GDPR Made Clear: Storage Limitation

November 12th 2025

GDPR Storage Limitation for Cultural Organisations

The GDPR storage limitation principle is clear: don’t keep personal data for longer than you need it. But in cultural organisations, retention often happens by default. Emails pile up, chats are archived, and shared folders grow quietly in the background. Without clear boundaries, that “just in case” mindset can create serious risk. Under UK GDPR you must:

  • Know what personal data you hold and why
  • Justify how long you keep it
  • Review it regularly
  • Erase or anonymise it when it’s no longer needed

This isn’t just about ticking a compliance box – it’s about protecting your organisation from operational strain, reputational damage, and unnecessary cost.

Why Does Retention Matter?

The more personal data you keep, the more you expose your organisation to risk. That includes:

Subject Access Requests (SARs)

Under UK GDPR, anyone can request a copy of the personal data you hold about them – and you must respond within one calendar month. That includes searching emails, Teams chats, shared documents, personnel files, and any other places their data may be stored. Once the searches are complete, you must redact any information about other people – to protect their privacy – before sharing.

Cybersecurity Threats

If your systems are compromised, every unnecessary item you’ve kept becomes part of the breach.

Operational Overload

Searching, reviewing, and redacting old data takes time – and that time comes straight out of your team’s day jobs.

Digital Storage Strain

Many cultural organisations are already at capacity. Clearing out unnecessary data can free up space, reduce costs, and support environmental sustainability.

Sector Reality: Where Volume Creeps In

I occasionally support organisations through the SAR process – and every case I’ve handled has come from a current or former member of staff, not the public.

Personnel files are rarely the issue; they’re structured, well-managed, and (hopefully) retained in line with policy. The real exposure lies in emails, chats, and messages. These are often kept indefinitely, with no clear retention rules or automated deletion in place.

One SAR I worked on surfaced over 40,000 items, requiring costly external redaction support that hadn’t been budgeted for. Another produced 3,000 items and was dealt with internally, with redaction taking 75 hours of staff time. Only one organisation I work with has automated retention processes in place – three years for emails, 18 months for chats. They gave staff notice and time to save anything essential before bulk deleting anything older than the retention period. Without that kind of system in place, even a routine SAR can become a major operational event.

What Does Good Practice Look Like?

Hopefully all the processing you do is listed in your Record of Processing Activity (RoPA), along with a defined retention period and action – but if you want to demonstrate real accountability, you’ll also record when that retention action was actually completed. Too often, retention periods are defined but never acted on – and without deletion, the risk and workload just keep growing.

  • Set standard retention periods for different data types
  • Build review points into your processes
  • Delete or anonymise data when it’s no longer needed
  • Digitise paper records, then shred and securely dispose of the originals
  • Document your decisions and be ready to justify them
  • Train staff to understand why retention matters – not just legally, but operationally
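As an added illustration of the practice described above (defined retention periods per data type, a notice period before bulk deletion, and a record of when the retention action was actually completed), here is a small two-stage retention sweep. It is example code written for this page, not a tool used by the author or by any organisation mentioned; the data types, item records, `RetentionRule`/`sweep` names and the 12-month visitor feedback rule are all constructed, while the 36-month email and 18-month chat periods are the ones quoted in the case above. Items whose data type has no RoPA rule are reported rather than silently kept, since data outside the RoPA is itself a finding.

```python
"""Two-stage retention sweep with an audit record (constructed example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """One RoPA line: how long a data type is kept and what happens after."""
    data_type: str
    months: int
    action: str  # "delete" or "anonymise"


@dataclass
class Item:
    item_id: str
    data_type: str
    created: date
    content: str  # the personal data that the action removes or anonymises
    status: str = "retained"  # retained | notified | deleted | anonymised
    notified_on: Optional[date] = None


@dataclass(frozen=True)
class AuditEntry:
    """Evidence that a retention action was actually carried out."""
    data_type: str
    months: int
    action: str
    cutoff: date
    count: int
    completed_at: datetime


def months_before(d: date, months: int) -> date:
    """Calendar-accurate 'd minus N months' (31 Mar minus 1 month -> 28/29 Feb)."""
    total = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(total, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def sweep(items, schedule, today, notice_days=30):
    """One pass. Returns (audit entries written, ids of items with no retention rule).
    Stage 1 flags items past their period so staff get notice; stage 2, on a run
    at least notice_days later, applies the action and writes the audit entry."""
    rules = {r.data_type: r for r in schedule}
    unclassified, audit, due_by_rule = [], [], {}
    for it in items:
        rule = rules.get(it.data_type)
        if rule is None:
            unclassified.append(it.item_id)  # not in the RoPA: report, don't keep quietly
            continue
        if it.status in ("deleted", "anonymised"):
            continue
        if it.created > months_before(today, rule.months):
            continue  # still within its retention period
        if it.status == "retained":
            it.status, it.notified_on = "notified", today  # stage 1: give notice
        elif (today - it.notified_on).days >= notice_days:
            due_by_rule.setdefault(rule, []).append(it)  # stage 2: act
    for rule, due in due_by_rule.items():
        for it in due:
            # A real store would drop the record; here the content is removed and
            # the status marked so the outcome of the run can be inspected.
            it.content = "" if rule.action == "delete" else "[anonymised]"
            it.status = "deleted" if rule.action == "delete" else "anonymised"
        audit.append(AuditEntry(rule.data_type, rule.months, rule.action,
                                months_before(today, rule.months), len(due),
                                datetime.now(timezone.utc)))
    return audit, unclassified


SCHEDULE = [
    RetentionRule("email", 36, "delete"),                # 3 years, as quoted above
    RetentionRule("chat", 18, "delete"),                 # 18 months, as quoted above
    RetentionRule("visitor_feedback", 12, "anonymise"),  # constructed for the example
]


def sample_items():
    """Constructed sample data; dates chosen around a run date of 2025-11-12."""
    return [
        Item("m-001", "email", date(2021, 1, 10), "Re: rota - Jane Doe"),
        Item("m-002", "email", date(2024, 3, 1), "Exhibition loan - A. Smith"),
        Item("m-003", "chat", date(2023, 6, 1), "can you cover Saturday? - J.D."),
        Item("m-004", "chat", date(2025, 1, 15), "invoice query - A.S."),
        Item("m-005", "visitor_feedback", date(2024, 6, 1), "Loved it - Pat, pat@example.org"),
        Item("m-006", "slack_export", date(2019, 5, 5), "legacy export with no RoPA entry"),
    ]


def demo():
    """First run gives notice; a run 30 days later applies and records the actions."""
    items = sample_items()
    audit1, unclassified = sweep(items, SCHEDULE, date(2025, 11, 12))
    notified = sorted(i.item_id for i in items if i.status == "notified")
    audit2, _ = sweep(items, SCHEDULE, date(2025, 12, 12))
    return {
        "first_run_audit": [(a.data_type, a.count) for a in audit1],
        "unclassified": unclassified,
        "notified": notified,
        "second_run_audit": [(a.data_type, a.action, a.count) for a in audit2],
        "still_retained": sorted(i.item_id for i in items if i.status == "retained"),
        "clamp_check": months_before(date(2024, 3, 31), 1).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit entries are the part worth keeping: they show, per data type, the retention period applied, the cutoff date, how many items were acted on and when, which is the evidence that the retention action defined in the RoPA was carried out rather than merely written down. Note that the untyped `m-006` item is neither deleted nor flagged, only reported, so a sweep like this surfaces the "shared folders growing quietly" problem instead of masking it.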

If you’re holding data offline or in archived systems, you still need to justify why. And if someone asks for their data, you’ll need to retrieve and redact it – no matter how old or obscure.

Final Thoughts

Storage limitation isn’t about deleting everything – it’s about knowing what you’re keeping and why. For cultural organisations, that means setting boundaries around everyday communication data, not just formal records. Because when a SAR lands or a breach occurs, “just in case” becomes “just exposed.”

What’s Next?

Next in our GDPR principles series is Integrity and Confidentiality, often referred to as the security principle. This principle is all about protecting personal data from unauthorised access, accidental loss, or destruction. We’ll explore what the UK GDPR requires in terms of security measures, risk management, and how to build a resilient data protection strategy.

Get In Touch

If you’re a cultural organisation looking for tailored support, plain English policies, or practical training that empowers your team, we’d love to help. Get in touch for a free 30-minute consultation.
