Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Policy

Data Retention & Disposal Policy

What we keep, for how long, and how we get rid of it.

GDPR requires you not to keep personal data longer than necessary. This policy sets out how [Company Name] decides retention periods, and how data is securely disposed of.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

Principles

  • We keep data only as long as we have a clear business or legal reason.
  • Retention periods are documented in the Data Map (ROPA).
  • Personal data is reviewed at least annually.
  • Disposal is final and verifiable.

Default retention periods

  • Financial records — 6 years (HMRC).
  • Employee records — 6 years from end of employment.
  • Customer records — 6 years from last transaction.
  • Prospect / marketing data — 2 years from last engagement.
  • Email (general)[e.g. 7 years].
  • CCTV footage — 30 days.
  • Job applications — 12 months after the position is filled.

How disposal works

  • Digital files deleted from primary systems and from backups when the retention period ends.
  • Paper records are shredded.
  • Old hardware is securely wiped or physically destroyed.
  • Cloud accounts are exported, retention-tagged, then deleted.

Subject Access Requests

If a customer or employee asks for their data, [Named Manager] coordinates the response within one month.

Right to be forgotten

Customers can ask us to delete their data. Unless we have a legal reason to keep it, we comply within one month.

Backups

Backups follow their own retention — typically [12 months].

Review

Reviewed annually.

Tips for adoption

  • Tie this directly to your Data Map.
  • The data you don't hold can't be breached.
  • Make a calendar reminder for the annual review.