Data Retention Policy: What It Is and How to Set One Up

22 July 2025, by BOBcloud Team

What is a Data Retention Policy?

A data retention policy is a formal document that defines how long different types of data are kept, where they are stored, how they are protected, and when and how they are deleted. It applies to all data an organisation holds — emails, financial records, HR files, client data, system logs, and backups.

Without a policy, data tends to accumulate indefinitely. Staff keep everything because they are unsure what they can delete. Old systems hold data long after it is useful. And when a subject access request or legal hold arrives, nobody knows where anything is.

A well-constructed retention policy brings order to this. It also helps with compliance — GDPR, for example, requires that personal data is not kept longer than necessary for its original purpose.

Why Data Retention Matters

Legal and Regulatory Compliance

Different types of data have different legal minimum retention periods in the UK:

  • Financial records: 6 years (Companies Act 2006)
  • VAT records: 6 years (HMRC)
  • Employee records: typically 6 years after employment ends
  • Accident records: 3 years minimum (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations)
  • Medical records: varies significantly by context

GDPR adds a different dimension: personal data should not be retained longer than necessary. There is no single GDPR retention period — it depends on the purpose for which the data was collected. The ICO expects organisations to be able to justify their retention periods.

Risk Management

Keeping data indefinitely is not neutral from a risk perspective — it is actively risky. Data that is no longer needed is still subject to data breach risk. If you hold ten years of customer records that you have no legitimate reason to keep, and those records are compromised in a breach, the consequences are worse than if you had deleted them when they were no longer needed.

Storage Costs

Indefinite retention has a direct cost. For organisations using cloud storage or cloud backup, this manifests in storage bills that grow without bound. A retention policy that matches business and legal needs — and deletes what is no longer required — controls those costs.

What a Data Retention Policy Should Cover

A good retention policy should include:

Data categories: Define the types of data the organisation holds — financial records, HR records, client data, marketing data, system logs, backups, etc.

Retention periods: Specify how long each category is kept, with the legal or business justification for that period.

Storage locations: Where is each data type stored? On-premises servers, cloud storage, backup systems, email archives, paper files?

Access controls: Who can access each data type, and under what circumstances?

Deletion procedures: How is data deleted at the end of its retention period? For sensitive data, simple deletion may not be sufficient — secure deletion or physical destruction of media may be required.

Review schedule: Policies should be reviewed at least annually, and whenever there are significant changes to the business or regulatory environment.

Retention Policies and Backup

Backup and data retention interact in ways that organisations often underestimate. A backup is not exempt from retention requirements. If personal data should be deleted after three years, that deletion obligation extends to backup copies.

This means backup systems need to support granular retention — the ability to retain some data for longer periods (financial records) while applying shorter retention to others (general email correspondence). It also means that backup retention periods need to be thought about deliberately, not just left at whatever the default setting happens to be.

For MSPs managing backup on behalf of clients, this is worth raising explicitly. Many clients set backup retention once during onboarding and never review it. Helping clients align their backup retention with their data retention policy is a genuine value-add service.

Practical Steps for Setting Up a Retention Policy

  1. Audit what you hold: Before setting retention periods, understand what data you actually have, where it is, and why you have it.

  2. Identify legal requirements: For each data type, identify whether there is a statutory minimum retention period.

  3. Set business retention periods: For data without a legal minimum, set retention based on genuine business need.

  4. Document the policy: Write it down, get it approved by senior management, and make it accessible to all staff.

  5. Implement technically: Ensure that systems — including backup systems — are configured to enforce the policy.

  6. Train staff: Retention policies only work if staff understand them and follow them.

  7. Review regularly: Business needs and regulations change. The policy should be reviewed at least annually.

BOBcloud's backup platform supports flexible retention settings, allowing MSPs to configure retention at a granular level for each client and backup set. Find out more about our MSP backup platform.