The GDPR 7-Year Cliff is Here.

Nick Pollard
Managing Director, EMEA

Spoiler: Most companies aren't ready to press delete.
A few months ago, we were speaking to a Government Agency about their data estate. "How big is it?" we asked.
There was a pause. Some nervous shuffling. Then:
Nine petabytes. That’s roughly 4.5 trillion pages of documents. Imagine printing all of that, stacking it up, and realising you have no idea what’s in there, whether you need it, or how much of it should have been deleted years ago.
This is not an isolated case. Most large organisations have no real grasp of their total data footprint. And now, with GDPR reaching its 7-year mark in May 2025, that’s about to become a serious problem.
The 7-Year Data Problem
If your company operates on a 7-year data retention policy (common for financial and tax records), then from June 2025, you’ll officially have vast amounts of outdated, unnecessary, and potentially non-compliant data on your hands.
For most organisations, that means:
- Corporate Data: Employee records, emails, contracts, HR files, performance reviews, Slack messages, old projects.
- Public Sector Data: Tax records, legal documents, benefits applications, healthcare records.
- Financial Data: Customer transactions, KYC records, regulatory filings.
- And… Random Junk: Old backups, duplicates, spreadsheets no one updated since 2016, orphaned files from employees who left years ago.
You get the picture. And if someone (an ex-employee, a customer, a regulator) submits a Subject Access Request (SAR) asking for all the data you have on them, they could theoretically ask for 10 years’ worth of information.
Your response? "We only keep data for 7 years."
Sounds great in theory, but do you actually have a way of proving that?
The Problem: Nobody is Ready for This
The real challenge is that even if companies think they’ve got a handle on retention, almost none of them have a system to continuously track and remove aging data. And when you actually start looking, things get messy:
- Data Silos Everywhere – Cloud storage, legacy databases, SharePoint sites, email servers, file shares, backups. No single view of where all the data actually sits.
- Orphaned Data – Documents belonging to employees who left years ago. No owner, no oversight, still there.
- Dark Data – Data that’s stored but never accessed. Often forgotten, but still a liability waiting to happen.
- Exponential Growth – Large organisations create terabytes of new data every single day. That’s billions of new documents annually.
Now imagine trying to run a search across all of that to find what’s hit the 7-year mark. Most organisations don’t have the infrastructure, tools, or time to deal with this at scale. So they don’t. They leave it. They hope no one asks. Or they just buy more storage.
The Opportunity (Before It Becomes a Problem)
For those who get ahead of this, it’s not just a compliance exercise—it’s a chance to clean house:
- Regain control over vast, unstructured data estates.
- Reduce risk by identifying personal data that no longer needs to be stored.
- Save serious money on storage, backup, and hosting costs.
- Make compliance audits easier by only keeping what’s necessary.
The IT Team Litmus Test
If you really want to know where your company stands, ask your IT team one simple question:
"If we had to find and remove everything over seven years old tomorrow, how would we do it?"
If the answer is "We wouldn’t know where to start," it’s probably time to start looking.
Nick Pollard is Managing Director (EMEA) for Harmony House Technology. He is a seasoned leader with more than 20 years of experience working in real-time investigation, legal and compliance workflows across highly regulated environments.