This blog from Aaron Johnson, ICO Lead Policy Officer, is part of the Information Commissioner's Office (ICO) Data Fundamentals Series 2026. This blog takes a closer look at the rules around how long you should be holding onto personal data, and some steps that you can take to ensure compliance.
As we step into 2026 and start thinking about the good habits we want to build, there’s one area that’s worth getting right from the start: data retention. The results of our sector survey from last year showed that many charities and voluntary groups aren’t sure how long to keep personal data for. Our Data Fundamentals series is here to help, so let’s have a closer look at the rules around how long you should be holding onto personal data, and some steps that you can take to ensure compliance.
Under data protection law, there’s no universal rule for how long organisations should keep personal data. Organisations should only retain the minimum information necessary for their purposes, and only for as long as it’s genuinely needed. You must be able to document and justify these decisions. When you no longer need the data, it must be securely destroyed, deleted, or anonymised.
Practical steps
For charities and voluntary organisations, this can feel like a grey area, so here are some practical steps you can take to ensure compliance, reduce risk, and build trust:
Know what you hold and why
Start by mapping out the types of personal data you collect. Different types of data can be held for different amounts of time, so whether it’s for volunteers, service users, employees, donors, beneficiaries, or event attendees, be clear about the purpose behind the data that you hold and make sure you are not holding it ‘just in case’.
Set retention periods
There are many things to consider when setting your retention periods. You may find that there are legal or regulatory requirements for keeping personal data for a set amount of time. There may also be retention standards recommended as best practice within your sector that you can apply. Referring to your original purpose for processing may be helpful in deciding if you still need to hold the data.
Just because your relationship ends with an individual doesn’t mean you need to delete their information immediately. There may be a business reason to retain their data for a defined period afterwards. For example, you may keep employees’ files only until the time limit for bringing a legal claim has passed. Volunteer records can be retained long enough to manage references or confirm volunteering history. Donor contact details may be held for a short period to support appropriate re‑engagement.
Setting retention periods doesn’t need to be complicated; a straightforward retention policy can dramatically reduce your workload and ease uncertainty. You should include the relevant retention periods in your privacy notice and make sure staff and volunteers who handle personal data are aware of them.
Review regularly
Build in regular reviews of your data and retention periods. You could set simple reminders on your calendar or internal systems prompting staff to ask: is this information still needed? Are we keeping more than is necessary? If you no longer need the information, you must securely destroy, delete or anonymise it.
Why it matters
Adhering to a strong data retention policy does more than keep you organised. It helps you comply when individuals exercise their data rights, for example when you respond to subject access requests or requests for erasure. You will know exactly what data you hold and why you hold it, and you won't have to trawl through years of unnecessary paperwork to find it.
For charities and voluntary organisations, data protection isn’t just a compliance obligation. It’s a way to demonstrate to your service users, donors, volunteers and employees that you take their privacy seriously and want to do all you can to protect their personal information.
By adopting simple, proactive data retention habits now, you can save time, reduce risk, and enhance the trust that people place in your organisation into 2026 and beyond!
More resources
For more information on our Data Fundamentals series, see our launch post on what you can expect from us over the coming months.
If you have any further questions about data retention or anything data protection related, please visit our website, where you will find guidance specifically for charities and other small-to-medium-sized organisations. Here you can use our easy self-serve tools to get answers to your questions and generate tailored advice or read our helpful bitesize guidance and tips.