Data Retention and Secure Deletion Policies

Data that is no longer needed is a liability — it occupies storage, creates GDPR obligations, and increases the impact of a breach. A well-designed data retention policy defines how long different types of data are kept, and ensures it is securely deleted when the retention period expires.

UK GDPR Requirements

The UK GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is kept no longer than necessary for the purpose for which it was collected. Organisations must define and document retention periods for each category of personal data, and have mechanisms to enforce those periods.

Common Retention Periods

  • Customer contact data: Duration of customer relationship + 6 years (limitation period for contract claims)
  • Financial transaction records: 6 years (HMRC requirement)
  • Employee records: Employment + 6 years
  • Marketing data (consent-based): Until consent is withdrawn, or until the consent given no longer covers the marketing communications being sent
  • Security logs: 12 months minimum; 3 years for regulated sectors

Secure Deletion

  • Database records: Hard delete, or anonymisation that irreversibly overwrites every personal-data field with a value unrelated to the original (a random token, not a hash of the old value) so the record can no longer be linked to an individual. A soft-delete flag leaves the data in place and does not meet the GDPR's deletion requirements; nor does pseudonymisation, where a token or hash can be mapped back to the person, because pseudonymised data is still personal data
  • File storage: Cryptographic erasure (destroying the key the data was encrypted under, which only works if the data was encrypted under a key you control from the outset) or secure overwrite. Overwriting is unreliable on SSDs, which remap writes across flash cells, and on cloud object storage, so cryptographic erasure is usually the only practical option there. Removing a file or object also leaves it in any snapshot or version history until those expire
  • Backups: Plan for deletion from backups: record when each backup set expires, and where a record cannot practically be removed from an existing backup, put it beyond use (never restored or otherwise processed) until that backup is overwritten. The right to erasure applies to backup data as well as to live systems
  • Third-party processors: Instruct processors to delete the data when the retention period expires or on request, and obtain written confirmation that they have done so, covering their own backups as well

Automated Enforcement

We build automated retention enforcement into systems from the start: a scheduled job that identifies data past its retention date and deletes or anonymises it, plus an audit log recording which records were acted on and when. The audit log should reference records by identifier only; copying the personal data into the log would defeat the purpose of deleting it.
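An added example of such a job, not the page's own code, that also illustrates the hard-delete versus anonymisation distinction from the Secure Deletion section above. It runs against an in-memory SQLite database with constructed sample rows; the table names, columns, retention periods and actions in `RETENTION_RULES` are assumptions chosen for illustration, not a statement of legal retention periods. Anonymisation overwrites each personal-data column with a random token unrelated to the original value and stamps the row so it is not reprocessed; deletion is a real `DELETE`, not a flag; every action is written to an audit table by row id only.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
TS = "%Y-%m-%dT%H:%M:%SZ"  # fixed-width UTC timestamps: string comparison in SQLite is chronological


def ts(dt):
    return dt.astimezone(UTC).strftime(TS)


# Retention rules (assumed for illustration, not legal periods):
# table -> (column that starts the retention clock, retention period, action).
# Table and column names come only from this hard-coded dict, never from user input,
# which is why they can be interpolated into the SQL below.
RETENTION_RULES = {
    "customers": ("relationship_ended_at", timedelta(days=6 * 365), "anonymise"),
    "marketing_contacts": ("consent_withdrawn_at", timedelta(0), "delete"),
}

# Columns holding personal data; anonymisation must overwrite every one of them.
PII_COLUMNS = {"customers": ("name", "email", "phone")}

SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
    relationship_ended_at TEXT,   -- NULL while the relationship is active
    anonymised_at TEXT            -- set once; stops the row being reprocessed on later runs
);
CREATE TABLE marketing_contacts (
    id INTEGER PRIMARY KEY, email TEXT, consent_withdrawn_at TEXT
);
CREATE TABLE retention_audit (
    id INTEGER PRIMARY KEY, run_at TEXT, table_name TEXT, row_id INTEGER, action TEXT
);
"""


def seed_db(now):
    """Constructed sample data: an expired, an in-period and an active row per table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customers (id, name, email, phone, relationship_ended_at) VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Ada Example", "ada@example.com", "+44 7700 900001", ts(now - timedelta(days=7 * 365))),
            (2, "Bob Example", "bob@example.com", "+44 7700 900002", ts(now - timedelta(days=365))),
            (3, "Cy Example", "cy@example.com", "+44 7700 900003", None),
        ],
    )
    conn.executemany(
        "INSERT INTO marketing_contacts (id, email, consent_withdrawn_at) VALUES (?, ?, ?)",
        [(1, "ada@example.com", ts(now - timedelta(days=1))), (2, "dee@example.com", None)],
    )
    conn.commit()
    return conn


def enforce_retention(conn, now):
    """Delete or anonymise rows past their retention date; returns {table: {action: [ids]}}."""
    run_at = ts(now)
    summary = {}
    for table, (clock_col, period, action) in RETENTION_RULES.items():
        cutoff = ts(now - period)
        # Rows whose clock never started (NULL) are retained; anonymised rows are skipped.
        extra = " AND anonymised_at IS NULL" if action == "anonymise" else ""
        ids = [r[0] for r in conn.execute(
            f"SELECT id FROM {table} WHERE {clock_col} IS NOT NULL AND {clock_col} <= ?{extra}",
            (cutoff,))]
        for row_id in ids:
            if action == "delete":
                conn.execute(f"DELETE FROM {table} WHERE id = ?", (row_id,))  # hard delete, not a flag
            else:
                # Overwrite each PII column with a random token derived from nothing in the
                # original value, so the record cannot be re-linked to the person.
                cols = PII_COLUMNS[table]
                sets = ", ".join(f"{c} = ?" for c in cols)
                values = [f"anon-{secrets.token_hex(8)}" for _ in cols]
                conn.execute(f"UPDATE {table} SET {sets}, anonymised_at = ? WHERE id = ?",
                             (*values, run_at, row_id))
            # Audit the action by row id only; the audit row carries no personal data.
            conn.execute(
                "INSERT INTO retention_audit (run_at, table_name, row_id, action) VALUES (?, ?, ?, ?)",
                (run_at, table, row_id, action))
        summary[table] = {action: ids}
    conn.commit()
    return summary


def demo(now=None):
    """Run the job twice against the sample data; the second run must find nothing to do."""
    now = now or datetime(2024, 1, 1, tzinfo=UTC)
    conn = seed_db(now)
    first = enforce_retention(conn, now)
    second = enforce_retention(conn, now)
    customers = conn.execute("SELECT id, name, email FROM customers ORDER BY id").fetchall()
    audit = conn.execute("SELECT table_name, row_id, action FROM retention_audit ORDER BY id").fetchall()
    return first, second, customers, audit


if __name__ == "__main__":
    print(demo())
```

The second run is the check worth keeping in a real deployment: a job that re-anonymises already-anonymised rows, or re-logs them, is a sign that the clock column alone is not enough to decide whether a row is done. In production the `now` argument is the scheduler's run time and the summary is what the job reports.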