What Are the Most Common Mistakes Businesses Make with Document Retention?

The most common document retention mistakes UK businesses make are keeping everything forever, having no written retention schedule, deleting records too early, storing files where no one can find them, and treating retention as an IT problem rather than a legal and operational one. Each of these creates real exposure — to GDPR enforcement, failed audits, lost litigation, and wasted money. Getting retention right is not about hoarding paper or shredding it on a whim; it is about keeping the right records, for the right length of time, in a way you can prove.

Mistake 1: Keeping Everything “Just in Case”

The instinct to keep every document indefinitely feels safe, but under the UK GDPR and the Data Protection Act 2018 it is the opposite. The storage limitation principle requires that personal data is kept no longer than necessary for the purpose it was collected. An office full of decade-old personnel files, expired customer records, and superseded contracts is not prudence — it is a standing breach and a larger attack surface if there is ever a data incident.

It is also expensive. With commercial floor space in the UK commonly costing £30–£80 per square foot per year, dedicating rooms to records that should have been destroyed years ago quietly drains budget that off-site document storage would handle for a fraction of the cost.

Mistake 2: No Written Retention Schedule

Many businesses run on folklore — “we think we have to keep those for seven years.” A defensible programme needs a documented retention schedule that maps each record type to a retention period and a legal basis. UK periods vary widely and are not optional:

  • Statutory payroll and tax records — at least 3 years after the end of the tax year (HMRC), commonly held for 6
  • Company accounting records — 6 years from the end of the financial year under the Companies Act 2006
  • Health and safety / accident records — typically 3 years, longer for incidents involving exposure to hazardous substances
  • Pension and occupational scheme records — often 6+ years, sometimes for the life of the scheme member
  • CCTV and routine personal data — usually days to weeks unless there is a specific reason to keep it

Without this written down, decisions get made inconsistently by whoever is clearing a cupboard that week — exactly the situation regulators and auditors treat as a red flag.

Mistake 3: Destroying Records Too Early

Over-retention gets attention, but premature destruction is just as damaging and harder to recover from. Shredding contracts before the limitation period expires, binning HR files needed for a tribunal, or clearing financial records before HMRC’s window closes can turn a manageable dispute into an indefensible one. If a record that should exist cannot be produced, the adverse inference usually falls on the business that destroyed it.

This is why retention and destruction must be controlled processes. Secure, certificated shredding tied to a retention schedule — not ad hoc clear-outs — gives you a defensible audit trail showing what was destroyed, when, and on what authority.

Mistake 4: Poor Indexing and Retrieval

A retention policy is worthless if you cannot locate the record it protects. Boxes stacked without barcodes, files with no index, and “the archive” being a room nobody has audited in years all lead to the same place: a subject access request or legal hold comes in, the clock starts, and the team cannot find the documents in time.

Under UK GDPR you generally have one calendar month to respond to a data subject access request. Missing that because files are untracked is a process failure, not bad luck. Barcoded box and file-level tracking, or digitising high-demand records through document scanning, turns retrieval from a panic into a lookup.

Mistake 5: Treating Retention as Someone Else’s Job

Retention fails when it has no owner. It is often assumed to be IT’s responsibility, but IT controls systems, not legal retention periods or the paper archive in the basement. Effective programmes assign a named owner — frequently within compliance, legal, or operations — who maintains the schedule, signs off destruction, and reviews the policy at least annually as legislation changes.

The Information Commissioner’s Office expects organisations to demonstrate accountability, and fines for serious data protection failures can reach up to £17.5m or 4% of global annual turnover. A retention programme with a clear owner is one of the cheapest forms of insurance against that exposure.

How to Avoid These Mistakes

  • Build a written retention schedule mapping every record type to a period and legal basis
  • Review it annually and whenever relevant law changes
  • Separate “keep”, “review”, and “destroy” so nothing is decided by accident
  • Use barcoded tracking or scanning so any record can be produced on demand
  • Destroy only through secure, certificated shredding with a documented trail
  • Give one person clear ownership of the whole programme

Done well, document retention stops being a liability sitting in storerooms and becomes a controlled, provable process. For more practical guidance, see the rest of our resources.
