Backup Retention Policies: How Long to Keep Your Data

Every UK business that takes backup seriously eventually confronts the same question: how long should we keep our backups? The answer is rarely simple. Keep data too long and you accumulate vast storage costs, GDPR complications, and an ever-growing attack surface. Delete data too soon and you may find yourself unable to recover from a slow-burning ransomware infection, respond to a legal discovery request, or meet regulatory retention requirements.

A backup retention policy defines how long different types of backup data are stored before being deleted or overwritten. It is not a one-size-fits-all setting — different data types, regulatory requirements, and business needs demand different retention periods. A well-designed retention policy balances legal obligations, business requirements, storage costs, and data protection principles to keep the right data for the right amount of time.

This guide explains how to build a backup retention policy for a UK business, covering the regulatory landscape, common retention schemes, cost implications, and the practical steps to implement and maintain your policy.

  • 54% of UK SMEs have no documented backup retention policy
  • 197 days: average time to detect a ransomware infection in a UK business
  • 7 years: HMRC-required retention period for financial records
  • £0.018: per GB/month cost of Azure Cool storage for long-term backups

Why Retention Policies Matter

Without a clear retention policy, businesses tend to adopt one of two equally problematic approaches. Some keep everything forever, accumulating enormous volumes of backup data that drive up storage costs, create GDPR compliance issues (UK GDPR requires that personal data is not kept longer than necessary) and enlarge the impact of any breach, since every old copy is another place the data can be stolen from. Others keep too little, overwriting backups after a few days and leaving themselves unable to recover from incidents that are only discovered weeks or months later.

A retention policy addresses both extremes by defining clear, documented rules for how long each type of data is kept. It gives IT teams certainty when managing backup storage, gives regulators and auditors compliance evidence, lets the business meet legal discovery obligations, defends against slow-burn threats such as ransomware and insider attacks, and makes storage budgets predictable.

UK GDPR and Backup Retention

Article 5(1)(e) of UK GDPR, the storage limitation principle, requires that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Backups are not exempt: data in a backup is still personal data you hold. This means your backup retention periods must be justifiable. Keeping personal data in backups indefinitely "just in case" is not compliant. Your retention policy should document the specific reason for each retention period and how it relates to a legitimate business or legal requirement. The ICO accepts that data subject to an erasure request may remain in existing backups until those backups expire, provided it is put beyond use and is not restored back into live systems, so your policy should also say how erased records are handled if a restore is needed.

UK Regulatory Retention Requirements

Several UK regulations specify minimum retention periods for certain types of data. Your backup retention policy must, at minimum, meet these requirements.

Data type                                        | Regulation                         | Minimum retention period
-------------------------------------------------|------------------------------------|------------------------------------------
Financial records (accounts, invoices, receipts) | Companies Act 2006 / HMRC          | 6-7 years
VAT records                                      | HMRC VAT regulations               | 6 years
Payroll records                                  | HMRC PAYE regulations              | 3 years after the end of the tax year
Employee records                                 | Employment law / HMRC              | 6 years after employment ends
Health and safety records                        | Various H&S regulations            | 3-40 years (depends on type)
Client contracts                                 | Limitation Act 1980                | 6 years after contract ends
Medical records (healthcare sector)              | NHS retention schedule             | Up to 30 years
Anti-money laundering records                    | Money Laundering Regulations 2017  | 5 years after business relationship ends

Common Backup Retention Schemes

The most widely used backup retention scheme is the Grandfather-Father-Son (GFS) method, which creates a hierarchy of daily, weekly, monthly, and annual backup points with different retention periods for each tier.

The GFS Retention Model

In a typical GFS scheme, daily backups (the "sons") are retained for a short period — typically 7 to 30 days. Weekly backups (the "fathers") are retained for 4 to 12 weeks. Monthly backups (the "grandfathers") are retained for 12 to 24 months. Annual backups may be retained for 7 to 10 years, depending on regulatory requirements.

This approach provides granular recovery options for recent events (you can restore to any day within the last week or month) while also providing long-term recovery points at lower granularity (monthly snapshots going back a year or more) for compliance and historical purposes.

  • Daily backups: 7-30 days
  • Weekly backups: 4-12 weeks
  • Monthly backups: 12-24 months
  • Annual backups: 7-10 years

Ransomware Considerations

The rise of ransomware has forced many businesses to reconsider their retention periods. Attackers often sit inside a network for weeks or months before the encryption stage, and some variants encrypt files gradually or stay dormant until the backup rotation has cycled through. If your daily backups only go back 14 days and the attacker has been present for 30 days, every backup in the rotation was taken after the compromise: restoring any of them brings back the attacker's tools and persistence, and the most recent ones may already contain encrypted files.

For this reason, we now recommend that businesses maintain at least 90 days of daily backup retention — ideally longer — along with monthly backups going back at least 12 months. This provides a reasonable probability of having a clean recovery point even if a ransomware infection goes undetected for an extended period.
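The following is an added worked example, not code from the original post or from CloudSwitched, showing the GFS selection described above as an algorithm and the "clean recovery point" test from the ransomware discussion. The retention counts, the 400-day sample schedule, the date of the compromise and the 30-day dwell time are all constructed assumptions for illustration; the selection rule (keep the newest snapshot in each of the most recent N distinct days, ISO weeks, months and years) is the one most backup tools implement for GFS.

```python
from datetime import date, timedelta

# Retention counts per GFS tier. Assumed values chosen to match the post's
# recommendation (90 daily points, at least 12 months of monthlies).
STRONG_POLICY = {"daily": 90, "weekly": 12, "monthly": 24, "yearly": 7}
WEAK_POLICY = {"daily": 14}

# Constructed sample: one snapshot per day for 400 days ending on TODAY.
TODAY = date(2024, 6, 30)
SNAPSHOTS = [TODAY - timedelta(days=i) for i in range(400)]


def _bucket(tier, d):
    """Map a snapshot date to the calendar bucket the tier counts in."""
    if tier == "daily":
        return d.toordinal()
    if tier == "weekly":
        year, week, _ = d.isocalendar()
        return (year, week)
    if tier == "monthly":
        return (d.year, d.month)
    if tier == "yearly":
        return d.year
    raise ValueError(f"unknown tier {tier!r}")


def select_gfs(snapshots, policy):
    """Return {snapshot_date: set(tiers)} for the snapshots GFS keeps.

    For each tier, walk snapshots newest-first and keep the newest snapshot in
    each of the most recent N distinct buckets (day, ISO week, month, year).
    A snapshot wanted by several tiers appears once with all of them; a gap in
    the schedule just means the next older snapshot fills the bucket.
    """
    keep = {}
    ordered = sorted(set(snapshots), reverse=True)
    for tier, count in policy.items():
        seen = set()
        for d in ordered:
            key = _bucket(tier, d)
            if key in seen:
                continue      # a newer snapshot already represents this bucket
            if len(seen) == count:
                break         # this tier's quota is full
            seen.add(key)
            keep.setdefault(d, set()).add(tier)
    return keep


def prune_list(snapshots, policy):
    """Snapshots the policy no longer needs, oldest first."""
    keep = select_gfs(snapshots, policy)
    return sorted(d for d in set(snapshots) if d not in keep)


def clean_recovery_points(keep, compromised_since):
    """Retained snapshots taken strictly before the attacker's earliest known
    presence. Restoring any later point restores the attacker's foothold too."""
    return sorted(d for d in keep if d < compromised_since)


if __name__ == "__main__":
    dwell = timedelta(days=30)  # assumed undetected dwell time
    for name, policy in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY)):
        keep = select_gfs(SNAPSHOTS, policy)
        clean = clean_recovery_points(keep, TODAY - dwell)
        print(f"{name}: keep {len(keep)} of {len(SNAPSHOTS)} snapshots, "
              f"oldest {min(keep)}, clean points before compromise: {len(clean)}")
```

Run against the sample schedule, the strong policy keeps 101 of the 400 snapshots and still has 70 points that predate a compromise 30 days ago; the 14-day policy keeps 14 and has none. The same check is worth running routinely with `compromised_since` set to your realistic detection lag rather than waiting for an incident to find out.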

Strong Retention Policy

  • 90+ days of daily backups for ransomware protection
  • 12+ months of monthly backups for compliance
  • 7+ years of annual backups for financial records
  • Immutable backup copies that cannot be altered or deleted
  • Off-site or cloud copies following the 3-2-1 rule
  • Documented policy reviewed and updated annually

Weak Retention Policy

  • Only 7-14 days of backups — inadequate for ransomware recovery
  • No monthly or annual retention tiers
  • All backups stored on same network as production systems
  • No immutable copies — ransomware can encrypt backups too
  • Retention periods not aligned to regulatory requirements
  • No documented policy — ad hoc decisions by IT staff

Storage Cost Management

Longer retention periods mean more storage, and storage costs money. The key to managing costs is using tiered storage — keeping recent backups on fast, accessible storage and migrating older backups to cheaper, slower storage tiers.

Cloud storage platforms like Microsoft Azure and Amazon Web Services offer multiple storage tiers designed for exactly this purpose. Azure, for example, offers Hot storage for frequently accessed data, Cool storage for data accessed less than once a month, Cold storage for data accessed less than once a quarter, and Archive storage for data rarely accessed and tolerant of retrieval delays of hours.

The cost difference between tiers is dramatic. Azure Hot storage costs approximately £0.02 per GB per month, while Archive storage costs around £0.001 per GB per month, a twentyfold reduction. By automatically moving older backups to cooler tiers as they age, you can maintain long retention periods at a fraction of the cost of keeping everything on hot storage. Two caveats apply. The cooler tiers carry minimum retention periods (180 days for Archive) with early-deletion charges, and Archive data must be rehydrated, for a fee and with a delay of hours, before it can be read, so restore tests against archived copies need to be planned rather than improvised.

  • Azure Hot storage: £0.020/GB/month
  • Azure Cool storage: £0.009/GB/month
  • Azure Cold storage: £0.004/GB/month
  • Azure Archive storage: £0.001/GB/month
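The following added example, not code from the original post or from CloudSwitched, puts the tiering argument above to a worked schedule: it estimates the monthly bill for a GFS policy by assigning each retained point to a tier by age, compares it with keeping everything hot, and emits the Azure lifecycle-management rule that would implement the same thresholds. The prices are the post's figures; the tier thresholds (30, 90 and 180 days), the 500 GB backup size, the rule name and the `backups/` prefix are assumptions, and the model treats every retained point as a full copy, ignoring deduplication, incrementals and transaction or retrieval charges.

```python
# Per-GB monthly prices taken from the post (GBP). Retrieval, transaction and
# early-deletion charges are deliberately left out of this model.
TIER_PRICES_GBP = {"hot": 0.020, "cool": 0.009, "cold": 0.004, "archive": 0.001}

# Assumed lifecycle thresholds: a backup moves to a tier once it is at least
# this many days old. They mirror Azure's minimum retention period per tier.
TIER_THRESHOLDS = (("hot", 0), ("cool", 30), ("cold", 90), ("archive", 180))

# Assumed GFS retention counts matching the post's "strong policy" list.
STRONG_POLICY = {"daily": 90, "weekly": 12, "monthly": 24, "yearly": 7}


def tier_for_age(age_days):
    """Tier a backup sits in after age_days under TIER_THRESHOLDS."""
    tier = "hot"
    for name, min_age in TIER_THRESHOLDS:
        if age_days >= min_age:
            tier = name
    return tier


def retention_ages(policy):
    """Approximate age (days) of every retained GFS point: dailies at 0..N-1,
    weeklies at multiples of 7, monthlies of 30, yearlies of 365. Points that
    coincide (a daily that is also the weekly) are stored once."""
    ages = set(range(policy.get("daily", 0)))
    ages.update(7 * j for j in range(policy.get("weekly", 0)))
    ages.update(30 * k for k in range(policy.get("monthly", 0)))
    ages.update(365 * y for y in range(policy.get("yearly", 0)))
    return sorted(ages)


def cost_by_tier(policy, size_gb):
    """{tier: [point_count, monthly_cost_gbp]}, assuming each retained point
    is a full copy of size_gb (no deduplication or incremental storage)."""
    summary = {name: [0, 0.0] for name, _ in TIER_THRESHOLDS}
    for age in retention_ages(policy):
        tier = tier_for_age(age)
        summary[tier][0] += 1
        summary[tier][1] += TIER_PRICES_GBP[tier] * size_gb
    return summary


def monthly_cost(policy, size_gb, tiered=True):
    """Total monthly cost, tiered by age or with every copy left on Hot."""
    if not tiered:
        return len(retention_ages(policy)) * TIER_PRICES_GBP["hot"] * size_gb
    return sum(cost for _, cost in cost_by_tier(policy, size_gb).values())


def azure_lifecycle_rule(prefix, delete_after_days):
    """Azure Storage lifecycle-management policy implementing TIER_THRESHOLDS.
    Field names follow the lifecycle policy schema; the rule name and the
    container prefix are placeholders for this example."""
    days = dict(TIER_THRESHOLDS)
    return {
        "rules": [{
            "enabled": True,
            "name": "backup-retention-tiering",
            "type": "Lifecycle",
            "definition": {
                "actions": {"baseBlob": {
                    "tierToCool": {"daysAfterModificationGreaterThan": days["cool"]},
                    "tierToCold": {"daysAfterModificationGreaterThan": days["cold"]},
                    "tierToArchive": {"daysAfterModificationGreaterThan": days["archive"]},
                    "delete": {"daysAfterModificationGreaterThan": delete_after_days},
                }},
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
            },
        }]
    }


if __name__ == "__main__":
    import json
    size = 500  # GB per full backup (assumed)
    for tier, (count, cost) in cost_by_tier(STRONG_POLICY, size).items():
        print(f"{tier:8} {count:3} points  £{cost:8.2f}/month")
    print(f"tiered £{monthly_cost(STRONG_POLICY, size):.2f} vs "
          f"all-hot £{monthly_cost(STRONG_POLICY, size, tiered=False):.2f}")
    print(json.dumps(azure_lifecycle_rule("backups/", 7 * 365), indent=2))
```

For the assumed 500 GB schedule the tiered bill is about £588 a month against £1,170 all on Hot: roughly half, not a twentieth, because the 90 daily points on Hot and Cool account for about 97% of the cost while the 24 archived monthlies and yearlies cost a few pounds. The lever for cost is therefore how many dailies you keep, not the Archive price. Note also that a lifecycle `delete` action can be changed by anyone with rights to the storage account; pair it with an immutability policy on the container so that an attacker who obtains those rights cannot shorten the schedule.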

Building Your Retention Policy

A practical backup retention policy should follow these steps:

  1. Classify your data by type and identify any regulatory retention requirements that apply.
  2. Determine your business-specific retention needs: how far back might you realistically need to recover data, and for what reasons?
  3. Balance these requirements against storage costs to determine feasible retention periods.
  4. Document the policy, including the rationale for each retention period.
  5. Implement the policy in your backup software, configuring automated expiry and tiering rules.
  6. Review the policy at least annually, or whenever regulations change or a significant incident occurs.

Your policy should be approved by business stakeholders, not just IT. Data retention is a business decision with legal, financial, and operational implications. IT implements the policy; the business defines it.

Need Help with Your Backup Strategy?

Cloudswitched designs and manages backup solutions for UK businesses, including retention policy development, cloud backup implementation, and ongoing monitoring. We ensure your data is protected, compliant, and recoverable — without unnecessary cost.

Tags: Cloud Backup, Data Retention
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.