You must not retain personal data for 'longer than necessary'
This is one of the 7 principles of the UK General Data Protection Regulation (UK GDPR).
You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take.
To help you decide, read more about how to identify the 'lawful basis' for processing personal data.
Establish your own retention schedule
Use our template information asset register (IAR) to keep track of all the data you hold and how long you plan to keep it.
Alternatively, you can include your retention schedule in a data retention policy. See examples from schools