UK GDPR Data Retention Periods: How Long to Keep Data

Steven | TrustYourWebsite · 28 May 2026 · Last updated: June 2026

The storage limitation principle in UK GDPR Article 5(1)(e) requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was collected. Two obligations follow: every processing activity needs a defined retention period, and the controller has to actually delete or anonymise the data when that period expires.

This guide covers UK-specific retention periods by data category, the HMRC 6-year rule and how it interacts with UK GDPR, FCA obligations under SYSC 9, the Limitation Act 1980 in a retention context, and what the ICO expects during inspections. If you want to check whether your privacy notice already states a retention period (required by UK GDPR Article 13(2)(a)), run a free TrustYourWebsite scan before reading on.

Quick reference: UK statutory retention periods

This table covers the most common fixed periods UK SMBs need to schedule. Sector-specific rules may extend some categories further.

Data category | Minimum retention | UK statutory basis
--- | --- | ---
Tax and VAT records (invoices, accounts) | 6 years from end of the relevant tax year | Schedule 18 Finance Act 1998 and HMRC VAT Notice 700/21
PAYE and payroll records | 3 years after the end of the tax year | HMRC employer record-keeping guidance
Statutory sick pay records | 3 years after the end of the tax year to which they relate | HMRC statutory payments guidance
Right-to-work check documentation | 2 years after employment ends | Home Office right to work guidance
FCA-regulated firms: general client records | Minimum 5 years | FCA SYSC 9.1 (FCA Handbook)
Consumer goods warranty / defect claims | 6 years (contract limitation period) | Limitation Act 1980 s.5
Personal injury / tort claims | 3 years from the date of knowledge | Limitation Act 1980 s.11

The Limitation Act 1980 periods are particularly relevant to retention decisions: once the window for a claim closes, the need to hold evidence to defend that claim ends, and with it the justification for keeping identifiable data beyond that point.

The storage limitation principle

UK GDPR Article 5(1)(e) was carried over from EU GDPR at the end of the Brexit transition period on 31 December 2020 and is read alongside the Data Protection Act 2018. It reads:

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Two operational principles follow:

  1. No identifiable data without a current purpose. Data with no current processing purpose must be deleted or anonymised, even if it might be useful later.
  2. Long-term storage is permitted only for archiving, research and statistics, and only with the safeguards in Article 89(1).

UK GDPR Article 5(2) adds the accountability principle: the controller must be able to demonstrate compliance. In practice, this means documented retention periods per activity, a deletion schedule that actually runs, and evidence that it ran.

Post-Brexit, the ICO enforces UK GDPR independently from EU supervisory authorities. The ICO's storage limitation guidance confirms it treats indefinite retention as a standalone Article 5 violation, not merely an aggravating factor in a wider breach.

How UK retention rules stack: HMRC vs ICO

Three constraints stack on top of each other for any given processing activity.

Layer | Source | What it does
--- | --- | ---
Operational need | Business reality | Defines the minimum useful retention for the purpose
Legal obligation | UK statute (HMRC, FCA, DPA 2018) | Requires retention for a specific period under Art. 6(1)(c)
Data subject rights | Art. 17 UK GDPR | Limits the maximum where no operational need or legal duty remains

The final retention period is the longer of layer 1 and layer 2, until layer 3 forces deletion when both expire.

Worked example: a UK online shop invoice

A customer buys from a UK e-commerce site. The invoice contains their name, delivery address, email and order details.

  • Consumer protection period: Under Consumer Rights Act 2015 section 19, goods must conform to contract. The Limitation Act 1980 section 5 gives a customer 6 years to bring a contract claim. Keeping invoice records for 6 years from the transaction date covers this.
  • HMRC obligation: HMRC's record-keeping rules require companies (Schedule 18 Finance Act 1998) and VAT-registered businesses (VAT Notice 700/21) to retain accounting and VAT records for 6 years from the end of the accounting period. The HMRC period runs from a different start date than the Limitation Act period, so check which expires later.
  • UK GDPR outcome: The invoice retention period is 6 years from the relevant HMRC accounting period end. After both the HMRC period and the Limitation Act window close, UK GDPR Article 5(1)(e) applies and the identifiable data must be deleted or anonymised.

This differs from the EU position only in where the numbers come from. Retention periods for tax records were never harmonised by EU GDPR; they are set by national tax law. UK businesses apply HMRC's 6-year rule and the Limitation Act 1980, not the member-state periods, which vary by country.

Retention periods by data category: UK focus

Customer and order data

Category | UK retention period | Basis
--- | --- | ---
Order and invoice records | 6 years from HMRC accounting period end | Schedule 18 Finance Act 1998 and VAT Notice 700/21
Active customer account data | Duration of relationship + 2-year inactivity period | Operational
Customer support tickets | 12 months from closure | Operational
Returns and complaints | 6 years (aligned with contract limitation) | Limitation Act 1980 s.5
Consumer warranty / defect evidence | 6 years from transaction | Consumer Rights Act 2015 s.19 and Limitation Act 1980 s.5

Employee and HR data

Category | UK retention period | Basis
--- | --- | ---
Active employment records | Duration of employment | Contract
PAYE / payroll records | 3 years after end of the relevant tax year | HMRC employer record-keeping
Statutory sick pay records | 3 years after end of the relevant tax year | HMRC statutory payments rules
Pension and national insurance records | Lifetime (for defined-benefit) or as scheme rules specify | Pension Schemes Act 1993
Right-to-work documentation | 2 years after employment ends | Home Office guidance
CVs of unsuccessful applicants | 6 months after the recruitment round closes | Equality Act 2010 (defence against discrimination claims)
Disciplinary records | 1-2 years (active warning period) | Employment law practice

Marketing data

Category | UK retention period | Basis
--- | --- | ---
Newsletter subscribers (consent-based) | Until unsubscribe | Active consent under PECR
Inactive subscribers (no opens or clicks) | Re-permission required after 24 months | Risk that consent is stale
Soft opt-in marketing (existing customers) | While customer is active | PECR regulation 22(3)
Marketing leads with no activity | 12-24 months after last touch | Operational

Website and analytics data

Category | UK retention period | Basis
--- | --- | ---
Server access logs (security) | 30-90 days | Security operations
Server logs (debugging) | 14-30 days | Operational
Cookie identifiers | Lifespan declared in cookie consent | PECR and UK GDPR consent
Analytics data with persistent IDs | Configured retention in analytics tool (minimum needed) | Operational, UK GDPR Article 5(1)(e)
CCTV footage | 7-30 days (longer requires a DPIA) | ICO CCTV code of practice

HMRC vs ICO: which rule wins?

Neither overrides the other. They apply to different questions.

HMRC requires retention for its own audit purposes. UK GDPR permits that retention while the HMRC period runs, under Article 6(1)(c). Once the HMRC period expires, HMRC's basis for requiring retention ends. At that point UK GDPR Article 5(1)(e) takes over and requires deletion unless a separate purpose continues to apply.

A common mistake is treating the HMRC period as a blanket authorisation to keep all customer data for 6 years. HMRC's 6-year rule covers accounting and VAT records. It does not authorise retaining the customer's IP address, browsing history or marketing consent preference for the same period. Each data category has its own analysis.

The ICO confirms this position in its storage limitation guidance: a legal obligation that requires retention of certain records does not extend to all personal data collected from the same individual.

FCA SYSC 9 and financial services records

Businesses regulated by the FCA face an additional layer. FCA SYSC 9.1 (FCA Handbook) requires a regulated firm to retain records of its business and internal organisation for a minimum of 5 years. Specific regimes set their own periods: under MiFID II (Article 16(7)) records of orders, transactions and recorded communications must be kept for at least 5 years, which the regulator can extend to 7 on request; CASS client money records are 5 years from the end of the relationship.

FCA records retention feeds into UK GDPR Article 6(1)(c) in the same way as HMRC retention: the FCA period is the minimum, after which UK GDPR Article 5(1)(e) applies.

ICO enforcement under UK GDPR

The maximum penalty under UK GDPR is up to GBP 17.5 million or 4% of global annual turnover, whichever is higher, with a lower tier of up to GBP 8.7 million or 2% of global turnover for procedural infringements (Data Protection Act 2018 s.157). The Data (Use and Access) Act 2025 brought PECR fines, previously capped at GBP 500,000, up to the same levels, so a stale marketing list now carries the same headline exposure as a UK GDPR breach.

For UK SMBs, the realistic enforcement risk is not the headline fine. The ICO more commonly issues reprimands and enforcement notices requiring a controller to implement a compliant retention schedule within a fixed period. Reprimands are published on the ICO's register and are searchable by name.

Before citing a specific ICO fine for a retention failure, check the primary source: the ICO's published penalty notices and reprimands are at ico.org.uk/action-weve-taken/enforcement/.

Ending retention: options compared

Option | Still personal data under UK GDPR | When to use | Evidence required
--- | --- | --- | ---
Delete | No, after confirmed removal from all copies including backups | Default. Use for all data at the end of the retention period | Deletion logs showing rows removed, backup rotation cycle documented
Pseudonymise | Yes. Key-to-identifier mapping still personal data | Analytics or research where the individual identity is not needed but longitudinal tracking matters | Key storage access controls, re-identification risk assessment
Anonymise | No, if the Recital 26 test is passed | Statistics, aggregated reporting where individual-level data is not needed | Anonymisation risk assessment showing re-identification is not reasonably possible

For most UK SMBs, true anonymisation of row-level user data is not achievable: a per-person record carrying dates, location and amounts can usually be re-identified by combining it with other data. Anonymisation is realistic for aggregate statistics; for everything else, deletion is the default.

A complication for deletion: removing data from backups is not instant. ICO guidance on the right to erasure accepts that personal data may remain in a backup until the normal rotation cycle overwrites it, provided it is put beyond use in the meantime: not restored to production, not used for any other purpose, and gone once the cycle completes. Document the rotation cycle and include it in the retention schedule.
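The difference between the pseudonymise and anonymise rows in the table above is easier to see in code. The following is an added example, not the article's code: it pseudonymises constructed order records with a keyed HMAC (the key holder can still re-identify a known address, so the output stays personal data) and separately anonymises the same records into (month, postcode district) aggregates with a small-count suppression threshold. The key, the k threshold of 3 and the sample orders are all assumptions made for the demonstration.

```python
"""Pseudonymisation versus anonymisation of order records (added example)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample orders, not real customers.  Postcode district plus
# month is a quasi-identifier, which is why the aggregate needs a k threshold.
SAMPLE_ORDERS = [
    {"id": 1, "email": "alice@example.com", "district": "SW1A", "month": "2026-01", "total_pence": 1200},
    {"id": 2, "email": "bob@example.com",   "district": "SW1A", "month": "2026-01", "total_pence": 800},
    {"id": 3, "email": "carol@example.com", "district": "SW1A", "month": "2026-01", "total_pence": 2500},
    {"id": 4, "email": "dave@example.com",  "district": "SW1A", "month": "2026-01", "total_pence": 400},
    {"id": 5, "email": "erin@example.com",  "district": "SW1A", "month": "2026-01", "total_pence": 1500},
    {"id": 6, "email": "frank@example.com", "district": "SW1A", "month": "2026-01", "total_pence": 600},
    {"id": 7, "email": "alice@example.com", "district": "SW1A", "month": "2026-01", "total_pence": 300},
    {"id": 8, "email": "grace@example.com", "district": "EH1",  "month": "2026-01", "total_pence": 900},
    {"id": 9, "email": "heidi@example.com", "district": "EH1",  "month": "2026-01", "total_pence": 1100},
]

# Assumed secret held by the controller.  Whoever holds it can re-identify,
# so pseudonymised output is still personal data and the key needs access control.
PSEUDONYM_KEY = b"example-pseudonym-key-rotate-me"


def customer_ref(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised address.
    An unkeyed SHA-256 would be reversible by hashing likely addresses."""
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(rows, key: bytes = PSEUDONYM_KEY):
    """Drop the direct identifier, keep a stable reference so that repeat
    customers remain linkable for longitudinal analysis."""
    return [{"customer_ref": customer_ref(r["email"], key),
             "district": r["district"], "month": r["month"],
             "total_pence": r["total_pence"]} for r in rows]


def re_identifies(ref: str, email: str, key: bytes = PSEUDONYM_KEY) -> bool:
    """The key holder can test a known address against a pseudonym."""
    return hmac.compare_digest(ref, customer_ref(email, key))


def anonymise(rows, k: int = 3):
    """Aggregate to (month, district).  Cells with fewer than k distinct
    customers are suppressed (value None) because they would single people out.
    No row-level or per-person value survives in the output."""
    groups = defaultdict(lambda: {"customers": set(), "orders": 0, "total_pence": 0})
    for r in rows:
        g = groups[(r["month"], r["district"])]
        g["customers"].add(r["email"].strip().lower())
        g["orders"] += 1
        g["total_pence"] += r["total_pence"]
    out = {}
    for cell, g in groups.items():
        if len(g["customers"]) < k:
            out[cell] = None
        else:
            out[cell] = {"customers": len(g["customers"]),
                         "orders": g["orders"], "total_pence": g["total_pence"]}
    return out


if __name__ == "__main__":
    pseudo = pseudonymise(SAMPLE_ORDERS)
    print(pseudo[0]["customer_ref"] == pseudo[6]["customer_ref"])   # same person, still linked
    print(anonymise(SAMPLE_ORDERS))
```

The pseudonymised rows keep enough structure to be useful (the two alice orders share a reference) and exactly for that reason remain personal data: anyone with PSEUDONYM_KEY can confirm a guess. The aggregate drops the per-person layer entirely, and the EH1 cell is suppressed because two customers in a district-month would be singled out; the suppression threshold is the practical form of the Recital 26 re-identification assessment the table asks for.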

How to implement a deletion schedule

Set up the deletion mechanism

For structured data in a database, a scheduled job that applies the retention rule per table is the right level. Examples for a UK e-commerce site:

  • customers table: rows with last_activity < NOW() - INTERVAL '2 years' and account_status = 'inactive', deleted weekly
  • orders table: rows whose HMRC accounting period ended more than 6 years ago, deleted monthly. The naive test invoice_date < NOW() - INTERVAL '6 years' deletes early: an invoice raised on the first day of an accounting period would go almost a year before 6 years from the period end have run, breaching the HMRC obligation.
  • web_sessions table: rows where created_at < NOW() - INTERVAL '90 days', deleted daily

Each rule issues a real DELETE. Setting a deleted_at flag keeps the personal data in place and does not satisfy storage limitation.

For unstructured data (uploaded files, document storage), a lifecycle policy at the storage layer expires objects after the retention period.

The free TrustYourWebsite scan flags pages where your privacy notice does not state a retention period or criteria, as required by UK GDPR Article 13(2)(a). It does not access your database, but it checks the public-facing notice for compliance with the disclosure obligation.

Platforms without a developer

Not every UK small business runs a custom database. For common platforms:

  • Shopify: use the customer data export under Settings > Data privacy, then delete accounts manually or via the bulk delete option. Shopify's own data retention FAQ confirms they delete shop data 90 days after subscription cancellation.
  • WooCommerce / WordPress: the WooCommerce GDPR tools under WooCommerce > Settings > Accounts and Privacy include a personal data removal request workflow. Schedule a quarterly review of inactive accounts.
  • Squarespace: Squarespace's data export tool is under Settings > Advanced > Export. Customer records from the Commerce section can be exported and deleted from the Forms and Customers panel.
  • Mailchimp: use the Mailchimp audience cleanup tool to suppress or archive contacts who have not opened or clicked in 24 months. Export the archive before deletion if you need an audit trail.

Audit the deletion mechanism

Log each deletion run: how many records were reviewed, how many were deleted, any failures. The log is the evidence for accountability. A consistent monthly log is more persuasive in an ICO inspection than a written policy with no execution trail.
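Putting the "Set up the deletion mechanism" rules and the "Audit the deletion mechanism" log together, the following is an added example and not the article's or any platform's code. It assumes a SQLite database with the three tables named above, an accounting year ending 31 March, a retention_log table for the evidence trail, and constructed sample rows; it hard-deletes expired rows per table in one transaction, computes the orders cutoff from the accounting period end rather than the invoice date, and records reviewed, deleted and failure counts for every run.

```python
"""Scheduled retention job with an audit log (added example)."""
import sqlite3
from datetime import date, timedelta

ACCOUNTING_YEAR_END = (3, 31)   # assumption: 31 March accounting year end


def accounting_period_end(d: date) -> date:
    """End of the accounting period that contains d."""
    month, day = ACCOUNTING_YEAR_END
    year_end = date(d.year, month, day)
    return year_end if d <= year_end else date(d.year + 1, month, day)


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                       # 29 February, non-leap target year
        return d.replace(year=d.year + years, day=28)


# (table, date column, extra SQL filter, earliest deletion date for a row).
# Table and column names are static constants, never user input, so building
# the SQL string from them is safe; row ids are always bound as parameters.
RULES = [
    ("customers", "last_activity", "account_status = 'inactive'",
     lambda d: add_years(d, 2)),                          # 2-year inactivity period
    ("orders", "invoice_date", "",
     lambda d: add_years(accounting_period_end(d), 6)),   # HMRC: 6y from period end
    ("web_sessions", "created_at", "",
     lambda d: d + timedelta(days=90)),                   # 90-day security log window
]


def run_retention(conn: sqlite3.Connection, run_date: str) -> list:
    """Apply every rule once; write and return per-table metrics."""
    today = date.fromisoformat(run_date)
    results = []
    for table, col, extra, expiry in RULES:
        where = f" WHERE {extra}" if extra else ""
        rows = conn.execute(f"SELECT id, {col} FROM {table}{where}").fetchall()
        expired = [rid for rid, d in rows if expiry(date.fromisoformat(d)) <= today]
        deleted, failures = 0, 0
        try:
            with conn:                       # one transaction per table: all or nothing
                for rid in expired:
                    deleted += conn.execute(
                        f"DELETE FROM {table} WHERE id = ?", (rid,)).rowcount
        except sqlite3.Error:
            deleted, failures = 0, 1         # rolled back, nothing removed
        with conn:
            conn.execute(
                "INSERT INTO retention_log(run_date, table_name, reviewed, deleted, failures)"
                " VALUES (?, ?, ?, ?, ?)", (run_date, table, len(rows), deleted, failures))
        results.append({"run_date": run_date, "table": table, "reviewed": len(rows),
                        "deleted": deleted, "failures": failures})
    return results


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, not real customer records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT,
                                last_activity TEXT, account_status TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                             invoice_date TEXT, total_pence INTEGER);
        CREATE TABLE web_sessions (id INTEGER PRIMARY KEY, ip TEXT, created_at TEXT);
        CREATE TABLE retention_log (run_date TEXT, table_name TEXT, reviewed INTEGER,
                                    deleted INTEGER, failures INTEGER);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "a@example.com", "2024-01-15", "inactive"),   # deletable from 2026-01-15
        (2, "b@example.com", "2024-09-01", "inactive"),   # not until 2026-09-01
        (3, "c@example.com", "2020-01-01", "active"),     # active: out of scope
    ])
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", [
        (10, 1, "2019-02-10", 1200),   # period end 2019-03-31 -> deletable 2025-03-31
        (11, 2, "2019-05-01", 800),    # period end 2020-03-31 -> deletable 2026-03-31
        (12, 3, "2020-04-02", 2500),   # period end 2021-03-31 -> kept until 2027-03-31,
                                       # although invoice_date is already > 6 years old
    ])
    conn.executemany("INSERT INTO web_sessions VALUES (?,?,?)", [
        (100, "203.0.113.7", "2026-02-01"),   # older than 90 days on 2026-06-01
        (101, "203.0.113.9", "2026-04-01"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for entry in run_retention(db, "2026-06-01"):
        print(entry)
```

Run on 2026-06-01 the job removes one inactive customer, two orders and one session and keeps order 12, which a plain invoice_date comparison would have deleted a year too early. The retention_log rows are the execution trail an inspector asks for; a rule that fails leaves its table untouched and a failures count of 1 rather than a partial delete.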

Connect retention to the Article 30 record

Each row in your Article 30 record of processing should name a retention period. The period in the register must match the period executed in the data layer. Drift between register and actual schedule is itself a finding during an ICO audit.

For the broader compliance context, the UK GDPR compliance checklist covers the other controls that surround the retention regime.

Common mistakes

"As long as necessary" without a number. UK GDPR Articles 13(2)(a) and 14(2)(a) require either the period or the criteria. "As long as necessary" by itself is neither.

Using HMRC's 6 years for all customer data. HMRC's rule applies to accounting and VAT records. It does not authorise retaining browsing history, marketing preferences or IP addresses for the same period.

Treating backups as separate from active data. A backup is a copy of personal data. If active data is deleted but the backup runs for 10 years, the personal data has not been deleted. Backup rotation must align with the retention schedule.

Ignoring the Limitation Act 1980. The 6-year contract limitation period under section 5 is relevant to how long you need warranty or purchase evidence. Once that window closes and HMRC's period has also closed, neither the legal-obligation basis nor the claims-defence justification for retention remains.

Soft delete that keeps identifiers. A deleted-flag on a database row preserves the personal data. For storage limitation, the underlying personal data must be removed, not just hidden.

Inactive accounts kept indefinitely. An account inactive for several years has no current processing purpose. Either re-engage to confirm continued purpose, or delete.

Tax retention extended to all marketing data. The same invoice that triggers a 6-year HMRC retention has a separate analysis for whether the customer's email address should be retained for marketing. The marketing consent may have lapsed long before the HMRC period ends.

Final checklist

  • Each processing activity in your Article 30 register has a defined retention period
  • Retention periods reflect the longer of operational need and legal obligation (HMRC, FCA, Limitation Act 1980)
  • The privacy notice states the period or criteria for each activity (UK GDPR Articles 13(2)(a) and 14(2)(a))
  • Deletion is implemented as a scheduled job, not a manual task
  • The deletion job logs its runs with summary metrics
  • Backups have a rotation policy that aligns with the retention schedule
  • Inactive accounts have an inactivity period defined and a deletion trigger
  • Right-to-work documents are deleted 2 years after employment ends
  • PAYE and payroll records are scheduled for deletion 3 years after the relevant tax year end
  • Anonymisation claims would pass the UK GDPR Recital 26 test against motivated re-identification
  • Quarterly review of the register, the privacy notice and the deletion mechanism in sync

This is technical analysis, not legal advice. For complex retention questions involving litigation hold, regulated sectors, or ICO investigation response, consult a solicitor who specialises in data protection.
