What happens when companies finally reach the 7-year GDPR data retention limit? Spoiler: Most aren’t ready.
A few months ago, we were speaking to a Government Agency about their data estate.
"How big is it?" we asked.
There was a pause. Some nervous shuffling. Then:
"Hmmm. We don’t really know... we think around 9 petabytes with around 40+ Applications with access to it? Maybe more. But we have at least 12 more data silos, we don’t actually know the number."
Nine petabytes. That’s roughly 4.5 trillion pages of documents. Imagine printing all of that, stacking it up, and realising you have no idea what’s in there, whether you need it, or how much of it should have been deleted years ago.
This is not an isolated case. Most large organisations have no real grasp of their total data footprint. And now, with GDPR reaching its 7-year mark in May 2025, that’s about to become a serious problem.
The 7-Year Data Problem
If your company operates on a 7-year data retention policy, then from June 2025, you’ll officially have vast amounts of outdated, unnecessary, and potentially non-compliant data on your hands. For most organisations, that means:
- Corporate Data: Employee records, emails, contracts, HR files, performance reviews, Slack messages, old projects.
- Public Sector Data: Tax records, legal documents, benefits applications, healthcare records.
- Financial Data: Customer transactions, KYC records, regulatory filings.
- And… Random Junk: Old backups, duplicates, spreadsheets no one updated since 2016, orphaned files from employees who left years ago.
You get the picture. And if someone (an ex-employee, a customer, a regulator) submits a Subject Access Request (SAR) asking for all the data you have on them, they could theoretically ask for 10 years’ worth of information.
Your response?
"We only keep data for 7 years."
Sounds great in theory but do you actually have a way of proving that?
The Problem: Nobody is Ready for This
The real challenge. Even if companies think they’ve got a handle on retention almost most of them never have a system to continuously track and remove aging data. And when you actually start looking, things get messy:
- Data Silos Everywhere – Cloud storage, legacy databases, SharePoint sites, email servers, file shares, backups. No single view of where all the data actually sits.
- Orphaned Data – Documents belonging to employees who left years ago. No owner, no oversight, still there.
- Dark Data – Data that’s stored but never accessed. Often forgotten, but still liability waiting to happen.
- Exponential Growth – Large organisations create terabytes of new data every single day. That’s billions of new documents annually.
Now imagine trying to run a search across all of that to find what’s hit the 7-year mark. Most organisations don’t have the infrastructure, tools, or time to deal with this at scale. So they don’t. They leave it. They hope no one asks. Or they just buy more storage.
The Petabyte Problem No One Talks About
IT teams know this issue is spiraling. But here’s the real issue—many organisations don’t even know how big their data estate actually is. Think back to that government institution with 9PB+ of data spread across silos (with a further 12 more!) . How much of that do they still need? How much of it could be removed? No one really knows.
And if you don’t know what you have, how do you know what to delete?
That’s the real challenge. GDPR doesn’t just require that you keep data for a set period. It also states that when data is no longer necessary, it must be deleted. This means businesses need a rolling process to continuously identify and remove aging data—not just a one-time cleanup.
Most companies? They don’t have one.
The Opportunity (Before It Becomes a Problem)
For those who get ahead of this, it’s not just a compliance exercise—it’s a chance to clean house:
- Regain control over vast, unstructured data estates.
- Reduce risk by identifying personal data that no longer needs to be stored.
- Save serious money on storage, backup, and hosting costs.
- Make compliance audits and Subject Access Requests (SARs) easier by only keeping what’s necessary.
The reality is; this isn’t a problem that will fix itself. If you don’t tackle this now, you’ll be forced to do it later—probably in a high-pressure, high-risk situation, when a regulator, a lawsuit, or a massive data breach forces you to scramble.
Far better to deal with it before it becomes a headline.
Final Thought: The IT Team Litmus Test
If you really want to know where your company stands, ask your IT team one simple question:
"If we had to find and remove everything over seven years old tomorrow, how would we do it?"
If the answer is "We wouldn’t know where to start,"—it’s probably time to start looking.
Nick Pollard leads EMEA consulting for One Discovery. He is a seasoned leader with more than 20 years of experience working in real-time investigation, legal and compliance workflows across highly regulated environments like banking, energy and healthcare as well as national security organizations. You can contact at nick.pollard AT onediscovery.com
Nick Pollard : Mar 23, 2025 1:45:28 PM
