Keeping documents longer than you need to is a GDPR risk. Deleting them too soon can be an employment or tax law problem. For most small businesses, data retention sits in an uncomfortable middle ground — something everyone knows they should have a policy on, but few actually do.
This guide sets out the recommended retention periods for the most common categories of business documents, explains the legal reasoning behind them, and describes how to put a workable retention policy in place.
Why data retention matters under UK GDPR
UK GDPR's storage limitation principle (Article 5(1)(e)) states that personal data must not be kept in a form that identifies individuals for longer than is necessary for the purpose for which it was collected.
In practice, this means:

- you need a defined retention period for each type of personal data you hold;
- that period should be documented (in your RoPA and retention policy);
- when the period expires, the data should be deleted or anonymised; and
- you should be able to demonstrate that you're following your own policy.
There is no single master list of retention periods in UK GDPR — the "necessary" test depends on your purpose and any relevant statutory obligations. The periods below are derived from those statutory obligations and ICO guidance.
HR and employment records
| Document | Minimum retention | Recommended | Notes |
|---|---|---|---|
| Recruitment records (unsuccessful applicants) | — | 6 months | Covers potential discrimination claims |
| Recruitment records (successful applicants) | Employment duration | Duration + 6 years | Merge into employee file |
| Employment contract | Employment duration | Duration + 6 years | Limitation period for contract claims |
| Payroll records | 3 years (HMRC) | 6 years | 6 years covers tax and contract disputes |
| P60 / P45 | 3 years | 6 years | Keep in case of HMRC enquiry |
| Expenses records | 3 years | 6 years | HMRC requirement |
| Disciplinary and grievance records | — | 1–2 years after resolution | Longer for serious matters; review case by case |
| Sickness absence records | — | 3 years | Longer if related to ongoing condition or legal claim |
| Training records | Employment duration | Duration + 6 years | May be relevant to future claims |
| DBS check results | — | Do not retain the certificate | Record that check was done and the outcome only |
| Redundancy records | — | 6 years | |
Financial and accounting records
| Document | Minimum retention | Notes |
|---|---|---|
| Invoices (sales and purchase) | 6 years | HMRC requirement (3 years for sole traders, 6 recommended) |
| Bank statements | 6 years | |
| VAT records | 6 years | HMRC requirement |
| Expense receipts | 6 years | |
| Annual accounts | 6 years (companies) / 5 years (sole traders) | Companies House requirement for limited companies |
| PAYE records | 3 years minimum | 6 years recommended |
| Tax returns | 6 years | 20 years if HMRC suspects deliberate non-compliance |
Contracts and legal documents
| Document | Minimum retention | Notes |
|---|---|---|
| Signed contracts (standard) | Contract duration + 6 years | Limitation period for breach of contract claims |
| Contracts executed as deeds | Contract duration + 12 years | Longer limitation period applies |
| Insurance policies | Policy duration + 3 years minimum | Longer for employer's liability |
| Employer's liability insurance certificates | 40 years | Relates to potential long-latency illness claims |
| Lease agreements | Lease duration + 6 years | |
| Board minutes (limited companies) | 10 years | Companies Act requirement |
Customer and marketing data
| Document | Retention | Notes |
|---|---|---|
| Customer account records | Duration of relationship + 6 years | Covers potential disputes |
| Inactive customer records | Review after 2–3 years of inactivity | Delete or re-obtain consent for marketing |
| Marketing consent records | Until consent withdrawn + reasonable period | Keep evidence of how and when consent was obtained |
| Email marketing unsubscribe records | Indefinitely (suppression list) | You need to know not to contact them |
| Website enquiry forms | 6–12 months if no relationship formed | |
Health and safety records
| Document | Retention | Notes |
|---|---|---|
| Accident book entries | 3 years from date of incident | |
| RIDDOR reports | 3 years | |
| Risk assessments | Duration of relevance + 5 years | |
| Health surveillance records | 40 years | Long-latency occupational health conditions |
A practical note on deletion
Retention periods apply to identified personal data. When a period expires, you should either delete the document or record entirely, or anonymise it — removing all data that could identify the individual.
Be aware that deletion needs to cover all locations: live systems, backup copies, email attachments, and any copies held by processors. A document deleted from your main system but retained in a backup is not compliant deletion.
How to implement a retention policy
Audit what you hold
List the categories of personal data your business holds, where they're stored, and roughly how long you've been keeping them.
Assign retention periods
Using the tables above as a starting point, assign a defined retention period to each category. Document the legal or business basis for each.
Write a short retention policy
One or two pages setting out your categories, periods, and deletion process. The important thing is that it exists and staff know about it.
Schedule regular reviews
Build a recurring calendar reminder — annually works for most businesses — to review what's due for deletion.
Delete systematically
When a retention period expires, delete the data. Document that you did so.
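A worked example of the scheduling and deletion steps, added here and not part of the original guide: a small Python retention checker that encodes a handful of the periods from the tables above as months after a trigger event (employment end, incident date, decision date), flags records that are due for deletion, and writes an audit line for every decision so you can show you acted on the policy. The category names, the Record type, and the legal-hold flag (for records tied to an ongoing claim or HMRC enquiry, which the tables say to keep longer) are my assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention rules in months after the trigger event, from the tables above
# (recommended period where the page gives both). None = keep indefinitely.
RETENTION_MONTHS = {
    "recruitment_unsuccessful": 6,          # 6 months after the decision
    "employment_contract": 6 * 12,          # employment end + 6 years
    "payroll": 6 * 12,                      # 6 years recommended
    "deed": 12 * 12,                        # contract end + 12 years
    "el_insurance_certificate": 40 * 12,    # 40 years
    "accident_book": 3 * 12,                # 3 years from the incident
    "unsubscribe": None,                    # suppression list, never delete
}

@dataclass
class Record:               # assumed shape of one entry in the retention register
    record_id: str
    category: str
    trigger_date: Optional[date]   # event that starts the clock; None = still running
    legal_hold: bool = False       # ongoing claim or enquiry: never auto-delete

def add_months(d: date, months: int) -> date:
    # Calendar-correct month arithmetic (31 Jan + 1 month -> 28/29 Feb).
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def expiry_date(rec: Record) -> Optional[date]:
    months = RETENTION_MONTHS[rec.category]
    if months is None or rec.trigger_date is None:
        return None  # indefinite retention, or the clock has not started yet
    return add_months(rec.trigger_date, months)

def review(records, today: date):
    # Decide one action per record and keep an audit line for each decision.
    actions, audit = {}, []
    for rec in records:
        exp = expiry_date(rec)
        if rec.legal_hold:
            action = "hold"
        elif exp is not None and exp <= today:
            action = "delete"
        else:
            action = "retain"
        actions[rec.record_id] = action
        audit.append(f"{today.isoformat()} {rec.record_id} {rec.category} expiry={exp} action={action}")
    return actions, audit
```

The "delete" action is only a flag for the person or job that carries out the deletion; it still has to reach backups, mailboxes and processor copies, as the deletion note above says.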
How Quantra helps with data retention
Knowing your retention policy and actually acting on it are different problems. The Q-ROT workbench (Retention Obligation Tool) identifies documents that have reached or passed their retention period, flags them for review, and supports the deletion or archiving workflow — with an audit trail showing you acted on your obligations.