It’s a common question – How long should we retain records? The answer depends on a whole range of things. The General Data Protection Regulation states that information should not be kept for longer than required. Sounds simple. But how long should you keep files? Accountancy records are kept for 7 years, but what about something like a display screen equipment assessment?

There is a judgement to be made around the files a business holds where there is no good practice to reference. When that is the case, consider this: would the person whose information you are holding consider the length of time reasonable? I once met an osteopath whilst networking. He told me he had patient records going back 20 years, despite people not necessarily returning to him during that period. I doubt anybody who had visited him 20 years ago would expect that their details were still being held. Under GDPR there is also a requirement to keep the information up to date, which wasn’t happening here either.

You also have an obligation to keep records securely for as long as they contain personal information, so you need processes in place to make sure the security is appropriate.

A client asked whether all records should be kept for the same period. The answer is no: each record will have a period that it should be retained for. Not all of your business records will be retained for the same period.

Whatever period you decide to keep records for, you should create a retention schedule stating what period each of your records will be retained for. If there is no best practice retention period available, then put the reasoning behind your retention decision into a document so that when you look back, you know how you arrived at that length of time.

By the way, display screen equipment assessments should be kept for between 40 and 60 years according to the latest guidance.