Data Retention & Disposal Policy template
A data retention and disposal policy sets out how long your organisation keeps each type of record containing personal data, why, and how records are securely destroyed when the time is up. It pairs a short set of rules with a retention schedule — the table your team actually uses.
Keeping everything forever feels safe but is the opposite: every record you hold is one more you must protect, search when a subject access request arrives, and account for if there is a breach. Old data is pure liability with no operational value.
This template gives you the policy rules, a retention schedule to complete by record type, secure disposal standards, and the legal-hold mechanism that pauses destruction when a dispute or investigation is live.
Full text, ready to adapt.
Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.
Data Retention & Disposal Policy
Policy · Data & Privacy
1. Purpose and scope
This policy sets out how long {{org.name}} retains records containing personal data and how they are disposed of. It applies to all records in all formats — databases, files, emails, paper, backups, and archives — and to all staff who create or manage them.
2. Policy statement
{{org.name}} keeps personal data only as long as it is needed for a documented purpose, retains it for the periods in the schedule below, and disposes of it securely when the period ends. No one keeps personal copies, exports, or shadow spreadsheets outside the systems of record.
3. Responsibilities
- Policy owner ([name/role]): maintains this policy and the retention schedule, and decides legal holds.
- Record owners ([role per area, e.g. office manager for HR files, finance lead for accounts]): apply the schedule to their records and run periodic disposal.
- All staff: save records to the systems of record, not local drives, and flag records with no apparent owner or period.
4. How retention periods are set
- Legal or regulatory requirement: where legislation sets a period — tax and payroll records, for example — that period applies. Record the source; check current official guidance rather than folklore.
- Potential claims: some records are kept for the period during which a legal claim could realistically arise — take advice or check official guidance rather than guessing.
- Operational need: everything else is kept only as long as it is actually used, and the reason is written in the schedule.
- Where only statistics are needed long term, data is anonymised instead of retained.
5. Retention schedule
- Customer accounts and transaction records: [period] from the end of the relationship. Reason/source: [complete].
- Enquiries and prospect data: [period] from last contact. Reason/source: [complete].
- Financial, tax, and payroll records: [period — set by tax legislation; check current official guidance]. Reason/source: [complete].
- Staff records: [period] after employment ends; unsuccessful applicant records: [period] after the decision. Reason/source: [complete].
- Accident and incident records: [period]. Reason/source: [complete].
- CCTV footage: [period — typically short] unless preserved for an incident. Reason/source: [complete].
- Emails and general correspondence: [approach, e.g. deleted or archived after (period) unless filed as a record]. Reason/source: [complete].
6. Secure disposal
- Paper records are cross-cut shredded or placed in confidential waste via [provider] — never in general waste.
- Digital records are deleted from the system of record and any copies on shared drives; deletion is confirmed by the record owner.
- Devices being retired are securely wiped or destroyed via [certified provider], with certificates kept.
- When a contract with a software or service provider ends, [name/role] confirms in writing that our data has been deleted or returned.
- Disposals of whole record classes are logged: what, when, by whom.
7. Legal holds
If litigation, an investigation, a complaint, or a subject access request is live or reasonably expected, [name/role] declares a legal hold: routine destruction stops for all records in scope, and the affected record owners are told in writing. The hold overrides the schedule until [name/role] lifts it in writing.
8. Records and review
The schedule, disposal logs, and hold notices are kept at [system/location]. This policy and the schedule are reviewed [frequency, e.g. annually] and whenever we adopt new systems, new record types, or new legal obligations. Owner: [name/role]. Next review due: [date].
How to adapt this template.
Inventory what you actually hold before touching the schedule — walk the shared drives, filing cabinets, and system exports first.
Complete the reason/source column for every row; a period with no justification is the first thing that fails scrutiny.
Check periods set by other legislation — tax, payroll, health and safety — against current official guidance, not memory.
Assign a named record owner to every row, then diarise the first disposal run.
Do one supervised disposal run within a month of adopting the policy — the backlog is where the risk lives.
Cross-reference the schedule in your privacy policy and employee privacy notice so all three documents agree.
Turn this template into trained, proven behaviour
A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.
Data Retention & Disposal Policy template FAQs
Is a data retention policy a legal requirement in the UK?
No statute names the document, but UK GDPR's storage limitation and accountability principles require you to keep personal data no longer than necessary and to be able to show your reasoning. A written policy with a retention schedule is the standard way to evidence both.
How long should we keep customer data?
There is no single lawful answer — you keep it as long as you need it for the purpose it was collected for, and some records have periods effectively set by other legislation, such as tax rules. Set a period per record type, write down the reasoning, and apply it consistently.
Do backups have to be deleted too?
Personal data in backups is still personal data. A common, defensible approach is to delete from live systems immediately and let backups expire on their normal cycle, without restoring deleted data — whatever approach you take, document it and be able to explain it.
What counts as secure disposal?
Disposal the data cannot realistically come back from: cross-cut shredding or confidential waste for paper, proper deletion rather than moving files to a recycle bin for digital records, and certified wiping or destruction for retired devices. Confirm your providers do the same with data they hold for you.
What is a legal hold?
A pause on routine destruction when a dispute, investigation, complaint, or subject access request is live or reasonably expected. It overrides the retention schedule for the records in scope until it is lifted — destroying relevant records after a dispute has surfaced is far worse than keeping them too long.
Related templates
Data Protection Policy
Free UK GDPR data protection policy template: the principles in practice, staff handling rules, responsibilities, rights requests, and breach routing.
Subject Access Request (SAR) Procedure
Free UK subject access request procedure template: recognising a SAR, verifying identity, searching, redacting, and responding within one calendar month.
Privacy Policy
Free UK privacy policy template: the data you collect, lawful bases, sharing, retention, individuals' rights, and ICO complaint details. Ready to edit.
Exit & Leaver Procedure
Free exit and leaver procedure template for UK employers: resignation handling, notice-period handover, property and access, final pay, exit interviews.