For UK small businesses, determining the optimal retention period for customer data is a complex issue, as there is no single fixed duration under UK GDPR.
The storage limitation principle of UK GDPR is clear in its direction, but silent on specifics. It instructs organisations to hold personal data no longer than necessary, without providing a clear definition of "necessary" for any given category. As a result, every small business must develop a documented retention policy that outlines, category by category, the purpose for which data is kept and when it will be deleted or anonymised.
Standard business records, such as invoices, contracts, and VAT-related documents, typically need to be retained for six or seven years under tax and accounting rules. However, consumer-facing records require a separate approach. Inactive customer accounts, expired marketing leads, and closed support tickets should be reviewed and deleted once they no longer serve a clear, documented purpose. Without this discipline, data accumulates, increasing the risk of data breaches.
Not all consumer data deserves the same retention window. Payment and financial records carry longer obligations due to tax law and potential disputes. Marketing consent records should be kept long enough to demonstrate compliance with relevant regulations, but deleted when consent lapses. Special category data, which includes health, biometric, and certain demographic information, requires a higher standard of justification for retention and tighter access controls throughout its life.
Digital-native businesses, including online platforms and subscription services, face growing user expectations around data minimisation. Sectors that have developed strong frameworks around user transparency offer useful benchmarks, such as fintech apps, healthtech platforms, and iGaming services like betting in the UK without registration. These sectors have been pushed by regulation to minimise data collected upfront, reshaping how compliance pressure translates into practical data handling across industries.
A category-by-category approach rather than a blanket policy is now widely regarded as best practice for UK organisations. This approach allows businesses to tailor their retention policies to their specific needs and ensure compliance with relevant regulations.
Sector-specific rules complicate matters for businesses that assume general GDPR guidance is enough. Healthcare providers may need to retain patient-adjacent records for years beyond what a standard retail business would ever consider. Financial services firms operating under FCA supervision and anti-money-laundering regulations face their own mandatory minimums that override what GDPR alone would suggest. Payroll and HR outsourcing firms sit in similarly complex territory.
The Data (Use and Access) Act 2025 has begun updating and formalising parts of the UK GDPR framework. This Act has put some ICO guidance points onto a firmer statutory footing, including proportionality expectations around subject access requests. For sector-specific SMBs, this means the compliance baseline is now slightly higher than it was a year ago.
The first practical step for small businesses is to build a data map – a clear record of what personal data the business holds, where it sits, why it was collected, and how long it will be kept. Without this foundation, it is impossible to enforce a retention schedule or respond credibly to a subject access request or complaint. This can be achieved with a well-maintained spreadsheet.
The financial case for action is compelling. The average cost of a data breach for a UK SME reached £6,400 last year, according to the Government's Cyber Security Breaches Survey. Holding unnecessary data directly inflates that risk. Small businesses that set firm deletion or anonymisation dates, review their retention schedules annually, and document their reasoning are not just meeting legal requirements – they are actively reducing their exposure to a cost that can be genuinely damaging at small-business scale.