The Best GDPR Data Retention Advice for Financial Services

Floppy disk with customer data

Last Updated on 8 June 2023 by admin

Dealing with GDPR and data retention in the financial services industry presents a number of obstacles that must be solved.

Businesses are required to retain personal data on a regular basis and conform to ever-changing data retention laws. It’s critical to comprehend the regulations governing data retention periods and the significance of sensitive data.

We answer common questions regarding GDPR data retention issues and describe what improvements to expect in this blog article.

What does the GDPR say about data retention?

According to GDPR, all data must be retained only for as long as it is useful and in a manner that is easily accessible to the data owner.

Many organizations have discovered that adhering to a specified data retention policy is critical to remaining GDPR compliant. It’s worth noting that data retention isn’t just for GDPR. Data retention is, first and foremost, a legal concern. It must be stated expressly in any firm data retention policy, or the problem could be misconstrued as a data breach.

In regard to the specific question of GDPR data retention, the ICO states in their blog post “We do not expect organizations to have a policy of withholding data, especially if it is not necessary for the business. However, organizations must comply with the legal requirement to keep data for specified periods if they are required to keep it by law.

How will GDPR and data retention in financial services change in post-Brexit 2022?

Despite the arrival of 2022, there is still some uncertainty surrounding the personal data flow between Europe and Britain. Processing personal data is now more important than ever.

As the GDPR data retention policy doesn’t tell you precisely what you need to do for data retention, or retention periods, you will need to:

  1. Make judgment calls on how long you should hold the data for
  2. Get into the position where you could prove to the regulator – the ICO in the UK – that you have grounds to hold and/or process the data
  3. Plan how the data will be used by

How do I know what data can and can’t be stored?

To begin, you must demonstrate that the data you store is for lawful purposes, with the law taking precedence.

There will be times when you acquire and use data that is not regulated by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA). Personal data used for marketing purposes, for example.

In most cases, you can only use and store data for as long as it is necessary and if you have authorization to do so. Personal data cannot be kept indefinitely and should only be kept in a form that allows the user to be identified for as long as is necessary.

How long is reasonable to retain personal data according to data retention policies?

HMRC state that you should keep employee information for three years from the end of the tax year they relate to.

You can sometimes overcome certain deadlines when it comes to data subjects if it is for scientific, historical research purposes or public interest. It’s important to note that there are no rules when it comes to storage limitations.

For your customers’ financial records, the FCA handbook states different retention requirements depending on the type of data that you keep – see SYSC Sch 1 Record keeping requirements – these can be anywhere between three to ten years.

The general rule of thumb is to prove that you can legally store and process the data. Identify the type of data you process and hold, along with the purpose of keeping it.

How should backups and archives be treated?

Firstly, as the data controller, you must ensure that your live systems process and store only the data that is necessary for your organisation. The data subject – the individual – has given you permission to process and store it.

Backups should be done on a regular basis, and you should know what is being backed up and for how long those backups are stored.

We propose separating backups based on the type of data being backed up or the system from which the data originates.

The backups can then be erased using a sliding window that is based on how old the data is. For example, backup data over five years old for financial data and three years or more for personnel data should be immediately deleted. The data can then be dealt with when it approaches the end of its retention period.

Backup and archive systems should be designed to respect the right to erasure of data subjects. In practise, achieving this in backup systems that aren’t designed to sift through systems seeking for particular information is quite challenging. As a result, a more practical strategy is required.

Was advice from the ICO and FCA at odds?

ICO and FCA worked together to make sure that GDPR and the FCA Handbook complimented each other[1]. The FCA says that their requirements apply to GDPR. Under the right to be forgotten principle, GDPR states that personal data can be kept with legal obligations:

For compliance with a legal obligation which requires the processing of personal data by Union or Member State law to which the controller is subject. This means GDPR gives way to laws you need to abide by in your country. Therefore, in the UK, the FCAs – and Prudential Regulation Authority’s – rules would need to be complied with.

And don’t forget HMRC rules for employee data. These state that employers can only keep the following data about their employees without their permission:

  • Name
  • Address
  • Date of birth
  • Sex
  • Education and qualifications
  • Work experience
  • National Insurance number
  • Tax code
  • Emergency contact details
  • Employment history with the organization
  • Employment terms and conditions – eg pay, hours of work, holidays, benefits, absence
  • Any accidents connected with work
  • Any training taken
  • Any disciplinary action

For full information, take a look at the HMRC website[2].

Practical steps that you can take to be GDPR compliant

  1. Understand where and what the data you store/process is
  2. Create a data retention policy that clearly states how long each type of data can be held for
  3. Create procedures for backing up the data. Ideally segregating the backups and implement automatic erasure procedures that can delete data after a specified time resulting in complying with your data retention policy
  4. Ensure that all backups are secured – encrypted and access granted to specific staff
  5. If individual records cannot be accessed for deletion, ensure that archiving is used where access is very limited

Privacy is changing and laws are strengthening to put the control of individuals’ data back in their hands. GDPR has outlined these rights and the right to be forgotten is one of those principles that is very difficult to achieve practically.

There will never be a perfect solution that fits all organizations, but adhering to the GDPR and data retention policies and principles can be accomplished by being practical and pragmatic.




Data protection is a top priority for all organizations. Adhering to GDPR and data retention are just two of the many challenges that will arise. However, these are not insurmountable. With the right strategy and planning, these challenges can be overcome.