The Information Commissioner’s Office has published some useful guidance on the destruction of personal data. It is a key requirement of the data protection legislation that personal data should be kept for no longer than necessary for the purposes for which it is processed.
You should be aware too that data subjects have the right to request erasure of their data in certain circumstances, for example if they object to the use of their data for direct marketing purposes, and you should have procedures in place for dealing with such requests.
Consider implementing a data retention policy with recommended retention periods and destruction methods for particular categories of personal data and guidance on how to deal with third parties who process data on your behalf.
Data protection laws don’t only cover creating and sharing personal data – it also must be destroyed safely and securely when it’s no longer needed.