Our Recycling Impact Since 2016

Click to see our real-time impact

5.0(138+ reviews)
01935 310616
Portal
Compliance Guide

How Long to Keep Business Records in the UK: A Complete Guide

Cross Cut Shredding
17 February 2026
7 min read

Understanding how long to keep business records in the UK is essential for legal compliance, protecting your organisation from regulatory penalties, and maintaining efficient document management practices. With stricter GDPR enforcement and evolving data protection obligations, businesses across Somerset, Dorset, Devon and Wiltshire must navigate complex retention requirements whilst ensuring confidential waste is disposed of securely.

This comprehensive guide covers UK document retention periods across all business sectors, helping you determine what to keep, what to shred, and when.

Why Document Retention Matters

The UK's regulatory landscape requires businesses to retain specific records for defined periods. Failure to comply can result in:

  • ICO fines for GDPR breaches (which doubled in the first half of 2025 compared to all of 2024)
  • HMRC penalties for inadequate tax records
  • Legal complications when documents needed for disputes are unavailable
  • Increased storage costs from keeping documents longer than necessary
  • Data breach risks — 40% of data breaches involve paper documents

GDPR Article 5 establishes that personal data must not be kept longer than necessary. This means businesses have both a minimum retention obligation (to comply with sector-specific regulations) and a maximum retention obligation (to comply with data protection law).

General Business Records Retention Periods

Most UK businesses must follow these baseline retention periods:

Tax and Financial Records

HMRC requires businesses to keep records for specific periods after the relevant tax year:

  • Corporation Tax records: 6 years from the end of the accounting period
  • VAT records: 6 years from the end of the VAT period
  • PAYE and payroll records: 3 years from the end of the tax year
  • Self-assessment records: 5 years from the 31 January submission deadline
  • Invoices and receipts: 6 years minimum
  • Annual accounts and audit reports: 6 years (private companies), 10 years (public companies)

Employment Records

Under employment law and GDPR, retention periods vary by document type:

  • Payroll and wage records: 6 years after the end of the tax year
  • Recruitment records (unsuccessful candidates): 6-12 months
  • Employment contracts: 6 years after employment ends
  • Timesheets and working time records: 2 years
  • Accident books and records: 3 years from the date of last entry
  • Redundancy records: 6 years from redundancy date
  • Maternity/paternity records: 3 years after the end of the tax year
  • Disciplinary and grievance records: 6 years after case closure

Company Administration

  • Insurance policies: Permanently (or 6 years after expiry for non-relevant policies)
  • Contracts and agreements: 6 years after expiry
  • Company formation documents: Permanently
  • Board meeting minutes: 10 years minimum (permanently recommended)
  • Correspondence: 2 years (unless related to contracts or legal matters)

Sector-Specific Retention Requirements

Different industries face additional obligations when determining how long to keep business records in the UK.

Healthcare Sector

GP practices, clinics, and healthcare providers must follow NHS Records Management Code of Practice guidance:

  • Adult medical records: 8 years after last attendance
  • Children's medical records: Until 25th birthday, or 26th if young person was 17 at conclusion of treatment
  • Maternity records: 25 years
  • Mental health records: 20 years after last contact, or 8 years after death
  • Prescription records: 2 years
  • Patient consent forms: 30 years for adults, until 25th birthday for children

Healthcare organisations handling sensitive personal data must ensure secure destruction through BS EN 15713-compliant shredding services when retention periods expire.

Legal Sector

Solicitors and legal firms have strict retention obligations under SRA guidance:

  • Client files (civil matters): 6 years after matter concludes
  • Client files (criminal matters): 6 years after matter concludes (indefinitely for serious cases)
  • Wills and probate: 15 years minimum (permanently for executed wills)
  • Property transaction files: 15 years
  • Trust documents: 12 years after trust ends
  • Accounting records: 6 years
  • Client identification documents: 5 years after relationship ends

Legal professionals often require on-site shredding services to maintain chain of custody and client confidentiality during document destruction.

Education Sector

Schools, colleges and universities must comply with GDPR alongside sector-specific guidance:

  • Pupil records: Until the pupil reaches 25 years
  • Examination records: 6 years
  • Special educational needs (SEN) records: Until pupil reaches 25 years, then review
  • Child protection records: Until pupil reaches 25 years (DOB + 25 years), then review
  • Accident reports: DOB + 25 years
  • Staff employment records: 6 years after employment ends
  • Exclusion records: Permanent (part of pupil file)

Educational institutions handling safeguarding records require secure, certified destruction with full audit trails when documents reach the end of their retention period.

Financial Services

FCA-regulated firms face comprehensive record-keeping requirements:

  • Client agreements: 5 years from end of relationship
  • Financial promotions: 5 years from communication date
  • Transaction records: 5 years (7 years for MiFID records)
  • Complaints records: 5 years from complaint resolution
  • Suitability records: Indefinitely
  • Anti-money laundering records: 5 years after relationship ends

The Secure Destruction Obligation

Knowing how long to keep business records in the UK is only half the compliance picture. Once retention periods expire, GDPR Article 17 requires you to delete or destroy personal data securely.

Simply binning expired documents isn't compliant. Understanding how to dispose of confidential documents properly is essential. Businesses must:

  1. Use certified destruction methods: Cross-cut shredding to DIN 66399 P-4 security level or higher
  2. Obtain destruction certificates: Proof of compliant disposal for audit trails
  3. Maintain chain of custody: Especially for sensitive documents
  4. Document destruction schedules: Record what was destroyed and when

Cross Cut Shredding provides transparent, compliant destruction services with certificates of destruction issued for every job, whether you choose business collection, drop-in service, or domestic shredding for home office records.

Best Practice: Creating a Document Retention Schedule

Rather than managing retention on an ad-hoc basis, create a formal retention schedule:

  1. Audit existing documents: Identify what you hold and why
  2. Map retention requirements: Apply statutory periods to each document type
  3. Implement classification systems: Label documents with destruction dates
  4. Schedule regular reviews: Quarterly or annually, depending on volume
  5. Arrange secure destruction: Partner with a BS EN 15713-compliant provider

A systematic approach reduces storage costs, minimises data breach risks, and demonstrates compliance during ICO or industry regulator audits. If you're concerned about costs for ongoing shredding services, understanding typical document shredding service cost can help you budget appropriately for compliant disposal.

What Happens If You Don't Comply?

Keeping records too short: HMRC can impose penalties if you cannot produce required records during investigations. Employment tribunals may draw adverse inferences if you've destroyed relevant documents prematurely.

Keeping records too long: ICO can issue fines up to £17.5 million or 4% of global turnover for GDPR breaches involving excessive data retention. Even without formal penalties, data breaches involving outdated records damage reputation and customer trust.

The principle is clear: keep what you must, destroy what you shouldn't. Understanding the GDPR document destruction requirements ensures you meet both minimum retention obligations and maximum data protection standards.

Conclusion: Compliance Made Simple

Understanding how long to keep business records in the UK protects your organisation legally, financially and reputationally. Whether you're a Somerset-based SME, a Dorset healthcare practice, a Devon law firm or a Wiltshire school, applying correct retention periods and secure destruction practices is non-negotiable.

Cross Cut Shredding helps businesses across South West England maintain compliant document lifecycles. Our BS EN 15713-certified services provide secure destruction with full audit trails, and our drop-in facility in Yeovil lets you watch your confidential documents destroyed immediately.

Need to dispose of expired business records securely? View our transparent pricing or contact Cross Cut Shredding today for compliant, certificated destruction services throughout Somerset, Dorset, Devon and Wiltshire.

Check If We Collect In Your Area

Enter your postcode to see our services available near you

Covering Somerset, Dorset and into Devon & Wiltshire

Back to Blog