What are the retention periods required for different types of online data under UK law?
Executive summary
UK law does not set universal, fixed retention periods for most types of personal data; controllers must justify retention based on purpose and document retention schedules (ICO guidance and Practical Law) [1] [2]. Some UK public services and regulators do specify defaults—HMRC uses a default “6 years + 1” for many records and GOV.UK Notify holds temporary records for 7 days—showing sectoral variation [3] [4].
1. Rule one: “No longer than necessary” is the baseline
The primary legal rule under the retained UK GDPR and the DPA 2018 is the storage limitation principle (Article 5(1)(e) UK GDPR): personal data must not be kept for longer than necessary for the purposes for which it was collected, and organisations must be able to justify any retention period in policy and documentation (ICO storage limitation guidance; HMRC manual) [1] [5]. The ICO tells controllers to set standard retention periods where possible, review data periodically, and erase or anonymise it when it is no longer needed [1]. Practical Law reiterates that a written retention schedule helps demonstrate compliance with UK GDPR and the DPA 2018 [2].
2. No single timetable — sector rules and statutory retention override
There is no single statutory timetable in UK GDPR that dictates how long every category of online data must be kept; instead, sector-specific law and regulators frequently impose explicit timeframes or default practices (Geldards analysis; Practical Law) [6] [2]. For example, government bodies publish their own retention policies and schedules (CMA, ONS, Home Office) and may require longer or shorter retention in specific contexts [7] [8] [9].
3. Concrete public-sector examples you can cite
Some public services do publish concrete periods: HMRC’s default standard retention is “6 years + 1” (six years after the last entry plus the current year) for many records, though exceptions exist for legally required retention or historic transfer to The National Archives [3]. GOV.UK Notify explicitly retains certain temporary notification data for 7 days by default, illustrating short-term operational retention choices [4]. The ONS records that where no third‑party period applies, default review periods are used (five years for non-personal datasets; two years where personal data are included) [8].
4. Practical compliance steps emphasised across guidance
Regulators and professional resources converge on the same practical controls: publish a retention policy and schedule, assign ownership for retention decisions, review records periodically (weeding), document the justification for each period, and erase or anonymise securely when a period ends (ICO retention toolkit; Practical Law; ONS) [10] [2] [8]. The ICO flags that organisations without documented storage periods, or that fail to weed records, risk breaching the storage limitation principle in Article 5(1)(e) UK GDPR and related obligations [10].
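The periods in section 3 and the controls in this section can be expressed as a small schedule engine that, for each record, produces an action (retain, review, or erase/anonymise) together with the documented justification a regulator would ask for. The following is an added illustration for this page, not code from the ICO, HMRC, ONS or GOV.UK Notify. The windows are the ones quoted above; how they map onto calendar dates (HMRC's "6 years + 1" read as the rest of the year of last entry plus six full years, ONS periods counted from the last entry and treated as review triggers rather than deletion dates) is an assumption for the example, as are the category names, record IDs and sample dates.

```python
"""Retention-schedule evaluator.

Added illustration for this page, not code from the ICO, HMRC, ONS or GOV.UK
Notify. The retention windows are the ones the page quotes; how they are
mapped onto calendar dates (below) is an assumption for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    basis: str                 # documented justification an auditor will ask for
    years: int = 0             # years beyond the last entry
    days: int = 0              # short operational windows, e.g. Notify's 7 days
    to_year_end: bool = False  # HMRC "+1": count from 31 Dec of the year of last entry
    review_only: bool = False  # ONS-style review period: triggers a review, not deletion


# Constructed schedule. Periods are from the page; the calendar interpretation is assumed.
SCHEDULE: Dict[str, Rule] = {
    "hmrc_record": Rule("HMRC default: 6 years + 1", years=6, to_year_end=True),
    "notify_temp": Rule("GOV.UK Notify default: 7 days", days=7),
    "ons_nonpersonal": Rule("ONS default review period: 5 years", years=5, review_only=True),
    "ons_personal": Rule("ONS default review period: 2 years (personal data)", years=2, review_only=True),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_entry: date
    legal_hold: bool = False   # statutory retention or archive transfer overrides the schedule


def retain_until(last_entry: date, rule: Rule) -> date:
    """Last day on which the record is covered by its documented period."""
    if rule.days:
        return last_entry + timedelta(days=rule.days)
    if rule.to_year_end:
        # "6 years + 1": the rest of the current year, then six full years.
        return date(last_entry.year + rule.years, 12, 31)
    try:
        return last_entry.replace(year=last_entry.year + rule.years)
    except ValueError:  # 29 February with no leap-day anniversary
        return last_entry.replace(year=last_entry.year + rule.years, day=28)


def decide(record: Record, today: date) -> dict:
    """Return the action for one record plus the justification to log."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        # No documented period: neither keeping nor deleting can be justified yet.
        return {"record_id": record.record_id, "action": "review", "retain_until": None,
                "justification": "no documented retention period for category "
                                 f"{record.category!r}; assign one before acting"}
    until = retain_until(record.last_entry, rule)
    if record.legal_hold:
        action, why = "retain", "legal hold / statutory retention overrides default schedule"
    elif today <= until:
        action, why = "retain", rule.basis
    elif rule.review_only:
        action, why = "review", f"{rule.basis} ended {until.isoformat()}; re-justify or erase"
    else:
        action, why = "erase_or_anonymise", f"{rule.basis} ended {until.isoformat()}"
    return {"record_id": record.record_id, "action": action,
            "retain_until": until, "justification": why}


def run_schedule(records: List[Record], today: date) -> List[dict]:
    return [decide(r, today) for r in records]


# Constructed sample records and evaluation date; chosen to exercise each branch.
AS_OF = date(2025, 3, 1)
SAMPLE = [
    Record("tax-001", "hmrc_record", date(2018, 5, 10)),
    Record("tax-002", "hmrc_record", date(2018, 5, 10), legal_hold=True),
    Record("sms-001", "notify_temp", date(2025, 2, 26)),
    Record("sms-002", "notify_temp", date(2025, 2, 20)),
    Record("ds-001", "ons_personal", date(2022, 12, 1)),
    Record("misc-001", "uncategorised", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for d in run_schedule(SAMPLE, AS_OF):
        print(f"{d['record_id']:9} {d['action']:18} {d['justification']}")
```

Two design points matter more than the arithmetic: a legal hold always wins over the default window (HMRC's own exceptions for legally required retention and archive transfer), and a record with no documented period is routed to review rather than silently kept or deleted, because either outcome would be unjustifiable under the storage limitation principle.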
5. Commercial guidance and vendor framing — useful but promotional
Commercial and consultancy sources frame retention in operational terms (automatic purging reduces liability and storage costs), but they are advisory and often tie their recommendations to their own products (Jatheon, Shredall) [11] [12]. They correctly echo that UK GDPR sets no fixed maximum; given their commercial incentives, treat vendor-recommended periods as starting points for legal review, not as legal authority [11] [12].
6. Where disputes and grey areas arise
Sources show recurring tension: the legal principle requires justification, but that leaves wide discretion and uncertainty for controllers deciding specific retention windows (Geldards; Computer Weekly) [6] [13]. The ICO is updating guidance in light of new laws (Data (Use and Access) Act) and warns that guidance may change, which creates transitional uncertainty for organisations setting retention periods [1] [10].
7. What reporting does not say (limits of available sources)
Available sources do not provide a single, definitive table of fixed retention periods for “online data” categories such as emails, logs, cookies or social-media messages under UK law; instead, they supply principles, sector examples, and specific public-sector schedules (not a universal regime) [1] [7] [4]. They also do not set out an exhaustive list of statutory retention periods across all industries—those must be checked in sector regulation or contract [2] [8].
8. Bottom line for organisations and practitioners
Treat UK law as principle-driven: adopt documented retention schedules tied to purpose, use sector rules where they exist (e.g., HMRC, ONS), review periodically, and be prepared to justify retention to regulators (ICO guidance; Practical Law; HMRC) [1] [2] [3]. Where short operational retention is acceptable (e.g., GOV.UK Notify’s 7‑day default), adopt similarly narrow windows when justified and feasible [4].