months].
Review
Reviewed annually.
Tips for adoption
- Tie this directly to your Data Map.
- The data you don't hold can't be breached.
- Make a calendar reminder for the annual review.