Under the Data Protection Act 2018 and the UK’s implementation of the General Data Protection Regulation (UK GDPR), organisations have a clear obligation to delete personal data when it is no longer required for the purpose for which it was collected. Storage limitation is a core data protection principle, meaning personal data must not be kept indefinitely “just in case.”

Organisations should establish documented retention schedules that define how long different categories of data are kept, based on legal, regulatory, and operational requirements. Once the retention period expires, data must be securely deleted or anonymised.

Failure to comply can result in enforcement action from the Information Commissioner's Office, significant fines, and reputational damage.

The issue in many companies is understanding how what is detailed in the retention schedule (personal data register or record of processing activity) applies to the actual forms where personal data is collected and held.

To make this easier to manage the alphaZ documents forms for personal data (HR Form templates) feature an On-form Record Retention Summary which provides an overview of retention for the completed form or specific sections of the form so the user at the point of filing can see the retention for the form without having to consult the RoPA. This means administrative staff know when the data should be deleted and can act accordingly.

As well as this summary the forms are designed to make it easy to delete sections or organise content onto separate forms based on retention period.

Well designed documents can help ensure compliance!

Published: 21st December 2025