The Information Commissioner’s Office has published some useful guidance on the destruction of personal data. It is a key requirement of the data protection legislation that personal data should be kept for no longer than necessary for the purposes for which it is processed.
Businesses may go to great lengths to produce a carefully-worded privacy policy and appropriate tick boxes on data entry screens but then fail to audit and destroy obsolete data.
You should be aware too that data subjects have the right to request erasure of their data in certain circumstances, for example if they object to the use of their data for direct marketing purposes, and you should have procedures in place for dealing with such requests.
Consider implementing a data retention policy with recommended retention periods and destruction methods for particular categories of personal data and guidance on how to deal with third parties who process data on your behalf.
Data protection laws don’t only cover creating and sharing personal data – it also must be destroyed safely and securely when it’s no longer needed.
https://ico.org.uk/for-organisations/sme-web-hub/whats-new/blogs/practical-methods-for-destroying-documents-that-are-no-longer-needed/