Guide
How to Create a GDPR-Compliant Document Retention Schedule
A retention schedule is a document that lists each type of record your business holds, the legal basis for holding it, how long to keep it, and what to do when that period expires. It's one of the practical tools covered in our document management GDPR compliance guide.
Why You Need a Written Retention Schedule
UK GDPR Article 30 requires data controllers to maintain a Record of Processing Activities (ROPA). A retention schedule is the document management component of your ROPA — it demonstrates that you've thought about what personal data you hold, why, and for how long. Without a written schedule, you have no defence if the ICO asks how you manage data retention.
Practically, a retention schedule gives every member of staff a clear answer to "how long do we keep this?" — removing guesswork and the tendency to keep everything indefinitely because nobody wants to be responsible for disposing of something they might need later.
Step 1 — Inventory Your Documents
List every category of document your business creates, receives, or stores. Don't work at the individual document level — work at the category level. Examples:
- Customer contracts
- Supplier invoices
- Employee personnel files
- Payroll records
- Health and safety risk assessments
- Marketing consent records
- CCTV footage
- Job applications (successful and unsuccessful)
For each category, note: does it contain personal data? If yes, whose personal data (employees, customers, suppliers, visitors)?
Step 2 — Identify the Legal Basis and Purpose
For each document category containing personal data, identify: the lawful basis for processing (contract, legal obligation, legitimate interests), and the business or legal purpose for keeping it. This is what justifies the retention period. The period should be the minimum necessary to fulfil that purpose — not longer.
Step 3 — Set the Retention Period
Use the legal requirements as your starting point (HMRC, employment law, sector regulations) and set retention at the required minimum. Don't exceed the legal minimum without a documented business reason. Common UK periods:
- Financial records: 6 years (HMRC)
- Employment records: 6 years after employment ends
- Contracts: 6 years after expiry (12 for deeds)
- CCTV: 31 days maximum (ICO guidance)
- Unsuccessful job applications: 6 months
- Marketing consent records: Until consent withdrawn + 1 year
Step 4 — Define the Disposal Action
For each document type, define what happens at the end of the retention period:
- Permanent deletion: Digital deletion + audit log; physical shredding
- Review and decide: Assess whether there's an ongoing business need before deletion (useful for contracts where litigation is possible)
- Archive: Move to cold storage for a further defined period before final deletion
- Transfer: Transfer to another organisation that takes responsibility (e.g. demerged business)
Retention Schedule Template
| Document Type | Personal Data? | Lawful Basis | Retention Period | Trigger | Disposal Action |
|---|---|---|---|---|---|
| Customer contracts | Yes | Contract | 6 years | Contract end date | Secure deletion |
| Employee personnel files | Yes | Legal obligation | 6 years | Employment end date | Secure deletion |
| Supplier invoices | Limited | Legal obligation | 6 years | Financial year end | Secure deletion |
| Job applications (unsuccessful) | Yes | Legitimate interest | 6 months | Decision date | Secure deletion |
| CCTV footage | Yes | Legitimate interest | 31 days | Recording date | Auto-overwrite |
Step 5 — Implement in Your DMS
Once your schedule is written, configure retention labels in your DMS to match. Each document type gets a label with the retention period and disposal action. Documents scanned into the system are automatically labelled at point of filing. The DMS handles the rest: flagging for review at expiry, or auto-deleting according to the schedule.
Step 6 — Review Annually
Retention requirements change — HMRC guidance updates, sector regulations change, business activities evolve. Review and update your retention schedule at least annually. Document the review date and any changes made.
Implement your retention schedule in a DMS
Compare DMS platforms with retention label and automated disposal features.
Compare DMS Systems →GDPR Compliance Guide →