There have always been controls over data retention and storage. Under the Data Protection Act 1998 (DPA) businesses were required to retain data only for no longer than necessary for the purpose for which it was obtained and then to destroy it securely.

To comply, businesses were required to review the length of time data was kept considering the purposes for which it was held, and compare it to the information given at the time of collection. In practice few, if any, considered this and many businesses decisions whether to retain data depended on the practical requirements of storing documents and data.

Data Retention Policy under the GDPR

Under the GDPR the position regarding data retention and disposal remains broadly the same. Article 5 (1) (e) states that data should be

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;…”

What does this mean in practice?

In practice data retention can be automatic with little thought as to what is kept and for how long. It would be prudent to review your business’s position with regards data retention to ensure that the period for which it is retained is necessary and can be reasonably justified if required.

It will be reasonable to keep FCA regulated data for at least the retention periods required by the FCA. It will be reasonable to retain employee pay records for at least the period required by the HMRC for tax purposes. It will be reasonable to keep any documents related to a contract for at least six years from the date of the contract (and potentially the end of any finance period).

To Do

Going forward you should consider what types of data your business collects and the reason for its collection. You will then be able to set a Data Retention Policy that suits your business. Below is a non-exhaustive list of the types of scenarios where personal data will be captured

Type of Data

Retention Period


Application forms and notes of interviews

Personnel files

Pay Records

Medical records

Customers details provided for a quotation

Customers details provided for a service or sale

Customers details provided for marketing purposes


Accident/Injury Report


Data retention in itself has never been a priority for ICO enforcement, and this is likely to continue under the GDPR. However, retaining too much data for too long does increase the risks of a data breach. That said, businesses will require data for a number of reasons, not least defending themselves in legal disputes such PPI claims or contract disputes. A good Data Retention Policy will not only help reduce the risks of a breach, but also ensure that a business has sufficient information to defend itself and comply with its legal obligations.

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.

Motor Industry Legal Services

Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advises over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.