Data Retention Policy: A Full Guide and Template

Many rules and regulations surround the use of data. UK law requires companies to have a data retention policy that details how long a company can hold customer information. 

Below is a comprehensive guide which explains data retention policies and provides resources to help you develop your own policy. 

Key Facts 

  • The General Data Protection Regulation (GDPR) and other data laws guide and require companies based in the UK to develop a data retention policy.

  • Companies determine how long they keep different datasets by how useful they are to their operation.

  • An effective retention policy is typically created by a team of people, including legal counsel. 

What Is a Data Retention Policy?

Data retention policies detail which data a business will store, where and how it has stored it and how long the data may remain in storage. Once that time has passed, the policy dictates which data to destroy and what to move to secondary or tertiary storage. 

A data retention policy is required for a company to stay in compliance with the General Data Protection Regulation (GDPR). It is sometimes also called a document retention policy or a records management policy. 

GDPR governs how companies use, collect and store personal information about customers and other people who interact with their company. Personal information is defined as data that can be used to identify a person. It can involve someone’s name, location, race, ethnicity, IP address and many more pieces of information.

Even though GDPR is a policy enacted by the European Union, it still applies to UK-based businesses post-Brexit. This is because the UK passed the Data Protection Act in 2018, which enshrines the EU’s GDPR into UK law.

What Is a Data Retention Period?

A data retention period refers to how long a set of data can be stored on company servers. Typically, different types of data will have varying retention periods. The general rule of thumb is that a company keeps a data set for as long as it’s useful, barring specific instructions dictated by UK law.

Depending on the data type within the dataset, companies either:

  • Delete the data. The company ensures that all copies of a dataset are properly discarded along with any traces of it that might be left on forgotten servers.

  • Anonymise the data. The company moves the dataset from live and backup systems onto a tertiary cloud device.

What Should a Data Retention Policy Include?

Company data retention policies can be simple or complex, but most revolve around three key questions. These questions are:

  • What Types of Data Does Your Policy Cover? Different industries won’t view the same information as equally important. Data collection priorities might even shift between companies. Determining the data that’s important to you will inform the rest of the policy. No matter your industry, though, all UK businesses are responsible for ‘fair, lawful and transparent usage of personal data’.

  • How Long Do You Keep Data? UK law doesn’t set a specific time limit by which a company must delete data. Most businesses base the retention period on their own needs. The more critical the data is to an organisation, the longer it remains in the system.

  • What is Your Data Removal Process? Different types of datasets will usually have varying removal procedures. Less important information is likely deleted and scrubbed from company systems. More crucial data is often sent to secondary servers for archival purposes.

How To Create a Data Retention Policy

The steps to make a comprehensive retention policy can vary from company to company. Still, there are standard instructions that you can use as a foundation to develop a policy that fits your business. 

  1. Decide who will devise the policy. Developing data retention procedures requires the advice of several experts, so teams are usually picked for this task.

  2. Research your company’s legal requirements. These will be the foundation of your policy.

  3. Determine the data type most valuable to the company, which helps you decide how long you’ll retain each variety.

  4. Nominate a department or position within the business that is responsible for enforcing the policy and keeping it up to date.

  5. Develop an internal audit system to help ensure policy compliance.

  6. Determine the frequency of reviewing the data retention policy.

  7. Define the implementation of the data retention policy at a software level.

  8. Write your GDPR data retention policy. 

  9. Present the policy to important stakeholders for their approval and make necessary revisions accordingly.

How Does a Data Retention Policy Benefit an Organisation?

Your data retention policy isn’t just a regulatory measure; it can benefit your organisation and its bottom line. Some advantages you get from implementing your retention plan are:

  • More Accessible Data. A data retention policy directs the removal of outdated or duplicate records, making the database as a whole easier to navigate.

  • Reduced Storage Costs. Cleaning up the amount of data you have on file minimises the size of your database, requiring less storage.

  • Organised Document Storage Procedures. A data retention policy helps devise a system to organise the data your company produces by prioritising datasets according to their importance to the company. With proper implementation, you’ll always know where your most essential information is.

  • Greater Ability To Recover From Setbacks. An extensive backup and recovery protocol is essential to many data retention policies. Having one in place means critical documentation is protected in the event of a system outage. 

A comprehensive data retention policy that dictates the handling of private information keeps your company in compliance with the GDPR and other data protection laws. Your policy dictates a data filing and deletion system that organises and properly handles all personal information in one place, so stakeholders know which data you have and how it’s used. A retention policy also keeps your files ready and organised for potential disclosure requests. 

Frequently Asked Questions

What Is a GDPR Retention Policy?

A GDPR retention policy is a company’s procedure to store and delete private data as the General Data Protection Regulation dictates. 

What Is the Standard Retention Policy in the UK?

The standard retention policy defines the basic procedure for removing specific data after a set period. 

How Long Should Data Be Kept for GDPR?

The GDPR doesn’t specify how long a company can keep the data it collects, only that any data it holds should remain useful to the company for as long as that information is in its possession.

Is There a Best-Practice Data Retention Policy?

The best practice for data retention is that information should only be kept for as long as it’s helpful in the company.

Streamline Your Data Retention Policy with Personio

At Personio, maintaining your data is incredibly important to us. Data protection and information security are at the core of Personio’s products and services. 

Your data is safe with us, and we can also help you streamline that data, organise it without worry and even generate reports that power better business decision making. 

That’s a big boost to your average HR team. Speak with an expert today to learn more about Personio, how we handle data and how we can help upgrade your people operations.