What a CRM data retention policy is (and why UK B2B teams need one)
A CRM data retention policy is a written set of rules that defines what customer and prospect data you keep in your CRM, how long you keep it, where it’s stored, and how it’s securely deleted or anonymised when it’s no longer needed. For UK B2B teams, it turns day-to-day habits (saving emails, logging calls, importing lists, syncing marketing tools) into a consistent, auditable process—so the CRM stays useful rather than becoming a “data attic”.
In practice, a good policy covers:
- Data categories (e.g., leads, customers, suppliers, former employees, support tickets, deal notes, call recordings).
- Retention periods tied to a clear purpose (sales pipeline management, account servicing, reporting) rather than “just in case”.
- Triggers that start the clock (last activity date, contract end date, closed-lost date, unsubscribe).
- Actions (delete, anonymise, restrict access, archive outside the CRM) and who approves them.
- System controls (automation rules, field-level permissions, audit logs, backup retention, vendor integrations).
UK B2B teams need this because CRM data grows fast and spreads across tools. Without clear retention rules, you risk keeping outdated contacts, duplicating records, and storing unnecessary personal data in notes and attachments. A policy helps sales and marketing work from cleaner data, improves reporting accuracy, reduces storage and admin overhead, and supports consistent handling of requests like “remove my details” across the CRM and connected platforms.
What CRM data you’re holding: contacts, leads, customers, notes, emails, calls and attachments
A UK CRM typically stores a mix of personal data (and sometimes special category data) across multiple fields and files. Mapping what you hold is the first step to setting sensible retention periods and deletion rules.
- Contacts: names, job titles, work emails, phone numbers, company details, preferences and consent/opt-in history. Retention often depends on whether there’s an ongoing relationship or a clear business need.
- Leads: enquiry forms, website source, campaign tags, sales stage and qualification notes. If a lead goes cold, many organisations set a shorter retention window and either delete or anonymise.
- Customers: account records, contract start/end dates, support history and renewal dates. These records may need to be kept longer for operational reasons and to evidence transactions, but should still be reviewed regularly.
- Notes and tasks: free-text meeting notes, call summaries and internal comments. These can unintentionally include sensitive details, so consider tighter access controls and shorter retention.
- Emails and call logs/recordings: email content, timestamps, participants, and where enabled, call recordings and transcripts. Keep only what you need (for example, for service quality or dispute handling) and document why.
- Attachments: proposals, IDs, invoices, screenshots and documents synced from email. Attachments are easy to forget, so apply the same retention rules as the parent record and ensure deletion removes the file too.
For UK GDPR alignment, record the purpose and lawful basis for each category, set review dates, and ensure your CRM can delete, anonymise, export and audit changes consistently across these data types.
How to choose retention periods in the UK: practical rules of thumb (without legal jargon)
Start by listing the types of CRM data you hold (leads, customers, suppliers, support tickets, marketing preferences, notes, call recordings) and assigning each a “why we keep it” reason. A simple rule: keep data only for as long as it’s genuinely useful for that purpose, then delete or anonymise it.
Use event-based timers rather than “X years from collection”. Examples that work well in CRMs:
- Unconverted leads: delete or anonymise after 6–18 months of no activity (shorter if you have high lead volume or rapid sales cycles).
- Active customers: keep core contact and contract-related history while the relationship is active, then start a clock from the last interaction or contract end.
- Inactive customers: consider 2–6 years after last meaningful contact for account history you may need for service continuity, reporting, or handling queries.
- Support cases: 1–3 years after closure is often enough for trend analysis and repeat issues; keep longer only if you can justify it.
- Marketing consent/preferences: keep while you market to the person, plus a short “suppression” period (e.g., 2–6 years) to remember opt-outs and avoid re-contacting.
Minimise what you keep: store “notes” carefully (avoid sensitive details), separate attachments from contact records, and redact where possible. If you need analytics, prefer aggregated reports over identifiable records. Finally, match retention to your CRM controls: automate deletion/anonymisation, set review reminders, and document the chosen periods in plain English so staff apply them consistently.
A simple UK CRM data retention policy template (copy/paste)
Purpose: This policy sets out how [Company Name] retains and deletes personal data held in its CRM, to support customer relationships while keeping data accurate, minimal and secure.
Scope: Applies to all CRM records for leads, customers, suppliers and contacts, including notes, emails, call logs, attachments and marketing preferences.
Lawful basis & principles: We keep CRM data only where we have a valid reason (e.g., contract, legitimate interests, consent) and review it regularly to ensure it remains necessary, accurate and up to date.
Retention schedule (default):
- Active customers: kept while the account is active, then reviewed [X] months after last interaction.
- Former customers: retain core contact and transaction summary for [X] years after contract end; delete or anonymise detailed notes and non-essential fields after [X] months.
- Sales leads (no purchase): delete or anonymise after [6/12/18] months of inactivity unless the contact opts in to marketing.
- Marketing consent & preferences: keep while subscribed; keep suppression/opt-out record for [X] years to respect choices.
- Support tickets/case notes: retain for [X] years from closure, then delete or anonymise.
Deletion & anonymisation: We delete records from the CRM and connected tools (email sync, marketing platform) where feasible. If full deletion is not possible, we anonymise identifiers and restrict access.
Reviews & ownership: [Role/Team] runs a monthly/quarterly inactivity report, applies the schedule, and logs actions in [Retention Log Location]. Exceptions require approval by [Role] and a documented reason.
Security: Access is role-based, exports are controlled, and backups follow a separate backup retention standard.
Build your retention schedule: map data types to purpose, owner, system and deletion trigger
Create a simple retention schedule table for your CRM that answers five questions for every data type: what it is, why you keep it, who owns it, where it lives, and what makes it safe to delete. Start by listing the data types you hold in the CRM (for example: leads, customers, contact notes, email history, call recordings, support tickets, marketing preferences, and suppression lists). For each row, write a clear purpose in plain English (e.g., “respond to enquiries,” “deliver contracted services,” “handle complaints,” “send opted-in marketing”). Avoid vague purposes like “business use.”
Next, assign an owner: a named role (Sales Ops, Marketing Manager, Customer Support Lead, DPO/Privacy Lead) responsible for accuracy and timely deletion. Then record the system of record and any copies: CRM, email platform, ticketing tool, call recording system, data warehouse, backups, and exports. This prevents “deleted in CRM, retained elsewhere” gaps.
Finally, define a deletion trigger that staff can apply consistently. Use event-based rules rather than fixed dates where possible: “X months after last meaningful contact,” “X years after contract end,” “after complaint closed + X months,” “immediately on consent withdrawal (except suppression list),” or “after unsuccessful lead + X months.” Include an exception column for legal holds (e.g., ongoing disputes) and a method column (auto-delete rule, scheduled job, manual review queue). Keep the schedule aligned to UK GDPR principles: keep only what you need, for as long as you need it, and document the reasoning.
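An added example (not part of the original article, and not any CRM vendor's code): a small Python evaluator for a schedule like the one described above, showing event-based triggers, the exception column, and what happens when a record has no trigger date. The field names, flag names, periods and sample records are constructed assumptions.

```python
import calendar
from datetime import date

# Constructed schedule rows; periods are illustrative assumptions, not advice.
SCHEDULE = {
    "lead": dict(purpose="respond to enquiries", owner="Sales Ops",
                 systems=["CRM", "email platform"],
                 trigger="last_activity", months=12, action="delete"),
    "support_ticket": dict(purpose="handle complaints", owner="Customer Support Lead",
                           systems=["CRM", "ticketing tool"],
                           trigger="closed_on", months=24, action="anonymise"),
    "former_customer": dict(purpose="deliver contracted services", owner="Sales Ops",
                            systems=["CRM", "data warehouse"],
                            trigger="contract_end", months=72, action="anonymise"),
}
EXCEPTIONS = ("legal_hold", "open_case", "open_deal")  # hypothetical flag names

def add_months(d, months):
    """Shift a date by whole months, clamping to the last day of the month."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def evaluate(record, today):
    """Return the retention decision for one record as a log-ready dict."""
    entry = {"id": record["id"], "type": record["type"]}  # no personal data logged
    rule = SCHEDULE.get(record["type"])
    start = record.get(rule["trigger"]) if rule else None
    if start is None:
        # No schedule row or no trigger date: the clock never starts, so flag it.
        return {**entry, "decision": "manual_review"}
    entry["due"] = add_months(start, rule["months"])
    if today < entry["due"]:
        return {**entry, "decision": "retain"}
    blockers = [flag for flag in EXCEPTIONS if record.get(flag)]
    if blockers:
        return {**entry, "decision": "hold", "blockers": blockers}
    return {**entry, "decision": rule["action"], "owner": rule["owner"],
            "systems": rule["systems"]}

# Constructed sample records (IDs and dates are made up for the example).
RECORDS = [
    {"id": "L-1", "type": "lead", "last_activity": date(2023, 1, 31)},
    {"id": "L-2", "type": "lead", "last_activity": date(2023, 6, 15)},
    {"id": "T-1", "type": "support_ticket", "closed_on": date(2022, 2, 28), "legal_hold": True},
    {"id": "C-1", "type": "former_customer", "contract_end": None},
]

def run_review(today):
    """Evaluate every sample record and return the retention log rows."""
    return [evaluate(r, today) for r in RECORDS]
```

Each returned row names the owner and every system holding a copy, so the reviewer can action the deletion or anonymisation everywhere the record lives, not only in the CRM.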
How to implement retention in HubSpot: lifecycle rules, lists, workflows, deletion and exports
Start by translating your UK retention policy into clear, record-level rules: what you keep (contacts, companies, deals, tickets), why you keep it (e.g., customer support, marketing consent, contractual history), and how long you keep it. In HubSpot, map this to Lifecycle stage and key date properties (e.g., “Last marketing engagement date”, “Last sales activity date”, “Contract end date”). Create a custom date property like Retention review date so every record has a single field you can filter and automate against.
Next, build active lists to segment records by retention status: “Due for review in 30 days”, “Past retention review date”, “No engagement for 24 months”, and “Former customers post-contract”. Use AND/OR logic carefully so lists reflect your policy (for example, exclude contacts with open tickets or ongoing deals).
Then use workflows to operationalise the process. Typical steps: set or update the Retention review date when lifecycle stage changes; notify an owner for a manual check; create a task to confirm lawful basis and any ongoing need; and, where appropriate, trigger a suppression action (e.g., set a “Do not market” flag) before deletion. Keep an internal “Retention decision” property (retain/delete/anonymise) to create an audit trail without storing unnecessary personal data.
For deletion, prefer controlled, list-driven deletes and document who approved them. If you need a copy for internal record-keeping, use exports with least-privilege access, export only required fields, and store files in a restricted location with a defined deletion date.
How to implement retention in Salesforce: field history, reports, automation, archiving and deletion
Start by translating your UK retention policy into clear Salesforce rules: which objects (Leads, Contacts, Cases), which lawful basis/operational need, and the retention trigger (e.g., “case closed date”, “last activity”, “contract end”). Capture the trigger in a dedicated date field so it can be reported on and automated consistently.
Field History Tracking: enable it on key objects to evidence changes to retention-related fields (status, consent preference, close date). Track only what you need to avoid unnecessary personal data duplication. Where you need longer audit trails than standard history provides, consider a custom “Retention Log” object populated by automation.
Reports & dashboards: build a “Records due for review” report using your trigger date plus a calculated “review due” field. Add filters for record owner, business unit, and data category. Schedule report emails to data stewards and team leads to support periodic reviews.
Automation: use Flow to set retention dates on creation/closure, and to move records through a simple lifecycle (Active → Review → Archive → Delete). Apply guardrails: pause deletion if there’s an open Case, active Opportunity, or legal hold flag. Log actions to a custom object for accountability.
Archiving: for data you must keep but don’t need day-to-day, export to a controlled archive (encrypted storage with access logging) and delete from Salesforce, or use an archiving tool that preserves relationships and search needs.
Deletion: use scheduled jobs to soft-delete first, then purge after a short recovery window. Validate dependencies (attachments, emails, related records) and document exceptions.
How to implement retention in Pipedrive: filters, automations, GDPR tools and data cleanup
Start by mapping a simple retention schedule to Pipedrive fields (for example: “Last activity date”, “Deal won/lost date”, “Lead created”, and “Person updated”). Create a custom single-option field like Retention status (Active, Dormant, Due for review, Delete) so you can track decisions consistently.
1) Use filters to find records due for review. In People and Organizations, build filters such as: Last activity > 24 months ago; no open deals; no upcoming activities; marketing consent = no/unknown. Save these as shared filters (e.g., “Dormant – review”) so the team works from the same lists.
2) Add automations for reminders and tagging. Use Workflow Automation to set Retention status to “Due for review” when a deal is marked Lost and no activity occurs for X days, or when a person has no activity for a set period. Route a task to a data owner (e.g., “Check lawful basis / keep or delete”) rather than deleting automatically.
3) Use GDPR tools for requests and deletion. In Pipedrive’s GDPR features, record consent where relevant, and use built-in export/anonymisation/deletion tools to handle data subject requests. Keep an internal note of the action taken and date, without storing unnecessary personal data.
4) Clean up safely. Before deleting, merge duplicates, detach irrelevant links, and check email sync/attachments. Prefer anonymising where you need to retain minimal audit context. Schedule a monthly “retention review” using saved filters, and document the rules in your UK retention policy so actions are repeatable.