Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Why Records Retention Matters For Small Businesses
- Storing, Securing And Disposing Of Documents Lawfully
- Common Scenarios And FAQs For SMEs
- Can I Keep Everything For Six Years And Call It A Day?
- What About Emails?
- Is It Okay To Scan And Shred Paper?
- How Long Should I Keep Customer Complaints And Refund Records?
- We’re Closing The Business - What Do We Keep?
- What If We’re Investigated Or In A Dispute?
- Do We Need To Tell People Our Retention Periods?
- What About Supplier Access To Our Data?
- Which Internal Documents Help Us Stay Compliant?
- Key Takeaways
If you’re running a small business, you’ll generate a lot of paperwork – invoices, contracts, HR files, safety logs, customer data, and more. The big question is: how long do you have to keep it all in the UK?
The short answer is that different rules apply to different records. Some documents only need to be kept for two years, others for six, and a few should be held for decades. Getting this right protects you against tax audits, employment claims, health and safety investigations, and data protection breaches.
In this guide, we’ll walk through the key UK retention rules (in plain English), show you how to build a simple, compliant retention schedule, and share practical tips for storing and disposing of records safely.
Why Records Retention Matters For Small Businesses
Keeping documents for the right amount of time isn’t just a tidiness exercise. It’s core compliance and risk management.
- Tax and accounting: HMRC can ask to see records going back years, and penalties apply if you can’t produce them.
- Disputes and claims: Contracts and HR records can be critical evidence. If you’ve deleted them too soon, you may struggle to defend a claim.
- Data protection: UK GDPR and the Data Protection Act 2018 require that you don’t keep personal data longer than necessary. Over-retention is a legal risk.
- Operational efficiency: A clear retention schedule stops your systems getting clogged with old files, reducing storage costs and breach exposure.
Set your foundations early – a simple, written retention policy will keep you compliant and save headaches later.
What UK Law Says About How Long To Keep Documents
Below are the core categories most UK small businesses should consider, with typical retention periods and the laws behind them. Where possible, we’ve provided minimum timeframes. Your business may opt to keep some records longer for sound business reasons (for example, to cover the limitation period for contract claims).
1) Financial And Tax Records
General tax and accounting records: Keep for at least 6 years from the end of the accounting period they relate to. This typically covers invoices, receipts, bank statements, ledgers, VAT records and corporation tax workings. HMRC can open enquiries and ask for supporting documentation within this timeframe.
VAT records: Usually 6 years (some schemes require longer). This includes VAT invoices, import/export documents and VAT account calculations.
PAYE and payroll records: Keep for a minimum of 3 years after the end of the tax year they relate to (practically, many businesses align payroll and tax records to 6 years for consistency with other HMRC requirements).
Make sure your invoices contain the legally required information – following UK invoice requirements from day one will make future audits easier.
2) Company And Corporate Records
Statutory company records: Keep registers (members, directors, PSC, charges), minute books and resolutions for the life of the company. Certain historic records should be retained for at least 10 years after they’re superseded or the company is dissolved, and in practice many companies retain them permanently to evidence ownership and decisions.
Accounting records under the Companies Act: Private companies must keep adequate accounting records for at least 3 years, but the tax-driven 6-year period generally prevails in practice.
Board and shareholder decisions: Keep resolutions and minutes with no fixed end-date (retain for the lifetime of the company and, prudently, at least 6–10 years after dissolution where possible).
When you formalise decisions, consider using a clear board resolution process and templates for an ordinary or special resolution, then file and store them in line with your retention policy.
3) Employment Records
Employment files often contain personal and sensitive data, so you need to balance “keep long enough” with “not longer than necessary” under UK GDPR.
- Working Time records (hours, night workers’ assessments): Keep for at least 2 years.
- Statutory Sick Pay (SSP), Statutory Maternity/Paternity/Adoption/Shared Parental Pay: Keep relevant payroll records for at least 3 years after the end of the tax year in which payments were made.
- National Minimum Wage records: Typically keep for 6 years to be safe (the law requires at least 3 years, but HMRC can look back further for underpayments, so many employers standardise on 6).
- Right to Work checks: Keep the copy evidence for the duration of employment and for 2 years after employment ends (Home Office guidance).
- Disciplinary and grievance records: Keep for a reasonable period – often 6 to 12 months after the warning has expired, unless there’s a good reason to retain longer (for example, unresolved litigation).
- General employee records (contracts, training, performance, termination): Keep for 6 years after employment ends (to cover the limitation period for most contractual claims). For potential equal pay claims, consider up to 6 years in England and Wales.
If you’re deciding how long to keep ex-staff files, this practical guide on ex-employee records explains how to align employment law risk and UK GDPR rules.
4) Health And Safety Records
Some H&S records need long retention to cover latent disease claims.
- Accident book and report forms: Keep for at least 3 years (longer for serious incidents and where minors are involved).
- RIDDOR reports: Keep for at least 3 years.
- COSHH (hazardous substances) exposure and health surveillance: Keep for 40 years due to long latency of some conditions.
- Employers’ Liability insurance certificates: Retention isn’t strictly mandated at 40 years anymore, but it’s strongly recommended you keep certificates and related claims records for 40 years to evidence cover if historic disease claims arise.
5) Contracts, Commercial And IP Records
How long to keep contracts is driven by limitation periods for legal claims:
- Simple contracts (most B2B and supplier agreements): Keep for at least 6 years after termination/expiry (Limitation Act – breach of contract claims generally must be brought within 6 years).
- Deeds (e.g. a Deed of Novation or Deed of Settlement): Keep for at least 12 years after termination/expiry (longer limitation period applies).
- Intellectual property registrations and licences: Keep key documents, renewals and evidence of use for the lifetime of the IP and at least 6 years after expiry or assignment.
If you use formal deeds, make sure you’re executing contracts and deeds correctly, and store final signed versions with their schedules, annexes and any variations together.
6) Customer, Marketing And Website Data
Under UK GDPR and the Data Protection Act 2018, you must not keep personal data “for longer than necessary.” There isn’t a fixed number of years - you decide the period based on the purpose, document this in your retention schedule, and then stick to it.
- Customer accounts and support tickets: Keep while needed for the contract and any legal claims (frequently up to 6 years after the relationship ends), then delete or anonymise.
- Marketing lists: Keep until consent is withdrawn or it lapses under legitimate interests balancing; regularly cleanse inactive contacts.
- CCTV/workplace monitoring: Retain for the minimum period needed (often 30–90 days), longer only if needed for an investigation.
Building a clear approach to personal data is essential - pair a GDPR-compliant Privacy Policy with a retention schedule, and ensure your processors are bound by a suitable Data Processing Agreement.
For more help deciding the right timeframes, this guide on how long to keep personal data sets out practical GDPR retention principles.
Building A Simple Records Retention Schedule
You don’t need anything fancy to be compliant - a single, easy-to-read schedule will do the job. Here’s a straightforward way to build yours.
Step 1: Map Your Records
List the types of records you hold across the business. Typical categories include:
- Company records (registers, minutes, resolutions)
- Finance and tax (invoices, bank statements, VAT, payroll)
- Contracts (customer, supplier, NDAs, deeds, variations)
- HR (right to work, payroll, performance, training, health data)
- Health and safety (accident book, RIDDOR, COSHH)
- IP (trade mark registrations, licences, assignments)
- Customer support and account files
- Marketing lists and consent records
- IT logs, CCTV, access control
Step 2: Assign A Lawful Retention Period
For each category, apply the longest applicable minimum period from law or regulation (e.g. 6 years for tax). Where GDPR applies to personal data, add your business-justified period and a review date. A few pointers:
- Align finance-related categories to 6 years to satisfy HMRC.
- Use 6 years post-termination for most contracts; 12 years for deeds.
- Use 2–6 years for HR, with longer holds for health records and claims risk; keep right to work for employment plus 2 years.
- Note the 40-year rule of thumb for COSHH surveillance and historic insurance evidence.
- Set short default periods for CCTV/IT logs unless needed for a specific investigation.
Step 3: Decide Storage Location And Format
Document where each record lives (system, share, folder, or physical archive), the responsible owner (e.g. Finance, HR), and whether it’s paper or digital. If you scan paper documents, keep high-quality, legible copies and ensure they would be accepted as evidence if needed. Many HMRC records can be kept electronically provided they’re accurate, complete and readable.
Step 4: Plan Secure Disposal
Set out how you’ll dispose of each record at the end of its lifecycle:
- Paper: cross-cut shredding or certified confidential waste destruction.
- Digital: secure deletion that removes data from active systems and backups per your IT policy.
- Personal data: consider anonymisation if you still want aggregate insights without identifying individuals.
Step 5: Bake It Into Your Processes
Update your onboarding and offboarding checklists, finance month-end routines, contract management and HR workflows so retention happens automatically. Train staff, and review the schedule annually or when laws change.
If you receive a data request, it’s crucial to pause deletion where relevant so you can respond on time. The rules around Subject Access Request deadlines and potential SAR exemptions are strict, so build a simple procedure for triage and response.
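As an added illustration (not part of the original guide), this small Python model applies Steps 2, 4 and 5 above together with the legal-hold point from the FAQs: each record takes the longest applicable period, a hold pauses destruction, and every disposal is written to an audit log. The category names and year counts are constructed from the figures in this guide, not a statutory table.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed retention rules: category -> whole years after the trigger event,
# using the minimum periods this guide lists (not a statutory table).
RULES = {
    "tax_accounting": 6,      # from end of the accounting period
    "paye_payroll": 3,        # from end of the tax year
    "simple_contract": 6,     # from termination/expiry
    "deed": 12,               # from termination/expiry
    "working_time": 2,
    "coshh_surveillance": 40,
}

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class Record:
    ref: str
    categories: tuple   # a record may fall under several rules
    trigger: date       # event the retention period runs from
    legal_hold: bool = False
    def dispose_after(self) -> date:
        # Step 2: apply the longest applicable minimum period.
        return max(add_years(self.trigger, RULES[c]) for c in self.categories)

@dataclass
class Registry:
    records: list
    audit_log: list = field(default_factory=list)
    def set_hold(self, ref: str, on: bool) -> None:
        # Legal hold: pause destruction while a dispute, investigation or SAR is live.
        for r in self.records:
            if r.ref == ref:
                r.legal_hold = on
    def dispose(self, today: date) -> list:
        """Destroy records past their period and not on hold; log each action (Step 4 audit trail)."""
        done = []
        for r in list(self.records):
            if r.legal_hold or r.dispose_after() > today:
                continue
            self.records.remove(r)
            self.audit_log.append(f"{today.isoformat()} destroyed {r.ref} ({'/'.join(r.categories)})")
            done.append(r.ref)
        return done
```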
Storing, Securing And Disposing Of Documents Lawfully
Good retention depends on good information security. A few practical, GDPR-aligned tips:
- Access control: Restrict HR, payroll and health data to staff who genuinely need it.
- Encryption: Encrypt devices and storage. Use secure portals to share personal or sensitive files.
- Backups: Back up business-critical records, and set retention on backups so deletions propagate after the legitimate hold period.
- Audit trail: Keep a simple log of destruction actions (e.g. certificate from your shredding provider, or an internal deletion record).
- Processor management: If a vendor holds your data, make sure your Data Processing Agreement covers retention, deletion on termination and assistance with data rights requests.
Finally, make sure your external communications (such as your Website Terms and Conditions and Privacy Policy) accurately reflect how long you keep personal data and the rights people have to request deletion.
Common Scenarios And FAQs For SMEs
Can I Keep Everything For Six Years And Call It A Day?
Six years is a sensible default for many business records (tax and most contracts), but it’s not one-size-fits-all. Some records should be kept longer (for example, deeds for 12 years, COSHH surveillance and insurance evidence for 40 years), and some should be kept for shorter periods to comply with UK GDPR (for example, routine CCTV). Build nuance into your schedule rather than relying on a single blanket period.
What About Emails?
Emails are a format, not a category. Apply the same retention logic you would to the underlying content (e.g. a contract negotiation email trail might be kept for 6 years after the contract ends; marketing enquiries for a much shorter period). Use foldering or labels and mailbox policies so emails are archived or deleted automatically once they’re no longer needed.
Is It Okay To Scan And Shred Paper?
Generally yes, provided the scanned copy is a true, legible and complete record, and there’s no law requiring the original paper (rare for most SMEs). Your scanned records should be securely stored, backed up, and retrievable. Keep originals of certain documents where wet-ink is still relevant (for example, some deeds or property registrable documents) – check with a lawyer if in doubt.
How Long Should I Keep Customer Complaints And Refund Records?
Keep them at least as long as your limitation period for contract/consumer disputes (commonly 6 years), and ensure they line up with your obligations under the Consumer Rights Act 2015 (for example, to evidence refunds and repairs). Clear records make resolving issues faster and may limit risk.
We’re Closing The Business - What Do We Keep?
Closing up doesn’t mean you can bin everything immediately. You’ll still need to retain tax, H&S and employee records for the applicable periods. This guide to record-keeping after closing a business sets out what to hold onto, and for how long, even after you’ve ceased trading.
What If We’re Investigated Or In A Dispute?
Pause any scheduled destruction (a “legal hold”) for relevant records. It’s essential not to delete potentially relevant materials once you know (or should know) about a dispute, claim, investigation or subject access request. Resume normal deletion only after the matter ends and you’ve assessed any ongoing retention needs.
Do We Need To Tell People Our Retention Periods?
For personal data, yes - transparency is a GDPR principle. Your Privacy Policy should explain, at least at a high level, how long you keep different categories of personal data (or the criteria you use to decide).
What About Supplier Access To Our Data?
If a supplier processes personal data for you (e.g. payroll provider, CRM, marketing tool), you’re responsible for ensuring they only keep it as long as you instruct. That’s one reason a robust Data Processing Agreement matters - it should cover retention, deletion and return of data.
Which Internal Documents Help Us Stay Compliant?
At a minimum, have a written retention schedule and a short policy your team can follow. Pair it with a clear Website Terms and Conditions and GDPR-ready Privacy Policy. If you share personal data with third parties, add a Data Sharing Agreement where appropriate. And when you’re drafting or signing commercial contracts, be mindful of how long you’ll need to retain them for potential claims (6 or 12 years), and store the signed versions in a central, controlled repository.
Key Takeaways
- There’s no single answer to how long to keep documents in the UK - most tax and accounting records are 6 years, working time records are 2 years, and deeds and certain health records require much longer retention.
- For employment files, aim for 6 years after employment ends (with specific shorter or longer periods for right to work, SSP/SMP and health surveillance). Balance legal risk with GDPR’s “no longer than necessary” rule.
- Keep simple contracts for 6 years after expiry and deeds for 12 years. Store all signed contracts, variations and notices together.
- Personal data retention isn’t one-size-fits-all - document your lawful periods and regularly cleanse marketing lists, IT logs and CCTV.
- Create a brief retention schedule covering what you keep, where it’s kept, who owns it, how long you keep it and how you dispose of it securely.
- Bake retention into everyday processes, hold deletion during investigations or SARs, and keep an audit trail of destruction.
- Support your retention regime with core documents like a GDPR-ready Privacy Policy and appropriate Data Processing Agreements with your vendors.
If you’d like help setting up a tailored retention schedule, drafting a Privacy Policy or reviewing your contracts, our team can help. Reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.