How Long Must Self-Employed People Keep Records in the UK?

If you’re running a small business, keeping good records isn’t just a nice‑to‑have - it’s a legal requirement and your best defence if HMRC ever asks questions.

But exactly how long do self‑employed people need to keep records? And what if you’re trading through a limited company, VAT‑registered, hiring staff, or holding customer data under GDPR?

In this guide, we’ll break down the record‑keeping timeframes under UK law, explain where longer retention makes sense, and share practical steps so you’re protected from day one.

What Counts As “Records” For Self‑Employed And Small Companies?

“Records” cover anything that proves your business income, expenses, assets, liabilities and compliance. Depending on how you operate, this typically includes:

• Sales records (till reports, order confirmations, bank credits, marketplace payouts, card receipts)
• Purchases and expenses (supplier invoices, receipts, mileage logs, subsistence, home‑office apportionments)
• Bank statements and loan or finance agreements
• Cash books and petty cash records
• Asset records (purchases, disposals, depreciation schedules)
• Payroll, pension and contractor payment records (including CIS where applicable)
• VAT records (returns, digital links under MTD, import/export documents, VAT invoices)
• Company accounting records (ledgers, journals, trial balances, year‑end files)
• Contracts and legal documents (customer/supplier agreements, leases, guarantees, deeds)
• Insurance policies and claims correspondence
• Policies and procedures (for example, a Privacy Policy if you collect personal data)

For invoicing, make sure your documents include the legally required details - this helps with compliance and speeds up payments. If you’re not sure what to include, check the essentials in UK invoice requirements.

How Long Do Self‑Employed Need To Keep Records?

Here are the core UK retention rules small business owners ask us about most often. The timelines differ slightly depending on your registration and the type of record.

Sole Traders And Partnerships (Self‑Assessment)

If you file a Self Assessment tax return (sole trader or partnership), you must keep your business records for at least 5 years after the 31 January submission deadline of the relevant tax year.

Example: for the 2023/24 tax year (return due by 31 January 2025), keep records until at least 31 January 2030.

This minimum exists so HMRC can review your return if needed. If you file late or there’s an enquiry, you’ll need records for longer.

Limited Companies (Corporation Tax And Companies Act)

Private limited companies must keep their accounting records for at least 6 years from the end of the last company financial year they relate to. In practice, companies often keep many core records for 6 years as a baseline (and certain records longer - see “Should You Keep Records Longer?” below).

Companies must also maintain statutory registers (for example, register of members and share certificates). If you’re tightening up your company secretarial processes, it’s worth reviewing what to keep under share certificates and member registers.

VAT‑Registered Businesses

VAT records must be kept for at least 6 years. This includes VAT invoices, credit notes, import/export evidence, and the digital records and “digital links” required under Making Tax Digital (MTD). Some businesses keep certain VAT and customs records for up to 10 years where international trade or special schemes apply.

While we’re talking tax, keeping up with VAT rules and rates can save headaches - here’s a refresher on how much VAT is in the UK and when the rates apply.

Payroll, Pensions And CIS

• PAYE and payroll records are generally kept for 3 years from the end of the tax year they relate to (many employers keep 6 years to mirror the general limitation period).
• Auto‑enrolment pension records are generally kept for at least 6 years (some items like opt‑out notices 4 years).
• CIS (Construction Industry Scheme) records must be kept for at least 3 years.

If you’ve had staff leave, be mindful that employment and HR records also sit under GDPR and wider limitation periods. For practical retention guidance, see how long to keep ex‑employee records.

Customer Contracts, Supplier Agreements And Other Legal Documents

Tax rules aren’t the only consideration. Under the Limitation Act 1980, claims under “simple contracts” generally have a 6‑year limit, and claims under deeds can run for up to 12 years. It’s standard practice to keep commercial contracts and related correspondence for at least 6 years after the contract ends - and 12 years for deeds and guarantees.

If HMRC Enquires Or You File Late

HMRC can look back longer than the basic minimums in some situations. As a rough guide:

• Up to 4 years for most corrections
• Up to 6 years for “careless” errors
• Up to 20 years for deliberate behaviour

So while the statutory minimums apply, many businesses adopt a cautious retention schedule (see below) to reduce risk.

Do GDPR And Privacy Laws Affect How Long You Keep Records?

Yes. If your records include personal data (which they often do - think customer details, emails, employee information), the UK GDPR and Data Protection Act 2018 require you to keep personal data “no longer than necessary” for the purposes you collected it.

In practice, that means:

• Define a retention schedule that sets specific periods for each category of personal data.
• Delete or anonymise data once you no longer need it for your original purpose or legal obligations.
• Be ready to respond to data subject rights (access, erasure, restriction) within legal timeframes.

For a step‑by‑step view of typical timelines and how to document them, see how long you should keep personal data. It’s also useful to have a clear Privacy Policy explaining your collection, use and retention - this sets expectations and supports compliance.

You’ll also need a reliable process for responding to requests about personal data. If you process Subject Access Requests, it’s worth tightening your wording and workflow with a solid SAR template (and keeping an eye on the 1‑month response deadline).

Finally, remember that GDPR doesn’t trump tax law. If HMRC requires you to keep certain records for 5 or 6 years, you should retain the minimum legally required - but restrict access, minimise the dataset and delete once you can. If you’re unsure whether you can delete something, the practical guide to GDPR data deletion helps you weigh legal obligations against data minimisation.

Should You Keep Records Longer Than The Minimum?

Often, yes. While you shouldn’t hoard personal data without a purpose, certain business records are worth keeping for longer, either because the law allows claims many years later or because they help you defend your position if something goes wrong.

When 6 Years Makes Sense

As a rule of thumb, 6 years is a sensible baseline for many commercial documents, aligning with the limitation period for most contract claims. Consider keeping for 6 years after the end of the relevant relationship or event:

• Customer and supplier contracts and related correspondence (including variations and renewals)
• Key business communications about pricing, deliverables or disputes
• Insurance policies and correspondence (claims can be notified years later)
• Leases and licences (plus dilapidations and exit documents)
• Company accounting records, Board papers and approvals related to major transactions

When 12 Years Is Safer

If a document is executed as a deed (for example, certain property documents, guarantees, indemnities), keep it for at least 12 years after it ends. Claims under deeds can run for longer, and you don’t want to be caught without the paperwork.

Industry‑Specific Or Risk‑Based Retention

Some sectors or activities justify even longer retention. Examples include health and safety exposure records, product liability documentation, warranties that extend beyond 6 years, or long‑tail professional indemnity cover. If your risk profile is higher or you ship products with extended guarantees, a longer retention policy is a wise investment.

Whatever schedule you choose, document it. The most defensible approach is a written retention policy that balances legal minimums, limitation periods, operational needs and GDPR’s “no longer than necessary” principle.

What Format Is Acceptable? Paper, Digital And MTD Compliance

HMRC accepts digital records, and for VAT‑registered businesses, digital record‑keeping is mandatory under Making Tax Digital. Paper is still acceptable for some records, but digital has clear advantages (searchability, backups, audit trails).

To stay compliant and practical:

• Use accounting software that keeps a clear audit trail of edits and has robust backups.
• Scan receipts and invoices promptly; ensure scans are legible and complete.
• Retain original VAT invoices (digital is fine) and preserve digital links required by MTD.
• Control access - only those who need the records should be able to see them.
• Encrypt devices and cloud storage, and implement two‑factor authentication.

If you issue or chase invoices, make sure the documents are compliant and your chasing process aligns with the law - the overview of UK invoice law is a handy reference.

A Practical Retention Schedule For Small Businesses

Every business is different, but the framework below works well for many SMEs. Tailor it to your structure, tax registrations and risk profile.

Core Finance And Tax

• Sole traders/partnerships: 5 years after the 31 January filing deadline for the relevant tax year (keep longer if late or under enquiry).
• Companies: accounting records 6 years from the end of the last financial year they relate to.
• VAT: at least 6 years (longer for certain international trade/schemes).
• PAYE/CIS: at least 3 years (many keep 6 to align with limitation periods).

Commercial And Legal

• Contracts under hand: 6 years after contract end.
• Deeds, guarantees and indemnities: 12 years after document end.
• Leases and property licences: 6 years after expiry (12 if executed as a deed).
• Insurance policies and claims: 6 years after policy end (longer if claims are ongoing).

People And GDPR

• Employee records: follow statutory minimums and GDPR; most core HR files are kept up to 6 years after employment ends (check specific rules for payroll, pensions, H&S). For practical guidance, see keeping ex‑employee records.
• Customer and marketing data: define “no longer than necessary” periods in your retention schedule and Privacy Policy. Remove or anonymise when no longer needed.
• Subject Access Requests: maintain request logs, response letters and decisions for an appropriate period to evidence compliance (for templates, see SAR templates).

Company Secretarial

• Statutory registers (members, directors, PSCs): retain for the life of the company and as otherwise required.
• Share certificates and transfer forms: keep permanently in practice; they prove ownership - the guidance on share certificates and member registers explains what to file and keep.

When You Close Or Sell The Business

If you stop trading, you still need to keep your records for the legally required periods (and longer where claims or warranties could arise). There are specific steps for handing over or safeguarding data when you exit - the checklist for record‑keeping after closing a business is a useful place to start.

Common Questions About Record‑Keeping Timeframes

Can I Just Keep Everything Forever To Be Safe?

Not when it includes personal data. GDPR requires you to delete or anonymise personal information when you no longer need it. Blanket “keep forever” approaches breach data minimisation principles. The right approach is a documented retention schedule, with justified retention periods and routine deletion cycles.

What Happens If I Don’t Have The Records HMRC Asks For?

You could face estimated assessments, penalties and interest. More importantly, you lose the ability to prove a deductible expense, claim reliefs or show that VAT was correctly accounted for. Good record‑keeping is cheaper than an enquiry.

Do Scanned Copies Count?

Generally, yes - HMRC accepts scanned and digital records provided they’re accurate, readable and capture all required information. For VAT, ensure your digital records and “digital links” meet MTD requirements. Keep backups, and ensure your software logs edits.

We Use Lots Of Messaging And Cloud Tools - Do Those Chats Count As Records?

If business decisions, pricing or changes to deliverables are agreed in writing (even by email or chats), they can become evidence in a dispute or enquiry. Decide what needs capturing in your official system (for example, confirm variations by issuing a formal change order) and apply your retention policy consistently.

What If A Customer Asks Me To Delete Their Data But I Need It For Tax?

You can refuse a deletion request where you need the data to comply with a legal obligation, such as HMRC retention rules. Keep only the minimum you need, restrict access, and delete as soon as the legal period ends. The principles in GDPR data deletion explain how to handle these conflicts.

How To Put A Simple Retention Policy In Place

A straightforward retention policy doesn’t need to be complicated. Aim for clarity and consistency.

1. Map Your Records. List the categories you hold: finance/tax, VAT, payroll, HR, contracts, property, insurance, marketing and customer data, company secretarial, and any industry‑specific records.
2. Set Timeframes. Apply the legal minimums (5 years post‑deadline for sole traders; 6 years for companies and VAT). Layer in 6‑year limitation periods for contracts and 12 years for deeds/guarantees. For personal data, define purpose‑based retention that is “no longer than necessary.”
3. Define Formats. Confirm whether you’ll keep digital, paper or both. Ensure scanned copies are legible, indexed and backed up.
4. Create A Deletion Routine. Schedule monthly or quarterly reviews to archive and delete expired records. Anonymise where you still need high‑level analytics but not identifiable data.
5. Assign Owners. Make someone responsible for finance records, someone for HR, someone for sales/marketing data, etc. Accountability prevents drift.
6. Document And Train. Write it down, keep it accessible, and train your team. Your policy should align with your Privacy Policy and internal procedures.
7. Be Ready For Requests. Keep a playbook for audits, HMRC enquiries, and data rights requests. Templates like a robust Subject Access Request template save time when the clock is ticking.

If anything here feels overwhelming, don’t stress - a short call with a legal expert can help you calibrate the right timeframes and documents for your business model.

Key Takeaways

• Sole traders and partnerships must keep business records for at least 5 years after the Self Assessment filing deadline for the relevant tax year.
• Limited companies should keep accounting records for at least 6 years from the end of the last financial year they relate to; VAT records must also be kept for at least 6 years.
• Commercial documents are often worth keeping for 6 years (simple contracts) or 12 years (deeds/guarantees) to cover limitation periods.
• GDPR requires you to keep personal data no longer than necessary - define a written retention schedule and align it with your Privacy Policy.
• Digital records are acceptable (and mandatory for VAT under MTD) if they’re accurate, readable and backed up, with clear audit trails.
• If you close the business, you still need to retain records for the required periods; follow the steps in record‑keeping after closing a business.
• Putting a simple retention policy in place now will protect you in audits, disputes and data‑rights requests - and save time later.

If you’d like help setting a compliant retention schedule or tightening your business legals, reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.