Personal Data Retention and Secure Deletion

Keep information for a reason, not by default

Unnecessary personal information increases the impact of a breach, complicates access requests and makes migration or supplier exit harder. Retention should begin with the purpose and a clear trigger, then cover every live system, archive, supplier, device and backup cycle.

Quick answer

Create a schedule that records why each data set is needed, the event that starts the retention period, how long it remains necessary, which exceptions apply and how deletion is verified. Do not keep personal data indefinitely because it might be useful one day.

  • Applies worldwide
  • Reviewed by Attach Planet
  • Last reviewed: 16 July 2026

Build a retention schedule people can operate

Field Question to answer
Purpose and data What specific outcome requires which minimum personal information?
People and sensitivity Whose information is involved and what harm could misuse, inaccuracy or disclosure cause?
Systems and recipients Where does the data enter, copy, export, synchronise, archive or pass to a supplier?
Owner and authority Who approves the purpose, retention period, access and disposal? Which local legal basis or permission applies?
Trigger and period Does time begin at collection, last activity, contract end, account closure, case completion, age threshold or another event?
Exceptions Which complaint, dispute, investigation, preservation duty or legal hold pauses ordinary deletion?
Disposal and evidence How is data removed or anonymised across systems and suppliers, and what proves the process ran?

Set periods from purpose and obligations

  1. Confirm necessity. Remove fields, copies and recipients that are not needed for the stated purpose.
  2. Identify applicable rules. Check the law, regulator, contract, limitation period, professional duty and sector requirements for the relevant country.
  3. Choose a clear trigger. “Seven years” is incomplete unless people know when the seven years begin.
  4. Separate active and restricted use. Information may need to leave everyday systems before the final lawful retention period ends.
  5. Approve and publish the rule. Align privacy information, operating procedures, supplier terms and system configuration.

Delete across the complete data path

  • Primary application records and attached files
  • Email, messaging, shared drives and collaboration tools
  • Exports, spreadsheets, reports and local downloads
  • Test, development, analytics and support environments
  • Supplier and subprocessor systems
  • Mobile devices, laptops, removable media and retired hardware
  • Archives, search indexes, caches and duplicate repositories
  • Backups that expire through a documented protected lifecycle

Immediate removal from every backup may be technically unsafe or disproportionate. Document how deleted data becomes unavailable for ordinary use, remains protected, is not restored back into active processing and expires through the backup cycle unless a justified hold applies.

Verify disposal rather than assuming it

Automated evidence

Job logs, deletion counts, exception queues, supplier confirmation and alerts for records that could not be processed.

Sample testing

Search representative identities and identifiers across the systems where copies are most likely to remain.

Hardware disposal

Use an appropriate sanitisation or destruction process and retain asset, method, supplier and completion evidence.

Governance review

Recheck schedules when purposes, products, countries, suppliers, rights or legal obligations change.

UK example and worldwide caution

The UK ICO explains data minimisation, storage limitation and the right to erasure. Other countries use different rules, definitions and exceptions. Confirm the current position with the relevant regulator or qualified adviser before applying a retention schedule.

Personal data retention and deletion FAQs

How long should an organisation keep personal data?

There is no universal period. Keep it only for as long as the defined purpose and applicable legal, regulatory, contractual or dispute requirements justify. Record the trigger, period, owner, exceptions and disposal method.

Does deleting a record from the main application remove every copy?

Not necessarily. Copies may remain in email, exports, analytics, devices, suppliers, search indexes and backups. Map the data path and verify how each location deletes, restricts or ages out the data.

Can anonymised information be kept for longer?

Information that is irreversibly anonymised so that people are no longer identifiable may fall outside personal-data rules, but pseudonymised or linkable information may still be personal data. Test the real re-identification risk and local law.

Continue your cybersecurity decision

Use the next guide that matches the exposure, control or recovery question you still need to resolve.