Data Retention Policy
Social Value Consultancy Ltd (registered in England & Wales, Company No. 11325322)
Policy owner: Data Protection Lead (with IT Lead)
Approved by: Managing Director
Version: 1.0
Last updated: 16 September 2025
Next review: 16 September 2026
Contact: info@socialvalueconsultancy.co.uk
1) Purpose & scope
This Schedule sets how long we keep information and how we dispose of it. It applies to all formats (digital and paper) and to all staff, contractors, and suppliers who process data for us. It supports our Privacy & UK GDPR Policy, Data Security & IT Policy, and legal obligations.
2) How to use this Schedule
- Find the category that matches the data you hold.
- Follow the retention period and trigger (when the clock starts).
- Dispose securely using the listed method unless a legal hold applies (e.g., investigation, dispute, audit).
- If a system cannot selectively delete data (e.g., in immutable backups), ensure data expires on backup rotation.
3) General rules
- Keep data no longer than necessary.
- If multiple rules apply, keep the longest applicable period.
- Document any deviations (who approved, why, and new review date).
- Apply legal holds immediately when instructed by the Data Protection Lead.
4) Retention schedule (master table)
Data category | Examples | Lawful basis (typical) | Retention period | Trigger (start of clock) | System/Owner | Disposal method |
--- | --- | --- | --- | --- | --- | --- |
Client records & contracts | SoWs, MSAs, NDAs, deliverables, approvals | Contract; Legal obligation; Legitimate interests | 6 years | Contract end / project closure | Contract repository / PM tools / SharePoint (Owner: Account Lead) | Secure delete; shred paper |
Project comms & support tickets | Emails, meeting notes, ticket threads | Contract; Legitimate interests | 3 years | Ticket/issue closure / project closure | Email, Teams/Slack, Helpdesk (Owner: Project Lead) | Secure delete |
Finance & accounting | Invoices, statements, bank recs, expense records | Legal obligation | 6 years after end of FY | Financial year end | Finance system (Owner: Finance Lead) | Secure delete; shred paper |
General enquiries & CRM leads | Contact forms, prospect lists, notes | Legitimate interests; Consent (where used) | 24 months from last meaningful contact | Last inbound/outbound interaction | CRM/Email (Owner: Sales/Marketing) | Secure delete; suppress opted-out contacts |
B2B marketing lists | Email lists, event follow-ups | Legitimate interests; Consent (where used) | Until opt-out or 24 months inactivity | Last interaction or consent date | Email platform/CRM (Owner: Marketing) | Remove; maintain suppression list indefinitely |
Events & webinars | Registration lists, attendee data | Contract; Legitimate interests; Consent | 24 months | Event end | Event platform / CRM (Owner: Marketing) | Secure delete |
Website analytics | Cookie IDs, page views, device data | Consent | 26 months (aggregated analytics); 12 months (raw logs) | Collection date | Analytics platform; Web logs (Owner: Marketing/IT) | Delete via platform settings; rotate logs |
Cookie consent records | Consent string, timestamp, preferences | Legal obligation | 24 months | Consent/change date | Consent manager (Owner: Marketing/IT) | Secure delete |
Security & access logs | Auth logs, admin actions, MFA events | Legitimate interests | 12 months | Log creation | Identity provider / SIEM (Owner: IT) | Log rotation; secure delete |
Vulnerability & pen-test reports | Scan results, fixes, pen-test reports | Legitimate interests | 3 years | Report date | Security tooling (Owner: IT) | Secure delete |
Incident & breach records | Incident reports, evidence, notifications | Legal obligation; Legitimate interests | 6 years | Incident closure | DPL/IT records (Owner: DPL/IT) | Secure delete; preserve legal hold where applicable |
Backups | System and data backups | Legitimate interests | 35 days rolling (default) | Backup creation | Backup system (Owner: IT) | Overwrite on rotation; no ad-hoc restore for deletion |
Suppliers & partners | Contracts, DPAs, due-diligence checks | Contract; Legal obligation | 6 years | Contract end | Vendor mgmt (Owner: Procurement/Finance) | Secure delete; shred paper |
Recruitment (unsuccessful) | CVs, notes, portfolios | Legitimate interests; Consent (where used) | 12 months | Decision date | ATS/HR inbox (Owner: HR/Hiring Manager) | Secure delete |
Personnel (employees/contractors) | Offer, ID, payroll, performance, training | Contract; Legal obligation | Up to 6 years after engagement ends (longer where law requires for specific records) | End of engagement | HRIS/Payroll (Owner: HR/Finance) | Secure delete; shred paper |
Training & awareness | Completion records, quiz results | Legitimate interests; Legal obligation (where applicable) | 3 years | Completion date | LMS/HRIS (Owner: HR/IT) | Secure delete |
DPIAs, LIAs & risk assessments | DPIAs, LIAs, TIAs | Legal obligation; Legitimate interests | 6 years after last use | Approval/last review | DPL records (Owner: DPL) | Secure delete |
Data subject requests | SARs, rectification, objections | Legal obligation | 3 years | Case closure | DPL records (Owner: DPL) | Secure delete |
Insurance & claims | Policies, claims files | Contract; Legitimate interests | 6 years after claim closure | Closure date | Finance/Legal (Owner: Finance/MD) | Secure delete |
Photos & comms assets (with consent) | Headshots, event photos, quotes | Consent; Legitimate interests | Until withdrawal of consent or 24 months from last use | Last use/withdrawal | DAM/SharePoint (Owner: Marketing) | Secure delete |
Product/dev artefacts (if applicable) | Repos, test data (pseudonymised) | Legitimate interests | 3 years | Version release / project end | Git/DevOps (Owner: IT/Engineering) | Secure delete; wipe secrets |