https://www.computerweekly.com/feature/Data-retention-in-the-UK-How-long-should-you-keep-data
It is an oft-asked question: “How long should we keep this data?” But the answer – in the UK at least – is not as clear cut as you might imagine.
Often the core principle that dictates retention period compliance is all about what can be reasonably justified - and that you have carefully decided and written down as policy how long you must keep data for, based on a reasonable assessment of the purpose of its processing and retention.
That said, there are recommendations for retention periods for many types of data, based on law and regulation in particular industry sectors.
What are the key laws and regulations in the UK that dictate data retention periods and the recommendations that affect data retention? Here, we look at the key elements of data retention policy, how software tools can help, and who supplies them.
UK organisations’ data compliance is governed by numerous laws and regulations.
Core to these are the UK equivalent of GDPR, as enacted by the Data Protection Act (2018), and guidance and directives from the Information Commissioners Office (ICO).
Beyond that, there is company law, employment law, health and safety law and so on, all of which come with requirements about data retention.
It’s hard to overstate the importance of the Data Protection Act to data protection and retention practices in the UK - but, importantly, it does not specify precise retention periods.
Having said that, the core requirement is that organisations must establish reasonable policies and schedules around each category of data they process.
So, for each category they must show:
And while reasonable, documented practices around processing and retention are key, numerous recommendations for how long to keep data do exist.
Common recommendations include:
NHS guidance specifies eight years after conclusion of treatment or the patient’s death for adult hospital records, 10 years for GP records, and 25 years after the birth of the last child for maternity records.
In financial services, the Financial Conduct Authority says records must be kept for five years from their creation, while anti-money laundering law specifies five or 10 years of business transaction data be kept.
For personal data, in any category of sensitive data - even for archiving for research or historical purposes - the guidance is all about what can be reasonably justified, that policies and review procedures exist and that appropriate levels of caution are applied.
The key action organisations need to undertake is to create a data retention policy that lists:
Numerous software tools exist that can build on an organisation’s data policy to help track and manage data, and alert staff and leadership about decisions that need to be made.
Key functionality in tools that can help with data retention include:
It’s clear these functions map more broadly onto data management in general, so it’s likely you will want them to integrate with systems like document management, email archives, file servers, possibly even a physical records inventory.
Metadata support is a useful area of functionality that can help you know what data you hold, where it is, how long it’s been kept, its risk classification, and so on.
Cleardox AMS by ClearData Group manages archived records with automated destruction notifications when retention dates expire.
iGMapware is a software-as-a-service application aimed at records, data retention and metadata management that can help create retention schedules, map information assets and govern when data should be disposed of.
Iron Mountain’s Retention Policy Management Platform helps organisations manage retention and privacy obligations, implement schedules and ensure data is disposed of when no longer needed.
Zebsoft compliance management software is a UK-based platform that helps organisations map personal data, define retention periods, manage policy, consents, and subject access requests that includes workflows and audit trails around retention and deletion.
17 Nov 2025