What does Article 5(1)(e) actually say?
The storage limitation principle sits at Article 5(1)(e) of UK GDPR. The text states that personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". That phrase, "no longer than is necessary", is the entire rule. There is no table of categories with prescribed timescales anywhere in the legislation.
The practical implication: you choose the retention period, but you must be able to justify it. The Information Commissioner's Office (ICO) expects controllers to define retention periods in writing, link each period to the stated purpose, and review the schedule at least annually. A marketing team that keeps its prospect database for five years because "we always have" will struggle to defend that position if challenged.
The word "necessary" does real work here. It does not mean "useful" or "might come in handy". The ICO interprets it as the minimum period required for the purpose to function. If your sales cycle averages 90 days and you target accounts once per quarter, a 36-month retention period for cold B2B prospects requires a strong justification. A 24-month period, where you make two annual outreach attempts, is far more defensible.
How does the storage limitation principle apply to B2B marketing data?
B2B prospect data sits on a lawful basis of legitimate interests under Article 6(1)(f). The retention window for that basis is tied to how long the legitimate interest genuinely subsists. Once the interest has lapsed (the contact has left the company, the role no longer exists, or the company has been wound up), continued storage needs a new justification.
In practice, 24 months from the last meaningful engagement is the figure that appears repeatedly in ICO enforcement correspondence and the DMA's own member guidance. "Meaningful engagement" means something more than a passive email delivery: a reply, a click, a meeting request, an inbound call, or a purchase all qualify. An unopened email probably does not, though reasonable people disagree on this edge case.
If you buy a B2B list from a data supplier, the clock starts from your first use of the record, not from when the supplier originally compiled it. A record sourced today and first contacted in September has its 24-month window starting in September, not from the compilation date.
What counts as engagement for the purposes of the retention clock?
The table below shows which events are generally accepted as resetting the engagement clock, and which are not. Your own legal team may take a different view on borderline cases; the important thing is to define your policy in writing rather than leaving it to individual marketing managers to decide.
| Event type | Resets engagement clock? | Notes |
|---|---|---|
| Email reply (any content) | Yes | Includes unsubscribe replies, which also trigger suppression |
| Click on a tracked link | Yes (broadly accepted) | Confirms an active individual behind the address |
| Phone call connected | Yes | Even a brief refusal to engage confirms the record is live |
| Purchase or order placed | Yes, strongly | Also triggers contract-performance basis for that order's data |
| Email opened (no click) | Contested | Apple Mail Privacy Protection inflates open rates; treat with caution |
| Email delivered (no open) | No | Delivery confirms a working inbox, not an interested human |
| Record added to CRM | Starts the initial clock only | Import date is the starting point, not a reset |
| Data refresh / re-verification | Yes, if documented | See section on data refreshes below |
How does retention work differently for B2C consent-based data?
Consumer data acquired through consent operates under a stricter constraint. The retention period must align with what individuals were told at the point of consent. If your consent statement said "we will keep your details for 12 months to send you relevant offers from our partners", you cannot hold those records for 36 months on the basis that your list is still commercially useful. The individual consented to a specific purpose and a specific duration.
When the consent period expires, you face a straightforward choice: re-contact the individual to obtain fresh consent before the original consent lapses, or delete the record. Quietly extending the period without telling the individual is a breach of the accuracy and storage limitation principles simultaneously.
Twelve to 24 months is the most common range cited in consumer data consent statements across the UK direct marketing industry. Consumer lifestyle data brokers (lifestyle questionnaire and prize-draw sources) typically refresh their files on a rolling 12-month consent cycle. This is partly legal hygiene and partly practical: a consumer's interests, household composition, and purchase behaviour change materially over two to three years, so an older record has declining commercial value anyway.
B2B vs B2C retention: a comparison
| Data type | Lawful basis | Typical retention period | Clock trigger | Key documentation requirement |
|---|---|---|---|---|
| B2B cold prospect (decision-maker) | Legitimate interests, Article 6(1)(f) | 24 months from last engagement | First contact attempt or last response | Legitimate Interests Assessment (LIA) naming the period |
| B2B warm lead (inbound enquiry) | Legitimate interests or contract | 36 months post last interaction | Date of enquiry or last follow-up | CRM activity log; LIA if still using LI basis |
| B2B existing customer | Contract plus legitimate interests for upsell | 6 years (financial records) / 24 months post-contract for marketing | Contract end date | Retention schedule cross-referenced with finance policy |
| B2C prospect (consent-based) | Consent, Article 6(1)(a) plus PECR | 12 to 24 months per consent statement | Date consent given | Consent record showing date, channel, and wording |
| B2C existing customer (email marketing) | Soft opt-in (PECR) or fresh consent | Until unsubscribe or 24 months post last purchase | Last purchase or marketing engagement | Unsubscribe audit trail; suppression file |
| Suppression file (opted-out contacts) | Legal obligation / legitimate interests in honouring opt-outs | Indefinite (minimum data: identifier and opt-out date) | Date of opt-out request | Process note showing suppression file is checked before every send |
How should you set and document a retention policy?
A retention policy for marketing data does not need to be 40 pages long, but it does need to be specific. Vague statements like "we keep data for a reasonable period" give regulators nothing to audit and give your team nothing to work from. Here is what the ICO expects to see.
Start with a data inventory. List every category of personal data your marketing function holds: CRM contacts, email subscribers, postal lists, event attendees, web enquiries, purchased lists. For each category, assign a retention period, name the lawful basis, identify the trigger event that starts the clock (import date, consent date, last purchase date), and specify the disposal method (deletion, anonymisation, or transfer to suppression file).
Set a review date. Annually is the minimum. Many organisations build a quarterly hygiene pass into their CRM workflow so that records approaching their retention deadline are flagged automatically rather than discovered during an ICO audit.
Publish a summary in your privacy notice. The ICO's own published guidance on retention (available at ico.org.uk) states that controllers should tell individuals how long their data will be kept, or the criteria used to determine that period. A privacy notice that says "we keep your contact details for up to 24 months from your last interaction with us, after which we delete or anonymise the record" is both legally compliant and commercially reassuring to prospects who read it.
For B2B prospecting under legitimate interests, your Legitimate Interests Assessment is the primary document. The retention period should be explicitly named in the LIA alongside the balancing test, so that the justification for keeping the data is tied to the justification for processing it in the first place.
What are your options when data reaches the end of its retention period?
Three paths exist: delete, anonymise, or move to a suppression file. Each has a different risk profile and a different operational cost.
Deletion
Full deletion removes all personal data fields from your systems and backups within a reasonable technical window (typically 30 days for backup purges). It is the cleanest outcome from a compliance perspective. The drawback is loss of historical campaign intelligence: if you delete a record that was contacted 20 times over two years with no response, you will not know to exclude that individual if they re-enter your list from a different source. That said, for B2C consumer records with no purchase history, deletion is usually the correct and simplest choice.
True anonymisation
Genuine anonymisation removes or irreversibly alters all fields that could re-identify an individual, including name, email, telephone, postal address, and any indirect identifiers. The ICO is explicit: anonymised data is no longer personal data and falls outside UK GDPR entirely. Pseudonymisation (replacing a name with a hash or a code) does not qualify, because the key still exists somewhere and re-identification is technically possible. If you want to keep aggregate campaign response statistics without retaining personal data, genuine anonymisation lets you do that.
Suppression files
A suppression file holds the minimum information needed to prevent re-contacting someone: typically an email address, a telephone number, or a postal identifier, plus the date of the opt-out. The ICO explicitly recognises that keeping a suppression record is not a breach of the storage limitation principle because the purpose of keeping it (honouring the opt-out) is different from and narrower than the original marketing purpose. Suppression files should be checked against every import and every send. In our experience, organisations that skip this step end up re-contacting opted-out individuals within 12 months when they buy a refreshed list from a supplier.
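To make the three end-of-retention paths and the rule that the suppression file is checked before every import and every send concrete, here is an added Python example. It is not code from the original page or from any named organisation; the SuppressionFile class, the field names and the sample contacts are constructed for illustration. It also shows why a hashed email address does not count as anonymisation: the anonymise path keeps only aggregate campaign facts and drops every identifier.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def normalise_email(addr: str) -> str:
    """Canonical form so 'Jane@Example.com ' and 'jane@example.com' match."""
    return addr.strip().lower()


class SuppressionFile:
    """Holds only what is needed to honour an opt-out: the identifier and the date."""

    def __init__(self) -> None:
        self._entries: Dict[str, date] = {}

    def add(self, identifier: str, suppressed_on: date) -> None:
        key = normalise_email(identifier)
        # Keep the earliest date if the same person is suppressed twice.
        if key not in self._entries or suppressed_on < self._entries[key]:
            self._entries[key] = suppressed_on

    def contains(self, identifier: str) -> bool:
        return normalise_email(identifier) in self._entries

    def screen(self, identifiers: List[str]) -> Tuple[List[str], List[str]]:
        """Split a send list or a supplier import into (allowed, blocked)."""
        allowed, blocked = [], []
        for ident in identifiers:
            (blocked if self.contains(ident) else allowed).append(normalise_email(ident))
        return allowed, blocked


@dataclass
class ExpiredRecord:
    """A record that has reached its retention deadline (constructed shape)."""
    email: str
    name: str
    sector: str
    contacts_attempted: int
    responded: bool


IDENTIFIER_FIELDS = ("email", "name")


def dispose(record: ExpiredRecord, path: str,
            suppression: SuppressionFile, today: date) -> Optional[dict]:
    """Apply one of the three end-of-retention paths; return whatever survives."""
    if path == "delete":
        return None                      # nothing survives, including campaign history
    if path == "suppress":
        suppression.add(record.email, today)
        return None                      # only identifier + date live on, in the file
    if path == "anonymise":
        # Only aggregate campaign facts survive. Replacing the email with a hash
        # would NOT do: that is pseudonymisation and the data stays personal data.
        survivor = {
            "sector": record.sector,
            "contacts_attempted": record.contacts_attempted,
            "responded": record.responded,
        }
        assert not any(f in survivor for f in IDENTIFIER_FIELDS)
        return survivor
    raise ValueError(f"unknown disposal path: {path!r}")


def run_example() -> dict:
    """Constructed scenario: three expired records, then a refreshed supplier list arrives."""
    suppression = SuppressionFile()
    today = date(2025, 4, 1)
    jane = ExpiredRecord("jane@example.com", "Jane Doe", "retail", 20, False)
    sam = ExpiredRecord("sam@example.org", "Sam Roe", "finance", 3, True)
    lee = ExpiredRecord("lee@example.net", "Lee Poe", "retail", 5, False)

    dispose(jane, "suppress", suppression, today)      # never contact again
    stats = dispose(sam, "anonymise", suppression, today)  # keep response stats only
    dispose(lee, "delete", suppression, today)         # gone, history included

    # The refreshed list from the supplier contains all three again.
    allowed, blocked = suppression.screen(
        ["Jane@Example.com ", "sam@example.org", "lee@example.net"])
    return {"stats": stats, "allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    print(run_example())
```

Jane is blocked because the suppression file still knows her; Sam and Lee come through as fresh records, which is exactly the loss of campaign intelligence that the deletion section above describes.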
How do data refreshes affect the retention clock?
Refreshing a record (verifying that the contact details are still current and the individual is still in the same role) can legitimately reset the retention clock, provided you treat it as a new data-collection event and document it accordingly.
What this means in practice: when you re-verify a B2B record against a live public source such as Companies House or a corporate website, note the verification date and source in your CRM. The record's retention period then runs from that verification date, not from the original import date. You still need to ensure the lawful basis holds (the legitimate interest in marketing to this person must still exist), but the storage limitation clock legitimately restarts.
Bulk list refreshes from a data supplier work the same way. If you take a 12-month-old list of 10,000 contacts and pass it through a live verification service, the records that survive verification have a new effective date. Those that fail verification (bounced emails, disconnected numbers, departed individuals) should be deleted or suppressed, not retained in the hope they will become active again.
Guidance from the ICO on marketing data makes clear that keeping records "just in case" they become relevant again is not a valid purpose. The refresh process must be applied systematically, not selectively used to justify keeping records that would otherwise be past their retention date.
Common mistake: treating a purchased list as having a shared retention date
Some marketing teams import a purchased list of 5,000 contacts and apply a single shared retention date of "24 months from import". That is better than no policy at all, but it ignores the fact that individual records within that list may have been contacted at different times and engaged (or not) at different points. Best practice is to track engagement at record level so that the clock is running from the correct trigger event for each individual.
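The engagement table, the refresh rules and the record-level point just made can be expressed as a small retention-clock check. The following Python is an added example written for this page, not the ICO's code or any CRM vendor's; the event names, the 90-day warning window for the hygiene pass and the sample records are constructed assumptions. Each record carries its own trigger events, so two contacts imported from the same purchased list on the same day get different deadlines.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Event types taken from the engagement table. Anything not listed is rejected,
# so the policy has to be written down before a record can be scored.
RESET_EVENTS = {"reply", "click", "call_connected", "purchase", "refresh_verified"}
NON_RESET_EVENTS = {"delivered", "opened"}   # 'opened' is contested, so treated as no reset

B2B_RETENTION_MONTHS = 24      # from the last meaningful engagement
EXPIRY_WARNING_DAYS = 90       # flag records inside this window for the hygiene pass


@dataclass
class Record:
    record_id: str
    basis: str                          # "legitimate_interests" (B2B) or "consent" (B2C)
    imported_on: date                   # first use by you, not the supplier's compilation date
    events: List[Tuple[date, str]] = field(default_factory=list)
    consent_given_on: Optional[date] = None
    consent_months: Optional[int] = None   # duration stated in the consent wording


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the month end (31 Jan + 1 = 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def clock_start(rec: Record) -> date:
    """Import date, or the latest event that resets the clock; delivery and opens never do."""
    starts = [rec.imported_on]
    for when, kind in rec.events:
        if kind in RESET_EVENTS:
            starts.append(when)
        elif kind not in NON_RESET_EVENTS:
            raise ValueError(f"{rec.record_id}: event {kind!r} not covered by the written policy")
    return max(starts)


def retention_deadline(rec: Record) -> date:
    """Consent data runs from the consent date for the stated period; B2B from clock_start."""
    if rec.basis == "consent":
        if rec.consent_given_on is None or rec.consent_months is None:
            raise ValueError(f"{rec.record_id}: consent record needs a date and stated duration")
        return add_months(rec.consent_given_on, rec.consent_months)
    if rec.basis == "legitimate_interests":
        return add_months(clock_start(rec), B2B_RETENTION_MONTHS)
    raise ValueError(f"{rec.record_id}: unknown lawful basis {rec.basis!r}")


def review(records: List[Record], today: date) -> Dict[str, str]:
    """Record-level status for a hygiene pass: expired, expiring_soon or active."""
    out: Dict[str, str] = {}
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline <= today:
            out[rec.record_id] = "expired"
        elif deadline - today <= timedelta(days=EXPIRY_WARNING_DAYS):
            out[rec.record_id] = "expiring_soon"
        else:
            out[rec.record_id] = "active"
    return out


# Constructed sample data: three B2B records from one purchased list, one B2C consent record.
SAMPLE_RECORDS = [
    Record("b2b-001", "legitimate_interests", date(2023, 1, 10),
           [(date(2023, 2, 1), "delivered"), (date(2023, 3, 1), "opened"),
            (date(2023, 6, 15), "click")]),                       # click resets the clock
    Record("b2b-002", "legitimate_interests", date(2023, 1, 10),
           [(date(2023, 2, 1), "delivered"), (date(2024, 9, 1), "delivered")]),  # no reset
    Record("b2b-003", "legitimate_interests", date(2022, 3, 1),
           [(date(2024, 2, 20), "refresh_verified")]),             # documented refresh resets
    Record("b2c-001", "consent", date(2024, 5, 1),
           consent_given_on=date(2024, 5, 1), consent_months=12),
]
REVIEW_DATE = date(2025, 4, 1)

if __name__ == "__main__":
    statuses = review(SAMPLE_RECORDS, REVIEW_DATE)
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, retention_deadline(rec), statuses[rec.record_id])
```

Running the hygiene pass on 1 April 2025 marks b2b-002 as expired even though it was imported on the same day as b2b-001, whose June click pushed its deadline out; b2b-003 survives on the strength of its documented refresh, and the B2C record is flagged ahead of its consent lapsing so it can be re-consented or deleted.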
What does the ICO actually enforce?
The ICO's enforcement action on retention tends to appear as an aggravating factor in broader investigations rather than as a standalone cause. When the ICO investigates a data breach or a complaint about unsolicited marketing, finding that the controller was also holding data beyond a documented retention period strengthens the case for a higher penalty.
The ICO's published reprimands (available on the ICO enforcement register) regularly include findings that organisations "had no formal data retention policy in place" or "retained personal data for longer than necessary without adequate justification". Neither finding is likely to result in a fine on its own, but both increase the overall severity score under the ICO's penalty framework.
For marketing-specific enforcement, the ICO's 2023 direct marketing guidance set out plainly that retention policies must be specific, documented, and communicated to individuals. The guidance also confirmed that suppression files are both permitted and encouraged as a mechanism for honouring opt-out rights without destroying records that inform future compliance decisions.
