Data Retention & Disposal Policy

What we keep, for how long, and how we get rid of it.

GDPR requires you not to keep personal data longer than necessary. This policy sets out how [Company Name] decides retention periods, and how data is securely disposed of when those periods end.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

Principles

  • We keep data only as long as we have a clear business or legal reason.
  • Retention periods are documented in the Data Map (ROPA).
  • Personal data, in particular, is reviewed at least annually.
  • Disposal is final and verifiable — not just “moved to archive and forgotten.”

Default retention periods (edit for your business)

  • Financial records — 6 years (HMRC requirement).
  • Employee records — 6 years from end of employment.
  • Customer records — 6 years from last transaction, or until the customer asks for deletion.
  • Prospect / marketing data — 2 years from last engagement.
  • Email (general) — [e.g. 7 years], enforced by a Microsoft 365 retention policy.
  • CCTV footage — 30 days, longer only if needed for an incident.
  • Job applications — 12 months after the position is filled, unless the candidate consents to longer.

How disposal works

  • Digital files are deleted from primary systems and from backups when the retention period ends. (Backups have their own retention — agreed with the IT supplier.)
  • Paper records are shredded, not binned.
  • Old hardware is securely wiped (disk encryption + factory reset, or physical destruction for storage that may contain sensitive data) before disposal.
  • Cloud accounts are exported, retention-tagged, then deleted.

Subject Access Requests (DSARs)

If a customer or employee asks for their data, [Named Manager] coordinates the response within one month. See the glossary entry on DSARs.

Right to be forgotten

Customers can ask us to delete their data. Unless we have a legal reason to keep it (e.g. tax records), we comply within one month.

Backups

Backups follow their own retention — typically [12 months]. This is documented and agreed with the IT supplier. Deleted data may persist in backups until those backups age out.

Review

Reviewed annually, or when a new regulation or contract requires a change.

Tips for adoption

  • Tie this directly to your Data Map — that's where the actual record lives.
  • Don't hoard. The data you don't hold can't be breached.
  • Make a calendar reminder for the annual review.