UK GDPR fundamentals · Article 5(1)(e)

Data retention periods under UK GDPR

Updated April 2026 · UK GDPR Article 5(1)(e) · ICO aligned

UK GDPR requires personal data to be kept no longer than necessary for its original purpose. Without a documented retention schedule, the default is often indefinite retention — which is itself a breach. For AML-regulated firms, the conflict between MLR 2017 retention obligations and UK GDPR must be documented and resolved.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

The storage limitation principle

Article 5(1)(e) requires that personal data be kept in a form permitting identification of data subjects for no longer than is necessary for the purposes for which it is processed. Organisations should define retention periods for each category of personal data, documented and applied consistently. The law requires the ability to justify retention, not necessarily a prescribed period for every category — but the ICO expects proportionate, documented decision-making. Keeping data “in case it is needed” is not a compliant approach.

Source: UK GDPR Article 5(1)(e); ICO storage limitation guidance

No universal retention periods

UK GDPR does not prescribe specific retention periods for most categories of data. Organisations must determine appropriate periods based on purpose, legal obligations, professional standards, and the consequences of retaining data too long. Some statutory obligations specify minimum periods — HMRC requires financial records for six years; MLR 2017 requires CDD records for five years from end of the client relationship. Where a statutory minimum applies, it sets the floor, not the ceiling.

Building a retention schedule

A data retention policy must contain a retention schedule mapping each category of data to a defined period, the basis for that period, and the destruction process. Common categories include: employee records (duration of employment plus relevant limitation period, with payroll records for at least six years); customer records (duration of relationship plus contract limitation period); CCTV footage (industry norm is typically 31 days, depending on purpose and justification); and unsuccessful recruitment records (typically no longer than six months).

MLR 2017 retention conflict

AML-regulated firms must retain CDD records for five years under MLR 2017 regulation 40. This conflicts with UK GDPR’s storage limitation principle. The conflict is resolved by Article 17(3)(b) — the exemption from erasure where retention is required by law. This must be documented in the retention policy and privacy notice. At the end of the five-year period, CDD data must be destroyed and the destruction recorded.

Source: MLR 2017 Regulation 40; UK GDPR Article 17(3)(b)

Record this. Document the retention period for every data category, the basis for each period, and the destruction process. When data is destroyed, record the date and method. Retention that cannot be evidenced is either non-existent or non-compliant.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.