Data Retention and deletion Policy

How Hampden Consultancy Group handles your data responsibly

Effective Date: 2 June 26

Data Protection Officer: Tom Billingham

Last updated: 2 June 2026

Next review: 1 June 2027

Hampden Consultancy Group (HCG) keeps personal data only for as long as it is needed, and deletes it securely once it is not. This policy sets out our approach to retaining and disposing of personal data in line with the UK GDPR, in particular the storage limitation principle in Article 5(1)(e).

Keep only what we need, only for as long as we need it. Holding personal data beyond its purpose creates risk without benefit. When a retention period ends, the data is securely deleted unless the law requires us to keep it for longer.

Purpose and scope

This policy applies to everyone who works for or on behalf of HCG, including employees, contractors and associates. It covers all personal data that HCG handles, whether we hold it as a data controller for our own business or as a data processor on behalf of a client.

Our retention principles

  • Collect only what we need for a clear and specific purpose.

  • Keep it for a defined period set out in the retention schedule below, based on the purpose and any legal duty.

  • Review regularly so that inactive or outdated records are identified and removed.

  • Delete securely from live systems, backups and devices when the period ends.

Retention schedule

HCG applies the following retention periods, based on the type of data and the business need. Periods run from the point the data is collected or last used, as appropriate.

Data type - Contact form submissions

What it includes - Names, email addresses and message content

Retention period - 2 years

Why we keep it - To respond to and follow up on enquiries

Data type - Marketing consent records

What it includes - Email opt-ins and contact preferences

Retention period - Until consent is withdrawn, or 2 years

Why we keep it - To honour your choices and evidence consent

Data type - Web analytics

What it includes - Behavioural data and IP addresses

Retention period - 26 months

Why we keep it - To understand and improve how the site is used (with consent)

Data type - Enquiry records

What it includes - Emails and form interactions

Retention period - 18 months

Why we keep it - To manage ongoing and repeat enquiries

Data type - Technical logs

What it includes - Access logs and system events

Retention period - 12 months

Why we keep it - Security, troubleshooting and audit

Data type - Backups

What it includes - Website and database backups

Retention period - 30 days (rolling)

Why we keep it - Disaster recovery and business continuity

How we delete data

HCG makes sure personal data is securely and permanently removed when it is no longer required, using a combination of:

  • Manual review — regular checks to identify and remove inactive or outdated records.

  • Automated deletion — where systems support it, data is configured to delete automatically in line with the schedule.

  • Secure disposal — data is permanently erased from live systems, backups and devices using methods that prevent recovery.

Your right to erasure

Individuals have the right to ask us to delete their personal data. Requests can be made by email to info@hampdencg.com. HCG will acknowledge a request within 3 working days and complete a valid request within 30 calendar days, in line with the UK GDPR.

The right is not absolute. Where we are required to keep certain data to meet a legal obligation, or to establish, exercise or defend legal claims, we will explain this and retain only what is necessary for that purpose.

When HCG acts as a data processor

Where HCG processes personal data on behalf of a client (for example through our DPO as a Service or other engagements), the client is the data controller and sets the retention requirements. In that situation we retain and delete the data in line with the client's instructions and the relevant contract or data processing agreement. At the end of an engagement we return or securely delete the personal data as the client directs, and confirm once this is done.

Roles and responsibilities

Data Protection Officer

Owns this policy and the retention schedule, oversees reviews, and decides on erasure requests. Single point of contact for retention and deletion questions.

IT support

Carries out and evidences deletion across live systems, backups and devices, and configures automated deletion where systems allow.

All staff

Follow the schedule, avoid keeping personal data longer than needed, and route any erasure request to the Data Protection Officer promptly.

Review

This policy and the retention schedule are reviewed at least once a year, and whenever we adopt a new tool that stores personal data or our legal obligations change, to ensure they remain accurate and effective.

FAQs

What data do you keep?

We retain only client information necessary for our services.

How long is data stored?

Data is kept only as long as needed for consultancy purposes.

Can I request data deletion?

Yes, clients can request deletion anytime, and we act promptly.

We use secure methods to keep your data safe.

How is data protected?
Who can access my data?

Only authorized Hampden Consultancy staff access your data.

Hampden Consultancy Group
Our Policies
Contact Info
info@hampdencg.com

© 2026. HCG Copyright. All rights reserved.

Privacy Policy
Cookies Policy
Data Breach Response Policy
Data Retention & Deletion Policy
Accessibility Statement
Terms of Use