Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’re probably juggling customer work, invoices, suppliers, and (maybe) your first hires. In the middle of all that, it’s easy to let documents pile up - contracts in email threads, HR files in a folder, old customer spreadsheets on someone’s laptop.
That’s where a solid document retention policy comes in. It’s one of those “behind the scenes” foundations that can save you serious time, cost, and legal headaches later.
In this guide, we’ll walk you through what a document retention policy is, why it matters for UK businesses, and how to create a practical policy that fits the way you actually work.
What Is A Document Retention Policy (And What Does It Cover)?
A document retention policy is a written set of rules explaining:
- what documents and records your business keeps (paper and digital);
- how long you keep them for;
- where they’re stored (and who can access them);
- how they’re securely destroyed when they’re no longer needed; and
- what happens if there’s a dispute, investigation, or legal claim (so you don’t delete something you should keep).
When we say “documents”, this isn’t just formal contracts. For many small businesses, your records can include:
- customer details and communications (emails, forms, chat logs);
- marketing lists and CRM data;
- invoices, receipts, expense claims, bank statements, and payroll records;
- employee files (contracts, right-to-work checks, disciplinaries, sick notes, training records);
- supplier contracts and purchase orders;
- complaints, refund requests, and customer service records;
- website enquiries, cookie logs, and consent records; and
- company administration documents (board/shareholder decisions, registers, key contracts).
The key point is that your retention policy shouldn’t be a generic “keep everything for 6 years” rule. Different record types have different legal, operational, and risk considerations.
Why Your Business Needs A Retention Policy (Even If You’re Small)
It’s tempting to think a retention policy is only for big corporates with compliance teams. In reality, smaller businesses often face more risk when records are disorganised - because you don’t have time to rebuild a paper trail when something goes wrong.
1. It Helps You Comply With Data Protection Laws
If you store personal data (and most businesses do), you’ll need to comply with the UK GDPR and the Data Protection Act 2018.
One of the biggest practical requirements is not keeping personal data for longer than you need it. This is sometimes referred to as the “storage limitation” principle.
A clear retention policy helps you show you’ve thought about:
- what personal data you hold;
- why you hold it;
- how long you truly need it for; and
- what happens when you don’t need it anymore (deletion, anonymisation, secure destruction).
This is especially important if you ever receive a complaint or face a regulator query - a documented retention policy is part of demonstrating good governance, not just good intentions.
Retention also ties into how you handle access and deletion requests. If someone submits a request for their data, your response often depends on knowing what you hold and where it lives. This is why businesses often pair retention rules with processes for Subject Access Requests.
2. It Reduces Risk In Disputes (Because You Can Prove What Happened)
Imagine a customer complains about what was agreed, or a supplier dispute escalates. If you’ve kept the right records for the right amount of time, you’re in a much better position to:
- show what was promised (quotes, emails, signed agreements);
- show what was delivered (delivery confirmations, completion notes);
- show what was paid (invoices and payment records); and
- respond quickly, confidently, and consistently.
On the flip side, keeping disorganised documents “forever” isn’t a good solution either. If you hold far more data than you need, you increase the amount that could be disclosed in a dispute, and you increase your data security exposure.
3. It Keeps You Ready For Tax And Accounting Requirements
Most businesses need to keep financial and accounting records for a set period (often years) for HMRC and audit purposes. While the exact period depends on your business type and the specific record, a retention policy helps you organise this properly.
As a general rule, HMRC expects limited companies to keep records for 6 years from the end of the financial year they relate to, and sole traders and partnerships to keep records for at least 5 years after the 31 January submission deadline for the relevant tax year. VAT-registered businesses must generally keep VAT records for 6 years (longer under some schemes). The right period still varies depending on what you’re recording and why - so confirm what applies to your situation with your accountant or tax adviser.
If you issue invoices, make sure your systems can consistently store and retrieve them. Your retention policy should align with how you create and keep invoices in the first place, including the information you must record on an invoice under UK rules (for example, the details a VAT invoice must show).
Note: this section is general information only and isn’t tax or accounting advice.
4. It Improves Security And Reduces Data Breach Impact
There’s a simple security principle: the less you keep, the less you can lose.
If your business suffers a phishing incident or a lost device, the impact is usually worse where:
- old customer lists are still stored on personal devices;
- ex-employee folders are still accessible;
- sensitive documents are kept “just in case” with no end date; or
- there’s no consistent deletion process.
A retention policy forces you to set a routine for archiving, restricting access, and securely deleting records. That’s good data protection practice and good business risk management.
What UK Laws And Rules Influence Retention Periods?
There isn’t one single UK law that lists exact retention periods for every document type. Instead, your retention policy is usually built by combining:
- legal obligations (tax, employment, regulatory rules);
- limitation periods (time limits for bringing certain legal claims);
- data protection principles (don’t keep personal data longer than necessary); and
- practical business needs (warranties, ongoing customer relationships, repeat work, safeguarding).
UK GDPR / Data Protection Act 2018
Under UK GDPR principles, you should only keep personal data as long as you need it for the purpose you collected it for, and then securely delete or anonymise it.
In practice, that means your retention policy should include a clear statement like:
- the categories of personal data you hold;
- the purpose for holding it; and
- the retention period (or how you decide it).
If you’re unsure how to translate UK GDPR into real-world retention periods, start with a simple retention schedule and refine it over time. The ICO’s guidance on the storage limitation principle is the practical reference point: it expects you to set a retention period (or a review cycle) you can justify for each category of personal data, rather than a single blanket period for everything.
Tax And Company Recordkeeping
HMRC requirements often mean you’ll need to keep certain records for a number of years (for example, records relating to income, expenses, and VAT where relevant). Your accountant or tax adviser can help confirm what applies to your setup.
If you’re a limited company, you may also have Companies House and company law obligations around keeping certain corporate records (and, in some cases, making them available for inspection). Some company records (like registers) may need to be kept for as long as the company exists, and some documents may need to be kept for set minimum periods - so it’s worth checking what applies to your business structure.
Employment Records
If you employ staff, you’ll likely hold sensitive information (including special category data such as health information). A retention policy is crucial here - both to keep what you may need for legal reasons, and to avoid holding it longer than necessary.
As a starting point, many employers create retention rules covering:
- recruitment records (CVs, interview notes);
- right-to-work checks;
- payroll and pension records;
- performance management and disciplinary records;
- absence and sickness records; and
- training and qualification records.
Once someone leaves, it’s common to keep certain information for a period, but you still need a plan for when it will be deleted. Your policy should reflect the way you manage ex-employee records.
Legal Claims And Limitation Periods
Even if you aren’t legally required to keep a document for a specific time, you might decide to retain it because it could be needed to defend or bring a claim.
This is where a tailored approach matters. A builder, for example, may want to retain records longer due to defect claims. A digital agency might retain project files and communications for a certain period to manage scope disputes.
If you’re setting retention periods purely based on guesswork, it’s worth getting advice - because the “right” retention period often depends on the work you do, the customers you serve, and the risks you regularly face.
How To Create A Retention Policy For Your Business (Step-By-Step)
A good retention policy shouldn’t just look good on paper. It needs to be workable day-to-day, otherwise it will be ignored the minute things get busy.
Here’s a practical way to build one.
Step 1: Map What You Collect And Where It Lives
Start by listing the categories of documents you hold and the systems you use.
- Email (Google Workspace / Microsoft 365)
- Accounting software
- CRM and marketing tools
- HR systems (or shared drives)
- Cloud storage and local devices
- Paper records (filing cabinets, offsite storage)
This step is often where businesses realise they’ve got data spread across too many places, with unclear ownership.
Step 2: Create A Retention Schedule (Your “Keep For X Years” Table)
This is the heart of your retention policy: a schedule that sets out different record types and their retention periods.
Your schedule might look like:
- Financial records (invoices, receipts, bank statements): keep for X years
- Customer contracts and project files: keep for X years after completion/termination
- Marketing lists: keep until consent expires/withdrawn, then delete
- Website enquiries: keep for X months unless converted to a customer
- Employee records: keep for X years after employment ends
Be careful: retention periods should reflect both legal obligations and the purpose you collected the data for. Under UK GDPR, you should be able to justify the period, not just copy one from another business.
Step 3: Decide Who Owns The Policy Internally
Even in a small business, someone needs to be responsible for making the retention policy real.
That could be:
- you as the founder/director;
- an operations manager;
- an office manager; or
- your finance lead (for financial record categories).
Your policy should also state who can approve exceptions, and who handles urgent issues like legal holds (more on that below).
Step 4: Set Clear Storage, Access, And Security Rules
A retention policy isn’t just about time periods. It should also set minimum standards for:
- where records are stored (e.g. company drive only, not personal emails);
- who can access them (role-based permissions);
- how they’re protected (multi-factor authentication, a password manager instead of shared passwords, encryption of devices and backups); and
- version control for key documents (contracts, policies, signed variations).
This often overlaps with broader workplace rules around tech and data. If your team uses company systems, it can be worth aligning retention rules with an Acceptable Use Policy so your staff understand where business documents should (and shouldn’t) be saved.
Step 5: Create A Deletion And Destruction Process (And Actually Use It)
This is where many retention policies fall down. A policy that never gets actioned is just a document.
Your policy should say:
- how deletion happens (a manual quarterly clean-up, automated rules such as retention labels in Microsoft 365 or retention rules in Google Vault, or a mix);
- what “secure deletion” means for your systems;
- how paper is destroyed (cross-cut shredding, certified disposal); and
- how you keep a record of destruction for sensitive categories (optional, but often sensible).
Also consider backups. If you delete a file from the live system but it survives indefinitely in backups, you aren’t meeting the spirit of your retention policy. Backups rarely allow selective deletion, so the practical approach is to give backups their own bounded retention (for example, rotating them out after a set number of months), state that in the policy, and make sure anything restored from a backup is re-checked against the schedule before it goes back into use. (This can get technical fast, so it’s worth discussing with your IT provider.)
Step 6: Build In A “Legal Hold” Rule For Disputes
A legal hold is an instruction to pause deletion of certain records because they may be relevant to a dispute, complaint, investigation, or legal proceedings.
Your retention policy should include a simple rule like:
- if a dispute arises (or you reasonably anticipate one), relevant records must not be deleted even if their retention period has expired;
- who decides when a legal hold applies; and
- when the legal hold can be lifted.
This is one of the most important “safety valves” in a retention policy. It helps you avoid accidental deletion at the worst possible time.
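Steps 2, 5 and 6 fit together as one mechanism: a schedule that says how long each record type is kept and from which event the clock starts, a sweep that selects what has expired, and a legal hold that overrides the sweep. The following is an added example written for this article, not Sprintlaw’s code or template. The record types, periods, record IDs and hold references are constructed placeholders, and the periods are not legal advice; replace them with the ones you can justify for your own business.

```python
"""Retention sweep with legal-hold override (added example; not Sprintlaw's code)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    keep_months: int    # how long to keep the record, counted from the anchor event
    anchor_event: str   # human-readable description of the event the clock starts from


# Constructed schedule for the example. Periods are placeholders, not legal advice.
SCHEDULE: Dict[str, RetentionRule] = {
    "invoice":           RetentionRule(6 * 12, "end of the financial year the invoice falls in"),
    "customer_contract": RetentionRule(6 * 12, "contract completion or termination"),
    "employee_file":     RetentionRule(6 * 12, "end of employment"),
    "website_enquiry":   RetentionRule(6, "date the enquiry was received"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    anchor_date: Optional[date]   # None means the anchoring event has not happened yet


@dataclass(frozen=True)
class LegalHold:
    reference: str                # the dispute/matter the hold relates to
    record_ids: FrozenSet[str]
    lifted_on: Optional[date] = None

    def active(self, today: date) -> bool:
        # A hold stays in force until someone records the date it was lifted.
        return self.lifted_on is None or self.lifted_on > today


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day (31 Jan + 1 month -> 29 Feb in a leap year)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expiry_date(record: Record, schedule: Dict[str, RetentionRule] = SCHEDULE) -> Optional[date]:
    """Date the retention period ends, or None if the clock has not started."""
    if record.anchor_date is None:
        return None
    return add_months(record.anchor_date, schedule[record.record_type].keep_months)


def sweep(records: List[Record], holds: List[LegalHold], today: date,
          schedule: Dict[str, RetentionRule] = SCHEDULE) -> Tuple[List[dict], Dict[str, str]]:
    """Return (destruction log entries, retained record -> reason) for one sweep run."""
    held = set()
    for hold in holds:
        if hold.active(today):
            held |= hold.record_ids

    to_delete: List[dict] = []
    retained: Dict[str, str] = {}
    for rec in records:
        if rec.record_id in held:              # Step 6: hold beats an expired period
            retained[rec.record_id] = "legal hold"
        elif rec.record_type not in schedule:  # unclassified data is never silently deleted
            retained[rec.record_id] = "no retention rule; classify before deleting"
        elif (expiry := expiry_date(rec, schedule)) is None:
            retained[rec.record_id] = "retention clock not started"
        elif expiry > today:
            retained[rec.record_id] = f"retain until {expiry.isoformat()}"
        else:                                  # Step 5: log what is destroyed and why
            to_delete.append({"record_id": rec.record_id, "record_type": rec.record_type,
                              "expired_on": expiry.isoformat(), "actioned_on": today.isoformat()})
    return to_delete, retained


# Constructed sample data: IDs, dates and the matter reference are invented for the example.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-1", "invoice", date(2017, 3, 31)),           # expired 2023-03-31
    Record("inv-2", "invoice", date(2019, 3, 31)),           # runs to 2025-03-31
    Record("ctr-1", "customer_contract", None),              # contract still live
    Record("ctr-2", "customer_contract", date(2016, 1, 15)), # expired, but on hold
    Record("emp-1", "employee_file", date(2017, 8, 31)),     # expired 2023-08-31
    Record("enq-1", "website_enquiry", date(2024, 1, 10)),   # runs to 2024-07-10
    Record("enq-2", "website_enquiry", date(2023, 11, 30)),  # expired 2024-05-30
    Record("misc-1", "slack_export", date(2020, 1, 1)),      # no rule in the schedule
]
SAMPLE_HOLDS = [
    LegalHold("Smith dispute (hypothetical)", frozenset({"ctr-2"})),
    LegalHold("closed matter (hypothetical)", frozenset({"emp-1"}), lifted_on=date(2024, 1, 1)),
]

if __name__ == "__main__":
    destroyed, kept = sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, AS_OF)
    for entry in destroyed:
        print("DESTROY", entry)
    for record_id, reason in kept.items():
        print("KEEP   ", record_id, "-", reason)
```

The sweep never deletes a record it cannot classify, and a lifted hold only stops protecting a record once its `lifted_on` date has passed, so the destruction log for each run doubles as the “record of destruction” mentioned in Step 5.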
Step 7: Review Your Policy Regularly
Your business won’t look the same in 12 months as it does today - new systems, new hires, new service lines, new regulators, bigger contracts.
Set a calendar reminder to review your retention policy at least annually, or sooner if you:
- start employing staff;
- launch a new product or subscription model;
- expand into regulated work; or
- change your core tools (CRM, HR system, accounting platform).
And if you collect personal data through your website, your retention approach should be reflected in your Privacy Policy so customers understand what you do with their information.
Common Retention Policy Mistakes Small Businesses Should Avoid
A retention policy is meant to reduce risk - but if it’s poorly designed, it can create problems of its own.
Keeping Everything “Just In Case”
Holding onto everything forever is rarely a safe strategy. It can:
- increase your GDPR risk (keeping personal data without a clear purpose);
- increase cyber risk (more data exposed if something goes wrong); and
- make it harder to find the documents you actually need.
Copy-Pasting A Template Without Adapting It
Templates can be a useful starting point, but your retention policy should reflect how your business operates and what you actually do with information.
If your team uses WhatsApp to speak to customers, for example, that’s a recordkeeping and retention issue. If you outsource payroll, that changes where data lives and how deletion works.
Not Accounting For Subject Access Requests (SARs)
If you receive a data request, you’ll need to locate personal data across your systems within a strict timeframe - usually one month from receiving the request, extendable by up to two further months for complex or numerous requests. If your retention policy doesn’t match your real systems and practices, SAR responses become stressful (and risky).
This is especially relevant for employers managing employee data, where you may need a workable process for SAR responses and redactions.
No Rules For Leavers, Old Devices, Or Shared Accounts
Small businesses often grow quickly, and admin doesn’t always keep up. Your policy should deal with practical realities like:
- what happens to an ex-employee’s emails and files;
- how you handle shared inboxes (e.g. sales@);
- how long devices are kept and how they’re wiped; and
- how customer data is transferred when someone changes roles.
Key Takeaways
- A document retention policy sets out what records you keep, how long you keep them, where they’re stored, and how they’re securely destroyed.
- A clear retention policy helps you comply with UK GDPR and the Data Protection Act 2018 by avoiding keeping personal data longer than necessary.
- Retention isn’t just about compliance - it also helps you prove what happened in disputes, respond to complaints faster, and reduce admin chaos.
- Your policy should include a practical retention schedule and a real-world deletion/destruction process (not just a “nice to have” document).
- Make sure your policy includes a legal hold rule so you don’t delete key documents during disputes or investigations.
- Retention policies work best when they align with your wider business documents and processes (including your Privacy Policy and internal data handling rules).
If you’d like help putting a retention policy in place (or aligning your retention policy with GDPR and your actual business systems), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.