GDPR Data Retention: How Long Can You Keep Personal Data?
## The short answer
GDPR does not set fixed retention periods. Instead, the "storage limitation" principle says you must not keep personal data for longer than you need it for the purpose you collected it. That means *you* have to decide, justify, and document how long you keep each type of data — and then actually delete or anonymise it when that time is up. "We keep everything forever, just in case" is not a defensible position; holding data you no longer need is itself a compliance risk and a security liability.
The good news is that some retention periods are effectively set for you by other laws — tax, employment, and accounting rules often dictate minimum periods — and you can build your policy around those anchors.
## Why hoarding data is a problem
Keeping personal data "just in case" feels harmless but creates real exposure:
- **More data means more risk** if you suffer a breach.
- **It contradicts the storage limitation principle.**
- **It complicates subject access requests**, because you have to search more records.
- **It can breach the data minimisation principle** if the data is no longer relevant.
Deleting data you no longer need is not just tidiness; it actively reduces your risk surface.
## How to set retention periods
Work through your data types one at a time and ask three questions:
1. **What is the purpose?** Why did you collect this data?
2. **Is there a legal minimum?** Tax, accounting and employment law often require records to be kept for set periods. These set a floor you must respect.
3. **When does the purpose end?** Once the purpose is fulfilled and no legal obligation requires retention, the clock should run out.
For example, order records may need to be kept for a period to satisfy accounting and tax rules, while a marketing mailing list should be reviewed regularly and pruned of people who never engage.
## Build a retention schedule
The practical output is a retention schedule — a simple table listing each category of data, how long you keep it, why, and what happens at the end. A typical row might read: *Category: enquiry form submissions. Retention: a defined period after last contact. Reason: to follow up on the enquiry. Action at end: delete.*
Keep the schedule realistic. A policy you cannot actually follow is worse than a modest one you can.
## Deletion done properly
When retention ends, deletion must be genuine and thorough. Consider:
- **Live systems** — CRM, databases, spreadsheets.
- **Email** — both inboxes and sent folders.
- **Backups** — you generally do not have to extract individual records from backups immediately, but you should ensure deleted data does not get silently restored, and that backups themselves age out.
- **Third parties** — if processors hold the data on your behalf, they must delete it too.
An alternative to deletion is anonymisation: if data is truly anonymised so no individual can be identified, it falls outside GDPR and can be retained for analysis. Be careful, though — weak "anonymisation" that can be reversed is still personal data.
## Automate where you can
Manual deletion drifts; people forget. Wherever possible, build retention into your systems — scheduled clean-ups, automatic flagging of records past their retention date, and review reminders. Designing deletion in from the start, rather than bolting it on, is the kind of lifecycle thinking we apply when building enterprise-grade products at neart.ai. Treat data as something with a defined end of life, not something that simply accumulates.
## Handle erasure requests alongside retention
Your retention policy interacts with the "right to erasure". People can ask you to delete their data, and in many cases you must — unless you have a lawful reason to keep it, such as a legal retention obligation. A clear retention schedule makes these requests easier to answer, because you already know what you hold and why.
## Common mistakes
- **No policy at all**, so data accumulates indefinitely.
- **A policy on paper that nobody follows.**
- **Forgetting backups and third parties** when deleting.
- **Confusing deletion with archiving** — moving data to a different folder is not deletion.
- **Over-retaining marketing data** long after people stopped engaging.
## Practical takeaway
Draw up a one-page retention schedule listing each type of personal data, how long you keep it, the legal or business reason, and what happens at the end. Anchor minimums to tax and employment rules, then set the rest based on when the purpose genuinely ends. Schedule regular clean-ups and make sure deletion reaches backups and processors. Less data held means less risk carried — retention discipline is one of the easiest wins in data protection.