make your free data retention policy

what is a data retention policy?
a data retention policy sets out how an organisation manages the personal data it holds, helping the organisation comply with data protection law by ensuring that it stores this data no longer than necessary. data retention policies specify how and when personal data should be deleted or anonymised, and how this process is managed.
sample data retention policy
data retention policy and schedule
statement of purpose
- (the organisation, we, our or us) is committed to adhering to the data protection and privacy rights of all individuals whose personal data it processes in the course of its activities. to do so, we are committed to meeting the requirements imposed by uk data protection laws: particularly, requirements under the uk general data protection regulation (uk gdpr) and the data protection act 2018. this data retention policy is implemented to this end, with a focus on the storage limitation principle.
- this data retention policy is based on the uk data protection laws. if this policy is at any time inconsistent with this body of law, will act (including by adjusting any relevant retention periods) to meet the requirements imposed by up-to-date uk data protection laws in priority to the requirements set out in this policy.
- any questions in relation to this policy should be referred to in the first instance, via email at .
definitions, interpretation, and scope
- within this policy, the following terms hold the following meanings:
- ‘condition for processing’ means the exceptions to the general prohibition on processing special category personal data, specified by uk data protection laws, at least one of which must apply to processing of special category personal data for that processing to be in compliance with uk data protection laws;
- ‘data protection principles’ means the 7 core principles at the heart of the uk data protection laws, which these laws are constructed to uphold;
- ‘data subject’ means the individual to whom an item of personal data relates and who can be identified from this data;
- ‘lawful bases’ means the 6 grounds set out in article 6 of the uk gdpr, at least one of which must apply to processing of personal data for that processing to be in compliance with uk data protection laws;
- ‘personal data’ means any information relating to an individual who can be identified (either directly or indirectly) by this information. references to personal data within this policy refer to all personal data that the organisation processes, including any personal data that the organisation stores following use of this data in the course of its work with or via agents, consultants, sub-contractors, or similar;
- ‘processing’ means any use of personal data outside of private personal use, including obtaining, recording, managing, using, storing, or anonymising this data;
- ‘special category personal data’ means those types of personal data that the uk data protection laws identify as being more sensitive in nature than other personal data and, consequently, as requiring a higher level of protection, including information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and biometric data;
- ‘uk data protection laws’ means any law applicable in the uk relating to the processing of personal data, including but not limited to the uk gdpr and the data protection act 2018.
- the definitions above apply also to the singular or plural, other tense, or other form of such words when used within this policy.
legal justification for processing
- is committed to ensuring that all processing of personal data carried out by us and/or our agents, sub-contractors, consultants, employees, or others working on our behalf is carried out in compliance with uk data protection laws. as such, we confirm that:
- all personal data is processed in reliance on one or more of the lawful bases;
- all special category personal data is, additionally, processed in reliance on a separate condition for processing; and
- all processing is carried out in accordance with the data protection principles.
- all necessary documentation and procedures are completed and in place to ensure that all processing is carried out in accordance with uk data protection laws and the data protection principles (e.g. the transparency and accountability principles).
- access to documentation can be requested from by emailing . access will be granted where it is appropriate to do so (e.g. with regard to other individuals’ data privacy and to business confidentiality needs).
storage limitation
- this data retention policy deals primarily with how we will uphold the data protection principle of storage limitation. the storage limitation principle requires that we do not keep (e.g. store) personal data for any longer than we need it, with ‘need’ determined by reference to the purposes and lawful bases for which given personal data is processed.
- adhering to the storage limitation principle is vital for:
- reducing the risks of data breaches and other security threats to data’s privacy and integrity;
- reducing the risk of personal data becoming irrelevant, excessive, inaccurate, or out-of-date, or being used incorrectly or by accident; and
- reducing the organisation’s legal risk by ensuring that personal data is not retained once the applicable lawful basis or bases no longer apply (i.e. once it can no longer be processed in accordance with uk data protection laws).
- to uphold the storage limitation principle, ’s commitments include (but are not limited to):
- adhering to the retention periods set out in the schedule to this policy titled ‘schedule - retention periods’;
- no longer storing personal data that, despite not yet having been held for the duration of the applicable retention period, is inappropriate to store with regard to uk data protection laws and other laws (e.g. when there is no requirement that it is retained longer for purposes such as maintaining compliant tax and employment records or dealing with legal claims);
- properly handling any individuals’ data erasure requests and, where appropriate, complying with such requests; and
- deleting or anonymising personal data that is no longer needed in accordance with this policy.
retention periods
- a retention period is a set time period after which the applicable type of personal data should be considered no longer needed and should be deleted or anonymised, unless a situation applies that requires certain personal data to be stored for longer and which justifies its further processing (including storing) under uk data protection laws. justifications and decisions on extended storage periods.
- once personal data has reached the end of its retention period, if no justification for extension or other exception applies, this data should be deleted or anonymised in accordance with the section of this policy titled ‘dealing with personal data that is no longer needed’.
- ’s retention periods are set out in the schedule to this policy titled ‘schedule - retention periods’.
- the retention periods apply however the personal data is held by us (e.g. whatever its location or format).
dealing with personal data that is no longer needed
- all personal data that is no longer needed in any way must be either deleted (i.e. erased) or anonymised.
- deletion of personal data held electronically entails this data being permanently deleted as far as is technologically possible. this means that the staff member carrying out the deletion must ensure that, after deletion, it is beyond use (i.e. they must ensure that, if any traces remain, these traces cannot identify the data subject). the staff member carrying out the deletion should ensure that:
- any offline copies of the personal data are deleted, as well as published/online versions;
- any backup copies of the personal data are deleted, whether or not such copies are up-to-date.
- deletion of personal data held in hard copy entails destruction of this data to the extent that it is beyond use (e.g. so that it cannot be reassembled or read).
- anonymisation entails personal data being altered into a form that does not allow identification of the data subject in any way (i.e. so that the information no longer constitutes personal data and is no longer covered by uk data protection laws). anonymisation may be carried out as an alternative to deletion when useful for the organisation and appropriate (e.g. for the purposes of carrying out statistical analysis with a large, anonymous dataset).
- if a staff member needs to delete or anonymise personal data and they are uncertain as to how to appropriately do so, they should contact via email at for assistance.
responsibility
- day-to-day responsibility for monitoring compliance with this policy, for setting, evaluating, and adapting data retention practices and this policy, and for setting, evaluating, and adapting retention periods, sits with .
- all individuals working for or acting on behalf of at all levels, including senior managers, officers, employees, consultants, trainees, homeworkers, part-time and fixed-term workers, casual workers, agency workers, volunteers, and interns (collectively ‘staff members’) should follow this policy in relation to any personal data that they process. if they have any questions or concerns related to this policy and their data storage obligations, they should contact via email at .
changes to the policy and to retention periods
- this policy does not form part of any contract of employment or similar and may amend it at any time at our absolute discretion.
- any changes to the retention periods will be made in compliance with the law and a new justification will be provided for each new retention period set. any such changes will be communicated to relevant staff members in a timely manner to ensure that practices are adapted accordingly.
- retention periods will be reviewed by (or somebody who has assigned to review the retention periods on their behalf and subject to their approval) at least once every , to ensure that these retention periods are still reasonable with regard to any changes to the personal data held and to any new laws or guidance relevant to a given retention period.
schedule - retention periods
description/examples
about data retention policies
learn about making your data retention policy
how to make a data retention policy
making your data retention policy online is simple. just answer a few questions and we will build your document for you. when you have all the information about your organisation’s data protection practices prepared in advance, creating your document is a quick and easy process.
you’ll need the following information:
organisation and personnel
- what is your organisation’s name?
- who holds overall responsibility for data retention within your organisation?
- what are this person’s phone number and email address?
- who is your organisation’s key contact for administrative questions related to this data retention policy? for example, the person from whom access to other data protection documents should be requested.
- what are this person’s phone number and email address?
- which other data protection documents (eg policies and procedures) does the organisation have in place? (optional)
retention periods
you’ll need to set separate retention periods for different types of personal data. for each, you need to identify:
- the type of personal data.
- what’s included in this type of personal data.
- why the organisation is processing this type of personal data.
- how long this type of personal data should be stored for (ie its retention period).
- why this type of personal data should be stored for this long (ie the justification for the retention period).
- who is responsible for this type of personal data.
reviews and approvals
- if a staff member thinks personal data should be stored beyond the end of its retention period, do they need approval from the person responsible for data retention before they can do this?
- how frequently will your retention periods be reviewed?
- does all personal data that the organisation stores need to be regularly reviewed?
- if so, how frequently must it be reviewed?
handling data that’s no longer needed
- how should staff members delete personal data stored electronically? (optional)
- how should staff members delete personal data stored in hard copy? (optional)
common terms in a data retention policy
data retention policies help organisations to meet their legal obligation to appropriately and securely handle personal data. to do this, this data retention policy template includes the following terms and sections:
statement of purpose
the policy starts by identifying the policy’s purpose, ie helping the organisation to uphold the data protection and privacy rights of any individuals whose personal data it processes (eg uses or stores), with a particular focus on storage limitation. it identifies the person within the organisation whom staff members should contact if they have any general questions about the policy.
definitions, interpretation, and scope
this clearly defines key legal terms used within the policy (eg ‘personal data’ and ‘processing’).
legal justification for processing
this section highlights the organisation’s compliance with data protection laws and identifies the legal basis upon which the organisation is legally permitted to process the personal data it holds. it then highlights that all data processing activities are carried out in accordance with the organisation’s other data protection policies and procedures, identifying key such documents if you choose to include these.
storage limitation
next, the policy explains the data protection principle of storage limitation and why upholding it is important (eg to reduce the risks of personal data being used incorrectly or of the data being subject to data breaches). the section then explains the organisation’s general commitments to upholding the storage limitation principle, for example:
- ensuring compliance with the retention periods set out in the policy
- deleting or anonymising personal data that’s no longer required
- regularly reviewing all personal data the organisation holds to identify unnecessary storage (if you choose to include this requirement), and
- handling data deletion (ie erasure) requests appropriately
retention periods
this section explains what retention periods are and how staff members should use them. for example, it explains what should happen if a staff member in charge of certain personal data believes that this data should be stored for longer than its retention period states.
dealing with personal data that is no longer needed
here, the policy explains what staff members should do with personal data that no longer needs to be stored. it explains how electronic and hard copy data should be deleted and how anonymisation may, in some cases, be an appropriate alternative to deletion.
responsibility
this is where the person with general responsibility for data retention within the organisation is identified. it’s also highlighted that all staff members are responsible for complying with the data retention policy in relation to personal data that they handle or are responsible for.
changes to the policy and to retention periods
this section highlights how the policy may change in response to changes in the personal data held or changes in relevant laws. it also requires that the person responsible for data retention reviews the retention periods set in the policy at a specified interval (as a minimum).
schedule - retention periods
the actual retention periods applicable to different types of personal data the organisation processes are set out here. each retention period will have a justification for the retention period and will highlight why the personal data is being processed, and responsibility for this type of personal data will be assigned to somebody.
if you want your data retention policy to include further or more detailed provisions, you can edit your document. however, if you do this, you may want a lawyer to review the document for you (or to make the changes for you) to make sure that your modified data retention policy complies with all relevant laws and meets your specific needs. use our ask a lawyer service for assistance.
legal tips for organisations handling personal data
complete your compliance with data protection laws
storage limitation is only one of the key data protection principles. complying with data protection laws requires ensuring that all data processing is carried out compliantly - with individuals’ privacy in mind - at every step of the way. for example:
- transparency should be upheld by providing the individuals whose information is being processed with information about the processing
- data minimisation and purpose limitation should be achieved by only collecting data for explicit, legitimate purposes, and only as much data as is required
- integrity and confidentiality should be upheld by technical and organisational measures that ensure data security
a critical first step towards compliance is learning what’s required. to learn more, you can read the various legal guides in our data protection for businesses legal centre.
setting out, implementing, and monitoring data protection policies and procedures, and creating other data protection documents that communicate data protection considerations (eg to employees and customers) is essential. you can use our gdpr documents and faqs to get started.
if you need additional help ensuring your business complies with data protection law, you can use our gdpr compliance advice service.
understand when to seek advice from a lawyer
in some circumstances, it’s good practice to ask a lawyer for advice to ensure that you comply with the law and are well protected from risks. you should consider asking for advice if:
- you need help setting or justifying retention periods
- you’re storing personal data in england, scotland, and/or wales and also elsewhere (eg in the eu or northern ireland)
- this data retention policy doesn’t cover everything you want or doesn’t meet your needs
data retention policy faqs
what is included in a data retention policy?
this data retention policy template covers:
- the importance of the storage limitation principle and how the organisation upholds it
- the organisation’s compliance with data protection laws more broadly
- what should happen to personal data that no longer needs to be stored
- responsibility for data retention
- retention periods for different types of data
why do i need a data retention policy?
a data retention policy clearly identifies an organisation’s understanding of the importance of the principle of storage limitation and how the organisation upholds this principle. it creates clearly communicated rules for staff members to follow when handling stored personal data.
this is vital to helping the organisation comply with data protection laws, conduct efficient data management, and uphold the information privacy rights of its staff, customers, and anyone else whose personal data it holds.
what is storage limitation?
storage limitation is one of the 7 key principles that underlie uk data protection law and which guide compliance with it. the storage limitation principle requires that personal data be stored only for as long as is necessary for it to be used for the purposes for which it was collected. once the data’s purpose has been fulfilled and there is no other legitimate justification for storing the data, it should no longer be stored (ie it should be securely deleted or anonymised).
this aims to minimise the risks posed to individuals by the processing of their personal data (and, in turn, the legal risks and administrative hassles posed to the organisation). for example, it reduces the risk of the data being subject to data breaches or being incorrectly or accidentally used.
for more information, read data protection principles and data retention and document destruction.
which types of data should the data retention policy cover?
an organisation’s data retention practices should cover all personal data that the organisation processes (eg collects, uses, or stores). in practice, this can cover a wide range of information, such as:
- staff and contractor information (eg personal details, payment records, and family leave and pay records), including personal data related to job applicants
- financial records (eg accounting records)
- workplace health and safety data (eg accident reports)
- customer data (eg payment details, contracts, and delivery addresses)
- photos and video content (eg id photos and security footage)
- website visitor data (eg ip addresses and email addresses)
- correspondence (eg emails and letters)
extra attention should be paid to special category personal data (eg information about someone’s health) to ensure that it receives the higher level of protection that it is legally entitled to.
how do i determine the retention period for a type of personal data?
there isn’t generally a strict set time period for which a particular type of personal data should be retained. essentially, personal data should not be stored for any longer than is necessary to enable it to fulfil the purpose(s) for which it was collected.
the retention period that should be set for a given type of data depends on various factors, including:
- the purpose for which the organisation is processing (eg using or storing) the data (eg how long this purpose will continue for)
- the level of risk the data poses to individuals' privacy (eg whether or not it is special category personal data)
- specific legal and regulatory requirements related to the type of data
laws and regulatory requirements subject organisations to various restrictions and allowances in relation to how long certain data can and should be stored for. for example, the following types of information should be retained for at least a certain amount of time:
- pay records related to income tax and national insurance contributions
- information related to health and safety incidents
it’s also justified to retain some personal data for the purpose of defending potential future legal claims (eg employment law claims). in such cases, data can generally be retained until the relevant limitation period (ie the time limit for bringing the types of legal claims relevant to the data) has ended.
for more information, including details on some set minimum data retention periods, read data retention and document destruction and the information commissioner's office (ico) guidance on storage limitation.
you can ask a lawyer if you need help setting your retention periods.
what should happen to personal data after it’s no longer needed?
personal data that’s no longer needed should be either:
- deleted, or
- anonymised
electronically held data that’s deleted should be deleted as far as is technologically possible. the person carrying out the deletion must ensure that, after deletion, the data is beyond use (ie they must ensure that, if any traces remain, these traces cannot identify the person to whom the data relates). they should ensure that any offline or backup copies are also deleted.
hard copy data that’s deleted should be destroyed to the extent that it is beyond use (eg shredded and mulched).
anonymisation is an alternative to deletion. it involves personal data being altered into a form that does not allow identification in any way of the individual to whom the data relates. anonymisation may be an appropriate alternative to deletion when it is useful for the organisation and the nature of the data and its anonymisation isn’t inappropriate (eg when the anonymised data doesn’t still pose a risk to the privacy of those to whom the data relates). for example, anonymisation may be appropriate for the purposes of conducting statistical analysis with a large, anonymous dataset.
for more information, read data retention and document destruction.
how often should data retention periods be reviewed?
data retention periods should be periodically reviewed. however, the regularity with which particular data should be reviewed depends on the nature of the data, its use, and the organisation that’s using it.
you can select how often your data retention periods should be reviewed. an appropriate approach could be to, for example, review retention periods thoroughly once every year but also keep track of any changes to the law that require retention periods to change (eg if the time period for which paye or family leave pay records must be retained were to change).