
Why businesses should regularly review which documents they keep
Ask most business owners what their document retention policy is and you will get one of three answers. A confident but vague reference to “seven years” (it is usually six, and it depends on the record type). A genuine shrug. Or a detailed answer about what they must keep, paired with complete silence on what they are actually allowed to get rid of.
That last gap is where the problems tend to accumulate. Keeping everything indefinitely feels like the cautious option. It is not. It creates a larger and more exposed data footprint, a more expensive and time-consuming litigation disclosure exercise, and a growing stock of information with an increasingly questionable legal basis for keeping it. The ICO is clear on this point: personal data held beyond its necessary period is not just unnecessary — it is non-compliant.
There is no single retention period
This is the first thing worth understanding. GOV.UK guidance on company records sets six years for company tax records from the end of the relevant financial year, and HMRC sets the same for VAT records. PAYE and payroll records must be kept for three years from the end of the relevant tax year. National Minimum Wage records now require six years. Right-to-work copies must be held for the duration of employment and two years after, then securely destroyed. Copies of members’ resolutions and general meeting minutes must be kept for ten years under the Companies Act 2006.
Companies House sits slightly separately. Private companies must keep accounting records for three years from the date they were made; public companies for six. That already creates a conflict with the HMRC six-year rule depending on which obligation you are trying to satisfy. Apply a single blanket period to everything and you will almost certainly either destroy records you were required to keep or retain material you were entitled to dispose of years ago.
The rules also change. From 18 November 2025, under the Economic Crime and Corporate Transparency Act 2023, companies are no longer required to maintain internal registers of directors, directors’ residential addresses, secretaries or persons with significant control. That information still needs to be registered and kept current at Companies House, and the register of members remains a requirement. A retention policy written three years ago and never revisited may simply be wrong.
Civil litigation adds another layer on top. The Limitation Act 1980 sets six years for simple contract claims and twelve years for deeds, with a fifteen-year longstop under section 14B for certain negligence claims. Statutory minimums from HMRC or Companies House do not account for these. Sector requirements, insurance expectations and the possibility of litigation all need to sit alongside the regulatory baseline, not replace it.
Why over-retention is a problem
The ICO’s storage limitation principle under UK GDPR is not optional or advisory. Personal data must be kept only for as long as it is needed for the purpose it was collected. Retaining it beyond that is a breach of the principle, and the ICO expects organisations to have documented retention periods rather than an unexamined policy of keeping everything.
The practical consequences of over-retention are also significant. More data held unnecessarily means a larger volume that can be lost, accessed without authority or exposed in a breach. The ICO points out that keeping only necessary data means less to protect and cheaper protection of what genuinely matters.
In litigation, the problem is even more direct. Civil procedure rules require parties to preserve disclosable documents once litigation is contemplated, including documents that would otherwise have been destroyed under a standard retention policy. A business that has accumulated years of records with no review faces a disclosure exercise that is vastly larger and more expensive than it needed to be. Disciplined retention does not undermine evidence preservation. It makes it more targeted.
For businesses with any EU-facing activity — offering services to people in the EEA, operating there or monitoring behaviour there — EU GDPR applies alongside the UK regime. The European Data Protection Board’s SME guidance requires personal data to be deleted or anonymised once it is no longer needed for the purpose it was processed. The obligation is essentially identical, and a retention schedule that satisfies one will generally satisfy the other.
Standard retention periods at a glance
The table below covers the most common statutory periods for ordinary commercial records. Sector-specific obligations may differ and this is not a substitute for legal advice.
| Record type | Minimum retention period | Primary source |
|---|---|---|
| Company tax records | 6 years from end of relevant financial year | HMRC |
| VAT records | 6 years | HMRC VAT Notice 700/21 |
| PAYE and payroll records | 3 years from end of relevant tax year | HMRC |
| National Minimum Wage records | 6 years | BEIS / HMRC |
| Right-to-work copies | Duration of employment plus 2 years | Immigration (Restrictions on Employment) Order 2007 |
| Members’ resolutions and general meeting minutes | 10 years | Companies Act 2006, s.355 |
| Accounting records (private companies) | 3 years from date made | Companies Act 2006, s.388 |
| Accounting records (public companies) | 6 years from date made | Companies Act 2006, s.389 |
| Simple contract claims (limitation period) | 6 years | Limitation Act 1980 |
| Deed-based claims (limitation period) | 12 years | Limitation Act 1980 |
Secure destruction is part of the process, not an afterthought
Identifying records that have passed their retention period is useful. What happens next matters just as much.
The ICO’s security guidance makes clear that physical and organisational controls apply throughout the life of a record, including the end of it. Documents awaiting destruction must be stored in a locked area, not left in an open office environment or a general waste bag. The ICO is explicit that cross-cut or micro-cut shredding is an accepted and practical disposal method for paper records, whether carried out in-house or by a specialist provider.
If a third party handles the destruction, the ICO expects a written contract and evidence that disposal took place. A certificate of destruction is the standard form of that evidence: it records the collection date, shredding date, weight of material processed, security level achieved and a destruction reference number.
For businesses that review their records on a regular basis, a scheduled shredding service removes the need to manage confidential waste disposal ad hoc. Collections happen at agreed intervals and the certificate follows each one. For businesses that have not reviewed an archive for some time and need a larger clearout, one-off document destruction can handle a significant volume without requiring an ongoing contract.
Shredsec provides both. Our off-site shredding service collects material in locked, GPS-tracked vehicles and processes everything within 24 hours. Where a team prefers to see destruction happen, our on-site shredding service brings a mobile truck to the premises. Both operate to DIN Level 3 cross-cut standard. Our guide to shredding security levels sets out what that means and when a higher classification might be appropriate.
A word on digital records: the ICO warns that deleted data can persist in recycle bins, backups and archived storage. A retention review that covers filing cabinets but ignores shared drives, email archives and decommissioned laptops is incomplete. Paper and digital need to be reviewed together.
Building a retention policy that actually works
The goal is a written schedule, not a single rule applied to everything. The schedule should identify each record category, the purpose for which it is held, whether it contains personal data, the source of the retention period, the trigger date for starting the clock, where the record is stored, who owns it and what happens when it reaches the end of its life.
Ownership matters. The ICO’s accountability guidance says responsibility for information governance should sit at board level, with clear reporting lines. In practice, the board approves the policy; compliance, legal or the DPO maintains the schedule; finance and HR validate the periods that apply in their areas; IT controls storage, backups and digital deletion; and whoever manages physical records handles archive retrieval, confidential waste bins and destruction logs.
Review should be both regular and triggered by events. A formal look at the schedule once a year is a sensible baseline. But it should also happen after a regulatory change, a system migration, a merger, an office move or the arrival of a litigation threat. And every policy needs a mechanism for pausing disposal when a legal hold is in place. When that hold lifts, destruction should be scheduled and evidenced — not left to whoever happens to notice.
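The schedule, trigger dates and legal-hold pause described above can be turned into something a business can actually run against its record inventory. The following Python script is an added illustration, not code from this article or from Shredsec: it encodes the minimum periods from the table on this page, computes the disposal date from a trigger date, and refuses to mark anything for destruction while a legal hold is set. The trigger conventions are assumptions for the example (a 31 March company year end, the 5 April tax year end, and the clock for right-to-work copies starting when employment ends), the sample records are constructed, and civil limitation periods and sector rules are deliberately not modelled.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Trigger(Enum):
    DATE_MADE = "date_made"                    # clock starts on the record's own date
    END_OF_TAX_YEAR = "end_of_tax_year"        # clock starts on the next 5 April (assumption)
    END_OF_FINANCIAL_YEAR = "end_of_fin_year"  # clock starts on the next 31 March (assumed year end)
    EMPLOYMENT_END = "employment_end"          # clock starts when employment ends


@dataclass(frozen=True)
class RetentionRule:
    category: str
    years: int
    trigger: Trigger
    source: str
    personal_data: bool


# Minimum periods quoted in this article's table; the trigger mapping is an assumption.
SCHEDULE = {
    "company_tax": RetentionRule("Company tax records", 6, Trigger.END_OF_FINANCIAL_YEAR, "HMRC", False),
    "vat": RetentionRule("VAT records", 6, Trigger.DATE_MADE, "HMRC VAT Notice 700/21", False),
    "payroll": RetentionRule("PAYE and payroll records", 3, Trigger.END_OF_TAX_YEAR, "HMRC", True),
    "nmw": RetentionRule("National Minimum Wage records", 6, Trigger.DATE_MADE, "BEIS / HMRC", True),
    "right_to_work": RetentionRule("Right-to-work copies", 2, Trigger.EMPLOYMENT_END,
                                   "Immigration (Restrictions on Employment) Order 2007", True),
    "minutes": RetentionRule("Members' resolutions and meeting minutes", 10, Trigger.DATE_MADE,
                             "Companies Act 2006, s.355", False),
    "accounts_private": RetentionRule("Accounting records (private company)", 3, Trigger.DATE_MADE,
                                      "Companies Act 2006, s.388", False),
}


class Action(Enum):
    RETAIN = "retain"    # still inside the retention period, or clock not yet started
    HOLD = "hold"        # past the period, but a legal hold pauses disposal
    DESTROY = "destroy"  # eligible for secure destruction; log the certificate afterwards


@dataclass
class Record:
    record_id: str
    category: str
    record_date: date
    employment_end: Optional[date] = None  # only used for right_to_work
    legal_hold: bool = False


def add_years(d: date, n: int) -> date:
    """Add n years, clamping 29 February to 28 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def _year_end_on_or_after(d: date, month: int, day: int) -> date:
    candidate = date(d.year, month, day)
    return candidate if d <= candidate else date(d.year + 1, month, day)


def trigger_date(rule: RetentionRule, rec: Record) -> Optional[date]:
    """Date the retention clock starts; None means it has not started yet."""
    if rule.trigger is Trigger.DATE_MADE:
        return rec.record_date
    if rule.trigger is Trigger.END_OF_TAX_YEAR:
        return _year_end_on_or_after(rec.record_date, 4, 5)
    if rule.trigger is Trigger.END_OF_FINANCIAL_YEAR:
        return _year_end_on_or_after(rec.record_date, 3, 31)
    return rec.employment_end  # EMPLOYMENT_END: None while still employed


def evaluate(rec: Record, today: date) -> tuple[Action, Optional[date]]:
    rule = SCHEDULE[rec.category]
    start = trigger_date(rule, rec)
    if start is None:
        return Action.RETAIN, None
    end = add_years(start, rule.years)
    if today <= end:
        return Action.RETAIN, end
    if rec.legal_hold:           # never destroy while a hold is in place
        return Action.HOLD, end
    return Action.DESTROY, end


def run_review(records: list[Record], today: date) -> dict[str, tuple[str, Optional[str]]]:
    """Map each record id to (action, retention end as ISO date or None)."""
    out = {}
    for rec in records:
        action, end = evaluate(rec, today)
        out[rec.record_id] = (action.value, end.isoformat() if end else None)
    return out


# Constructed sample inventory for the worked run.
SAMPLE_RECORDS = [
    Record("PAY-2021", "payroll", date(2021, 6, 30)),
    Record("PAY-2023", "payroll", date(2023, 2, 10)),
    Record("RTW-EMP", "right_to_work", date(2019, 1, 1)),                       # still employed
    Record("RTW-LEFT", "right_to_work", date(2018, 5, 1), date(2023, 9, 30), legal_hold=True),
    Record("MIN-2015", "minutes", date(2015, 3, 1)),
    Record("CT-2022", "company_tax", date(2022, 11, 15)),
    Record("ACC-LEAP", "accounts_private", date(2020, 2, 29)),
]

if __name__ == "__main__":
    for rid, (action, end) in run_review(SAMPLE_RECORDS, date(2026, 1, 15)).items():
        print(f"{rid:10} {action:8} retention ends {end}")
```

Run as a script to see the review for a nominal review date; in practice the inventory would come from the schedule spreadsheet or records system, and every DESTROY result should be matched to a certificate of destruction once disposal has happened.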
A practical review checklist
| Checklist item | Suggested owner |
|---|---|
| Have we listed every major record category, paper archive, email store, shared drive and third-party repository holding business records or personal data? | Department owners with IT and compliance |
| Does each category have a defined retention period, legal or business rationale, trigger date and disposal method? | Compliance, legal or DPO where applicable |
| Have we identified exceptions for tax, payroll, minimum wage, right-to-work records, company law obligations, limitation periods and litigation holds? | Compliance or legal with finance and HR |
| Are secure storage, access controls, confidential waste arrangements and destruction evidence documented for both paper and digital records? | IT, information security and facilities |
| Do we carry out at least an annual formal review and retain destruction logs or certificates where applicable? | Board sponsor plus compliance lead |
If your archive has not been reviewed recently
Records that have passed their retention period are not assets. They are a liability — and a growing one. A review exercise that identifies what can legitimately be destroyed now will reduce your exposure, simplify any future disclosure process and cut the cost of protecting information that serves no further purpose.
Shredsec provides confidential waste disposal for businesses across London, East Anglia and the East Midlands. Whether you need a one-off clearout or a regular collection service, we issue a certificate of destruction for every job and there is no minimum volume. Get in touch to discuss what you need.
This article is general information and is not legal advice. Retention obligations vary by sector and individual circumstances. Please seek specific legal or compliance advice where relevant.
Contact Shredsec to discuss your shredding requirements.