Document Purpose
This document outlines the Exposure Analytics Data Retention Policy. It pertains to User Data on all systems in use and covers
why the data is being stored, what our Retention Schedule is, when we audit our data, and the right to erase data.
Data Retention Policy
The Purpose: Clearly define why the data is being stored.
A Retention Schedule: A clear list outlining the specific retention periods for different categories of data (e.g., HR files, financial records, marketing databases).
Regular Audits: Scheduled reviews to identify and securely destroy or archive records that have reached the end of their retention period.
Right to Erasure: A documented process to handle individual requests to delete personal data under the right to be forgotten.
Purpose
Exposure Analytics is committed to processing personal data lawfully, fairly, and transparently in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
- General Data Protection Regulation (EU GDPR), where applicable
- Applicable contractual and regulatory obligations
This Data Retention Policy establishes the rules for retaining, reviewing, archiving, and securely disposing of personal data
and other business records to ensure data is not kept longer than necessary.
Scope
This policy applies to:
- All employees, contractors, consultants, and third-party service providers
- All personal data processed by Exposure Analytics
- Data stored in:
  - Internal systems
  - Cloud platforms
  - Databases
  - Email systems
  - CRM systems
  - Analytics platforms
  - Backup systems
  - Physical records
Principles
Exposure Analytics will ensure that:
- Personal data is retained only for legitimate business, legal, contractual, or regulatory purposes.
- Retention periods are documented and reviewed regularly.
- Data that is no longer required is securely deleted or anonymised.
- Archived data is protected with appropriate security controls.
- Retention decisions are consistent across the organisation.
- Data subjects' rights under UK GDPR are respected.
Legal Basis
Under Article 5(1)(e) UK GDPR, personal data must be:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
Exposure Analytics shall determine retention periods based on:
- Statutory obligations
- Regulatory requirements
- Contractual commitments
- Business necessity
- Limitation periods for legal claims
Retention Schedule
Customer and Client Data
| Data Type | Retention Period | Justification |
| --- | --- | --- |
| Customer account records | Duration of contract + 6 years | Contractual and legal claims |
| Customer contact details | Duration of relationship + 2 years | Business continuity and customer support |
| Client project records | Contract end + 6 years | Legal and contractual obligations |
| Client reports and deliverables | Contract end + 6 years | Business records and legal defence |
Marketing Data
| Data Type | Retention Period | Justification |
| --- | --- | --- |
| Marketing mailing lists | Until consent withdrawn or 24 months inactivity | Consent management |
| Newsletter subscriptions | Until unsubscribe | Consent |
| Website enquiry forms | 24 months | Follow-up opportunities |
| Marketing campaign analytics | 36 months | Business analysis |
Website and Analytics Data
| Data Type | Retention Period | Justification |
| --- | --- | --- |
| Website logs | 12 months | Security and troubleshooting |
| Security logs | 12 months | Cybersecurity monitoring |
| Cookie consent records | 6 years | Regulatory compliance |
| Analytics data (anonymised) | Indefinite | Statistical purposes |
| Analytics data (identifiable) | 26 months maximum | Data minimisation |
Employee Data
| Data Type | Retention Period | Justification |
| --- | --- | --- |
| Personnel files | Employment end + 6 years | Employment law claims |
| Personnel Sensitive Data (License, Passport) | Employment end + 2 years | Statutory requirements |
| Payroll records | 6 years after tax year end | HMRC requirements |
| Pension records | Up to 12 years after benefits end | Pension regulations |
| Right-to-work documentation | Employment end + 2 years | Immigration compliance |
| Performance reviews | Employment end + 6 years | Employment disputes |
| Recruitment records (unsuccessful candidates) | 12 months | Recruitment defence |
| Training records | Employment end + 6 years | Compliance evidence |
Financial and Corporate Records
| Data Type | Retention Period | Justification |
| --- | --- | --- |
| Accounting records | 6 years | Companies Act and HMRC |
| VAT records | 6 years | HMRC requirements |
| Tax documentation | 6 years | HMRC requirements |
| Contracts and agreements | Contract end + 6 years | Legal claims |
| Insurance records | Policy end + 6 years | Legal requirements |
Supplier and Vendor Data
| Data Type | Retention Period | Justification |
| --- | --- | --- |
| Supplier contracts | Contract end + 6 years | Contractual obligations |
| Supplier contact records | Contract end + 2 years | Business continuity |
| Procurement records | 6 years | Financial and audit requirements |
Special Category Data
Where Exposure Analytics processes Special Category Data under Article 9 UK GDPR:
- Retention periods shall be the minimum necessary.
- Access shall be restricted to authorised personnel only.
- Additional security measures shall be applied.
- Data shall be securely deleted once the lawful purpose expires.
Examples include:
- Health information
- Diversity and equality monitoring information
- Biometric information (if applicable)
Data Subject Rights
Individuals may exercise rights including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
Retention obligations may override erasure requests where legal or regulatory requirements exist.
Data Archiving
Where records remain necessary but are no longer actively used:
- Data may be archived.
- Access must be restricted.
- Archived data shall remain subject to this policy.
- Archived records shall be reviewed annually.
Secure Deletion and Disposal
When retention periods expire:
Electronic Records
Exposure Analytics shall:
- Permanently delete records from production systems.
- Remove records from active databases.
- Ensure deletion from cloud platforms where feasible.
- Follow NCSC and ICO guidance for secure disposal.
Physical Records
Exposure Analytics shall:
- Shred documents using cross-cut shredding.
- Use certified confidential waste providers where appropriate.
Backups
Backup systems may contain personal data.
Exposure Analytics shall:
- Maintain backup retention schedules appropriate to business continuity needs.
- Limit retention of backups wherever technically feasible.
- Ensure expired data is removed from restored environments.
- Prevent backups from becoming a means of indefinite storage.
Standard Backup Retention
| Backup Type | Retention |
| --- | --- |
| Daily backups | 30 days |
| Weekly backups | 12 weeks |
| Monthly backups | 12 months |
Legal Holds
Where litigation, regulatory investigations, or audits are ongoing:
- Normal deletion schedules shall be suspended.
- Relevant records shall be preserved.
- The DPO or designated officer shall authorise release of legal holds.
Roles and Responsibilities
Management
- Ensure compliance within their departments.
- Approve retention requirements.
Employees
- Follow this policy.
- Report retention concerns.
IT Department
- Implement deletion and archiving controls.
- Maintain secure disposal processes.
Data Protection Officer (or Appointed Privacy Lead)
- Monitor compliance.
- Conduct periodic reviews.
- Maintain retention schedules.
Monitoring and Review
Exposure Analytics shall:
- Review this policy annually.
- Conduct periodic audits of retained data.
- Update retention schedules when legal requirements change.
Non-compliance may result in disciplinary action and, where appropriate, reporting to regulators.
Note:
If Exposure Analytics processes advertising data, audience measurement data, customer behavioural analytics, or platform-derived datasets
as part of its analytics services, a separate Data Processing & Retention Standard should be maintained to define dataset-specific retention
periods, anonymisation requirements, and deletion workflows for client-facing analytics projects.
Exposure Analytics, Unit 111, Victory Business Centre, Somers Road North, Portsmouth, Hampshire, PO1 1PJ
Registered Company Number - 08818692
VAT Number - 177 3468 72