You must not retain personal data for 'longer than necessary'
This is one of the 7 principles of the UK GDPR.
You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take. And remember that some types of data must be kept for a specific amount of time.
Make sure staff know what they can and cannot keep
Data protection is the responsibility of all staff. Download our UK GDPR cheat sheet to help staff understand what they need to know, and display our UK GDPR posters in staff rooms and offices to make sure everyone is informed.
Be clear on statutory retention periods
See pages 66 to