
Email Retention Policies: How Long Should You Keep Emails?


Email is the backbone of business communication. The average UK office worker sends and receives over 120 emails per day, and for many businesses, email constitutes the primary record of commercial agreements, client instructions, regulatory correspondence, and internal decision-making. Despite this, a surprisingly large number of UK businesses have no formal email retention policy — leaving them exposed to legal risk, compliance failures, and the practical chaos of unmanaged mailboxes growing without limit.

An email retention policy defines how long different categories of email are kept, when and how they are archived, and under what circumstances they are deleted. Getting this right is a balancing act: keep emails too long and you accumulate unnecessary data that increases storage costs and your exposure in the event of a data breach or legal dispute. Delete them too soon and you risk losing evidence needed for regulatory compliance, contractual disputes, or tax investigations. This guide helps UK businesses navigate these competing demands and establish a practical, compliant email retention policy.

  • 120+: average emails per UK worker per day
  • 73%: of UK SMEs have no formal email retention policy
  • 6 years: HMRC minimum retention period for tax-related records
  • £17.5M: maximum UK GDPR fine for data retention violations

Why Email Retention Matters

There are four primary reasons why every UK business needs a formal email retention policy: legal compliance, regulatory requirements, litigation readiness, and operational efficiency.

From a legal perspective, UK GDPR requires that personal data — which includes any email containing information about an identifiable individual — is not kept for longer than necessary for the purpose for which it was collected. The principle of storage limitation means you must be able to justify how long you retain data, and you must delete it when the justification expires. The ICO has made it clear that keeping all emails indefinitely "just in case" does not constitute a lawful retention policy.

From a regulatory perspective, different industries have specific retention requirements. Financial services firms regulated by the FCA must retain certain communications for specified periods. Healthcare organisations handling NHS data must comply with the Records Management Code of Practice. Legal firms must retain client files in accordance with Solicitors Regulation Authority guidance. Even businesses not in regulated sectors must comply with HMRC requirements to retain financial records — including relevant emails — for at least six years.

UK GDPR and Email Retention

Under UK GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (Article 5(1)(e)). This means you need a clear rationale for how long you keep emails containing personal data, and you must delete them when that rationale expires. "We keep everything forever" is not compliant. The ICO recommends conducting a data retention audit and documenting your policy with specific retention periods for different categories of data.

UK Legal Retention Requirements

UK law does not prescribe a single retention period for all emails. Instead, different types of records have different requirements depending on the legislation that applies. The table below summarises the key retention periods that affect email for most UK businesses.

Record Type | Retention Period | Legal Basis
Tax and accounting records | 6 years from end of tax year | Companies Act 2006, HMRC requirements
VAT records | 6 years | VAT Regulations 1995
Employment records | 6 years after employment ends | Limitation Act 1980
Contract-related correspondence | 6 years after contract ends (12 for deeds) | Limitation Act 1980
Health and safety records | 40 years (injury) / 3 years (general) | Various H&S regulations
GDPR subject access requests | Records of compliance: 3 years | UK GDPR best practice
Recruitment records (unsuccessful) | 6-12 months | UK GDPR / Equality Act 2010
Client communications (legal) | 6-15 years depending on matter type | SRA requirements
Financial services communications | 5-7 years depending on type | FCA SYSC rules

The six-year period that appears frequently is derived from the Limitation Act 1980, which sets the time limit for bringing most civil claims in England and Wales (five years in Scotland under the Prescription and Limitation (Scotland) Act 1973). This means that business correspondence relevant to contracts, disputes, or financial matters should generally be retained for at least six years after the relevant transaction or relationship ends.

Building Your Email Retention Policy

A practical email retention policy does not need to be a complex legal document. It needs to be clear, specific, and enforceable through technology. The following framework works for most UK SMEs.

  • Marketing / newsletters: 1 year
  • General internal communications: 2 years
  • Client / supplier correspondence: 6 years
  • Financial / tax-related emails: 7 years
  • Legal / contractual emails: 7 years
  • Regulatory correspondence: 10 years

Start by categorising the types of email your business sends and receives. For each category, determine the appropriate retention period based on legal requirements, regulatory obligations, and legitimate business need. Document the rationale for each retention period — UK GDPR requires you to be able to explain why you keep data for as long as you do. Establish a process for applying these retention periods consistently, ideally using automated tools rather than relying on individual employees to manage their own mailboxes.

Implementing Retention in Microsoft 365

For UK businesses using Microsoft 365 — which is the vast majority — retention policies can be implemented directly through the Microsoft Purview compliance centre (formerly the Microsoft 365 compliance centre). This provides powerful tools for automating email retention and deletion without requiring manual intervention from users.

Microsoft 365 retention policies allow you to retain email for a specified period, delete email after a specified period, or retain and then delete. Policies can be applied to entire mailboxes, specific users, or based on content conditions such as keywords, sender domains, or sensitivity labels. Retention labels can be applied automatically or manually to individual emails or folders, providing granular control over different categories of content.

Microsoft 365 Retention: Key Features

  • Retention policies: apply organisation-wide rules automatically.
  • Retention labels: classify individual items for specific retention.
  • Litigation hold: preserve all email for legal proceedings regardless of retention policy.
  • eDiscovery: search across all mailboxes for specific content during investigations.
  • Audit logging: track who accessed, deleted, or modified emails.
  • Data loss prevention: prevent sensitive emails from being forwarded or downloaded inappropriately.

It is important to understand the difference between Microsoft 365's built-in retention and a proper backup solution. Microsoft 365 retention policies protect against accidental deletion and ensure compliance, but they do not protect against data loss scenarios such as ransomware that encrypts mailbox content, malicious deletion by a compromised admin account, or Microsoft service failures. A dedicated backup solution — such as Veeam Backup for Microsoft 365, Acronis Cyber Protect, or Barracuda Cloud-to-Cloud Backup — provides an independent copy of your email data that can be restored regardless of what happens to your Microsoft 365 environment.
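As an added example (not code from the original post), here is the category schedule above expressed as Purview retention policies and a retention label through Security & Compliance PowerShell; the policy and label names, day counts and the regulator domain in the content query are assumed placeholders.

```powershell
# Added example: automate the retention schedule with Microsoft Purview cmdlets.
# Requires the ExchangeOnlineManagement module; Connect-IPPSSession prompts for
# a compliance admin sign-in. All names, durations and domains are placeholders.
Connect-IPPSSession

# 1. Organisation-wide baseline: keep every email 2 years from creation, then delete
#    (the "General internal communications: 2 years" row). 730 days = 2 years.
New-RetentionCompliancePolicy -Name "Email baseline 2y" `
    -ExchangeLocation All `
    -Comment "General internal email retained 2 years from creation, then deleted"
New-RetentionComplianceRule -Name "Email baseline 2y rule" `
    -Policy "Email baseline 2y" `
    -RetentionDuration 730 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 2. Longer period for a category selected by content: mail from a regulator's
#    domain (placeholder) is kept 10 years (3650 days). Where several policies
#    cover one item, retention wins over deletion and the longest period applies,
#    so this rule extends the baseline rather than conflicting with it.
New-RetentionCompliancePolicy -Name "Regulatory correspondence 10y" -ExchangeLocation All
New-RetentionComplianceRule -Name "Regulatory correspondence 10y rule" `
    -Policy "Regulatory correspondence 10y" `
    -ContentMatchQuery 'from:regulator.example' `
    -RetentionDuration 3650 `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 3. Retention label for items staff (or an auto-apply rule) mark as financial:
#    7 years (2555 days) from creation, then delete. Labels give per-item control
#    alongside the mailbox-wide policies.
New-ComplianceTag -Name "Financial - 7 years" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -Comment "Financial / tax-related email: HMRC 6-year minimum plus margin"

# 4. Verify: every policy should be enabled and carry a rule with the intended
#    duration and action. Keep this output with the documented rationale.
Get-RetentionCompliancePolicy | Select-Object Name, Enabled
Get-RetentionComplianceRule |
    Select-Object Name, Policy, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
```

Newly created policies take time to apply across mailboxes, so test deletion behaviour on a pilot mailbox before relying on the schedule.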

Common Mistakes to Avoid

The most common mistake is having no policy at all. "Keep everything forever" is not a policy — it is a liability. Under UK GDPR, retaining personal data longer than necessary is itself a compliance violation, regardless of whether a breach occurs. It also increases your risk exposure in litigation, where opposing parties can request disclosure of all relevant communications. The more email you retain, the more you may be required to disclose.

Retention Policy Mistakes

  • No written policy — retention left to individual discretion
  • "Keep everything forever" approach
  • Deleting emails too aggressively without legal review
  • Relying on users to manually classify and delete emails
  • No litigation hold process for legal disputes
  • Confusing Microsoft 365 retention with proper backup

Retention Policy Best Practices

  • Written policy with documented rationale for each period
  • Different retention periods for different email categories
  • Legal review of retention periods annually
  • Automated enforcement via Microsoft 365 retention policies
  • Clear litigation hold procedure that overrides normal deletion
  • Independent backup solution alongside retention policies

Another common mistake is failing to implement a litigation hold process. When legal proceedings are anticipated or commenced, you have a legal obligation to preserve all potentially relevant evidence — including email. If your automated retention policy deletes emails that are relevant to ongoing or anticipated litigation, this constitutes spoliation of evidence and can result in adverse inferences, costs penalties, or even contempt of court findings. Your retention policy must include a clear process for imposing litigation holds that override normal deletion schedules.
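An added example, not from the original post, of imposing the litigation hold described above with Exchange Online PowerShell and confirming it took effect; the mailbox addresses, matter reference and intranet URL are placeholders.

```powershell
# Added example: place named custodians under litigation hold so that retention
# policy deletion cannot remove potentially relevant email, then verify.
# Requires the ExchangeOnlineManagement module and an Exchange admin sign-in.
Connect-ExchangeOnline

$custodians = @("alice@example.com", "bob@example.com")            # placeholders
$matterRef  = "MATTER-0001 (placeholder): anticipated contract dispute"

foreach ($mbx in $custodians) {
    # LitigationHoldEnabled preserves every item in the mailbox, including items
    # the user later deletes or edits. With no LitigationHoldDuration the hold is
    # indefinite, which is the usual choice until Legal authorises release.
    Set-Mailbox -Identity $mbx `
        -LitigationHoldEnabled $true `
        -LitigationHoldOwner "legal@example.com" `
        -RetentionComment "Hold imposed for $matterRef. Do not release without Legal sign-off." `
        -RetentionUrl "https://intranet.example/legal/holds"
}

# Verify the hold is recorded on each custodian mailbox and keep the output in
# the matter file as evidence that preservation started on this date.
$custodians | ForEach-Object { Get-Mailbox -Identity $_ } |
    Select-Object PrimarySmtpAddress, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner |
    Format-Table -AutoSize

# Periodic review: list every mailbox under hold so stale holds are released when
# a matter closes and gaps (custodians without a hold) are spotted early.
Get-Mailbox -ResultSize Unlimited -Filter 'LitigationHoldEnabled -eq $true' |
    Select-Object PrimarySmtpAddress, LitigationHoldDate, RetentionComment
```

A mailbox under litigation hold still shows the normal retention policy to the user, but expired items are kept in the Recoverable Items folder rather than purged, which is what makes the hold override deletion.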

Practical Steps to Get Started

If your business does not currently have an email retention policy, here is a practical approach to implementing one. First, conduct an audit of your current email environment. How much email data do you have? How far back does it go? Are there any existing retention or deletion rules in place? What regulatory requirements apply to your business?

Second, develop your policy framework. Identify the categories of email your business handles, determine the appropriate retention period for each based on the legal and regulatory guidance outlined above, and document the rationale. Have the policy reviewed by your legal adviser to ensure it meets your specific obligations.

Third, implement the technical controls. Configure Microsoft 365 retention policies to enforce your policy automatically. Set up retention labels for categories that require different treatment. Deploy a backup solution to protect against data loss. Test the system to ensure retention and deletion work as expected.


Fourth, communicate the policy to all staff. Explain why the policy exists, what it means for their day-to-day email usage, and what they need to do (which, if you have implemented automated controls properly, should be very little). Include the policy in your staff handbook and cover it in security awareness training.

Finally, review the policy annually. Legal requirements change, your business evolves, and new regulations may introduce additional obligations. An annual review ensures your policy remains fit for purpose and demonstrates ongoing compliance to regulators.

Need Help with Email Retention?

Cloudswitched helps UK businesses implement compliant email retention policies using Microsoft 365 Purview, backed by enterprise-grade email backup. We handle the technical configuration so you can focus on your business.
