Email is the backbone of business communication. The average UK office worker sends and receives over 120 emails per day, and for many businesses, email constitutes the primary record of commercial agreements, client instructions, regulatory correspondence, and internal decision-making. Despite this, a surprisingly large number of UK businesses have no formal email retention policy — leaving them exposed to legal risk, compliance failures, and the practical chaos of unmanaged mailboxes growing without limit.
An email retention policy defines how long different categories of email are kept, when and how they are archived, and under what circumstances they are deleted. Getting this right is a balancing act: keep emails too long and you accumulate unnecessary data that increases storage costs and your exposure in the event of a data breach or legal dispute. Delete them too soon and you risk losing evidence needed for regulatory compliance, contractual disputes, or tax investigations. This guide helps UK businesses navigate these competing demands and establish a practical, compliant email retention policy.
Why Email Retention Matters
There are four primary reasons why every UK business needs a formal email retention policy: legal compliance, regulatory requirements, litigation readiness, and operational efficiency.
From a legal perspective, UK GDPR requires that personal data — which includes any email containing information about an identifiable individual — is not kept for longer than necessary for the purpose for which it was collected. The principle of storage limitation means you must be able to justify how long you retain data, and you must delete it when the justification expires. The ICO has made it clear that keeping all emails indefinitely "just in case" does not constitute a lawful retention policy.
From a regulatory perspective, different industries have specific retention requirements. Financial services firms regulated by the FCA must retain certain communications for specified periods. Healthcare organisations handling NHS data must comply with the Records Management Code of Practice. Legal firms must retain client files in accordance with Solicitors Regulation Authority guidance. Even businesses not in regulated sectors must comply with HMRC requirements to retain financial records — including relevant emails — for at least six years.
Litigation Readiness and Legal Disclosure
Beyond regulatory compliance, email retention plays a critical role in litigation readiness. Under the Civil Procedure Rules, parties to legal proceedings in England and Wales have a duty of disclosure — they must identify and make available documents that are relevant to the issues in dispute. In modern commercial litigation, email is invariably the most significant category of disclosable documents. Solicitors regularly report that email evidence forms the backbone of the majority of commercial disputes, employment tribunal claims, and regulatory investigations.
If your organisation cannot produce relevant emails because they were deleted under an ad hoc or non-existent retention policy, the consequences can be severe. Courts may draw adverse inferences — meaning they may assume the missing emails contained information unfavourable to your position. In extreme cases, the court may strike out claims or defences, award costs against the party that failed to preserve evidence, or refer the matter for contempt proceedings. The case of Earles v Barclays Bank highlighted how the failure to retain electronic communications can fundamentally undermine a party's litigation position.
Operational Efficiency and Knowledge Management
The operational benefits of a well-structured email retention policy are often overlooked. Without systematic retention, mailboxes grow without limit — it is not uncommon for long-serving employees to have mailboxes exceeding 20GB, containing tens of thousands of emails accumulated over years. This creates practical problems: search performance degrades, migration becomes time-consuming and expensive, and departing employees leave behind unmanageable archives that nobody has time to review.
A structured retention policy, combined with proper archiving, transforms email from a liability into a searchable knowledge base. When a client queries a decision made three years ago, or a supplier disputes the terms of a historic order, employees can quickly locate the relevant correspondence without trawling through thousands of irrelevant messages. This improved searchability translates directly into time savings and more confident decision-making, and organisations that implement structured email management typically report a measurable reduction in the time staff spend searching their mailboxes.
Under UK GDPR, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (Article 5(1)(e)). This means you need a clear rationale for how long you keep emails containing personal data, and you must delete them when that rationale expires. "We keep everything forever" is not compliant. The ICO recommends conducting a data retention audit and documenting your policy with specific retention periods for different categories of data.
UK Legal Retention Requirements
UK law does not prescribe a single retention period for all emails. Instead, different types of records have different requirements depending on the legislation that applies. The table below summarises the key retention periods that affect email for most UK businesses.
| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Tax and accounting records | 6 years from end of the accounting period they relate to | HMRC requirements (Companies Act 2006 s.388 sets a lower floor of 3 years for private companies) |
| VAT records | 6 years | VAT Regulations 1995 |
| Employment records | 6 years after employment ends | Limitation Act 1980 |
| Contract-related correspondence | 6 years after contract ends (12 for deeds) | Limitation Act 1980 |
| Health and safety records | 40 years (health surveillance records) / 3 years (accident records) | COSHH Regulations 2002 / RIDDOR 2013 |
| GDPR subject access requests | Records of compliance: 3 years | UK GDPR best practice |
| Recruitment records (unsuccessful) | 6-12 months | UK GDPR / Equality Act 2010 |
| Client communications (legal) | 6-15 years depending on matter type | SRA requirements |
| Financial services communications | 5-7 years depending on type | FCA SYSC rules |
The six-year period that appears frequently is derived from the Limitation Act 1980, which sets the time limit for bringing most civil claims in England and Wales (five years in Scotland under the Prescription and Limitation (Scotland) Act 1973). This means that business correspondence relevant to contracts, disputes, or financial matters should generally be retained for at least six years after the relevant transaction or relationship ends.
Industry-Specific Considerations
While the general six-year rule provides a useful baseline, many sectors face additional or more stringent retention requirements that must be factored into any email retention policy. Financial services firms regulated by the Financial Conduct Authority must retain communications records in accordance with SYSC 9, the record-keeping chapter of the Senior Management Arrangements, Systems and Controls sourcebook. MiFID II imposes particularly onerous requirements on investment firms: records of telephone conversations and electronic communications relating to client orders must be retained for a minimum of five years, extended to seven years where the FCA requests it.
Healthcare organisations in England must follow the NHS Records Management Code of Practice, which specifies retention periods ranging from three years for routine administrative records to 30 years or more for certain clinical records. Legal firms must comply with the Solicitors Regulation Authority requirements, which generally recommend retaining client files for a minimum of six years after the matter concludes, though certain categories — particularly those involving minors, property transactions, or wills — may require retention of 15 years or more.
Construction companies face unique requirements under the Construction (Design and Management) Regulations 2015 and the Defective Premises Act 1972, which was amended by the Building Safety Act 2022 to extend the limitation period for claims related to dwelling defects to 30 years for existing buildings. Any email correspondence relating to building design, safety decisions, or material specifications should be retained accordingly. Similarly, businesses involved in insurance broking must retain records for at least three years after the policy expires, as required by the FCA Insurance Conduct of Business sourcebook.
The education sector is another area where retention requirements extend beyond the standard six-year period. Schools and universities must retain certain student records — including safeguarding records — for 25 years or until the student reaches the age of 25, whichever is longer. Email correspondence that forms part of a safeguarding record must be treated with the same retention requirements as formal records.
Building Your Email Retention Policy
A practical email retention policy does not need to be a complex legal document. It needs to be clear, specific, and enforceable through technology. The following framework works for most UK SMEs.
Email Classification and Categorisation
The foundation of any effective retention policy is a clear classification scheme. Rather than treating all emails identically, your policy should define distinct categories based on the content and purpose of the communication. A practical approach for most UK businesses involves five to seven categories: financial and tax-related correspondence, contractual and commercial communications, employment and HR-related emails, regulatory and compliance correspondence, client and supplier communications, internal operational messages, and marketing or promotional content.
Each category should have a defined retention period based on the legal and regulatory requirements that apply, together with a documented rationale explaining why that period was chosen. For instance, you might retain financial correspondence for seven years (six years required by HMRC, plus a one-year buffer), whilst internal operational emails such as meeting room bookings or social event planning might be retained for just 12 months. The key principle is proportionality — the retention period should be justified by a specific legal, regulatory, or legitimate business need.
Applying Retention to Shared Mailboxes and Distribution Lists
Many businesses overlook the retention implications of shared mailboxes, distribution lists, and group email addresses. A shared mailbox used by a customer service team, for example, may contain a mixture of routine enquiries (suitable for short retention), contractual communications (requiring six-year retention), and complaints that could lead to legal proceedings (requiring retention until the limitation period expires). Your policy should address how shared mailboxes are managed and who is responsible for classifying their contents. The safe default is to apply the longest applicable retention period to the whole shared mailbox. Be aware that a retention label with a shorter deletion period does not then remove individual items sooner: Microsoft 365 resolves conflicts so that retention wins over deletion and the longest retention period wins, so an item covered by a six-year retention policy stays for six years whatever label it carries. Shorter-lived content can only be deleted earlier if the mailbox is excluded from the longer policy and labels carry the retention instead, which is harder to govern; for most SMEs, accepting the longer period for shared mailboxes is the simpler and more defensible choice. Distribution lists have no mailbox of their own: each message lands in the members' mailboxes and follows whatever policy applies there.
Start by categorising the types of email your business sends and receives. For each category, determine the appropriate retention period based on legal requirements, regulatory obligations, and legitimate business need. Document the rationale for each retention period — UK GDPR requires you to be able to explain why you keep data for as long as you do. Establish a process for applying these retention periods consistently, ideally using automated tools rather than relying on individual employees to manage their own mailboxes.
Implementing Retention in Microsoft 365
For UK businesses using Microsoft 365, which means the majority of them, retention policies can be implemented directly through the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance centre). This provides powerful tools for automating email retention and deletion without requiring manual intervention from users.
Microsoft 365 retention policies allow you to retain email for a specified period, delete email after a specified period, or retain and then delete. Policies can be applied to entire mailboxes, specific users, or based on content conditions such as keywords, sender domains, or sensitivity labels. Retention labels can be applied automatically or manually to individual emails or folders, providing granular control over different categories of content.
The main building blocks are:
- Retention policies: apply organisation-wide rules automatically.
- Retention labels: classify individual items for specific retention.
- Litigation hold: preserve all email for legal proceedings regardless of retention policy.
- eDiscovery: search across all mailboxes for specific content during investigations.
- Audit logging: track who accessed, deleted, or modified emails.
- Data loss prevention: prevent sensitive emails from being forwarded or downloaded inappropriately.
It is important to understand the difference between Microsoft 365's built-in retention and a proper backup solution. Microsoft 365 retention policies protect against accidental deletion and ensure compliance, but they do not protect against data loss scenarios such as ransomware that encrypts mailbox content, malicious deletion by a compromised admin account, or Microsoft service failures. A dedicated backup solution — such as Veeam Backup for Microsoft 365, Acronis Cyber Protect, or Barracuda Cloud-to-Cloud Backup — provides an independent copy of your email data that can be restored regardless of what happens to your Microsoft 365 environment.
Configuring Retention Policies Step by Step
Setting up retention policies in Microsoft 365 requires careful planning to avoid unintended data loss. Begin by creating retention policies at the organisation level in the Microsoft Purview compliance portal: navigate to Data lifecycle management, then Microsoft 365, then Retention policies, and create a new policy for each of your defined email categories. For each policy, choose whether it applies to Exchange email, define the retention period, and choose the action when the period expires: retain only, delete only, or retain and then delete. A retention policy cannot route content to a disposition review; if you want a named reviewer to approve deletion before it happens, that option belongs to retention labels. Policies can take up to seven days to reach every mailbox, so create them ahead of the date you expect enforcement to begin, and start with retain-only settings until you are confident the scoping is right.
Retention labels provide more granular control than organisation-wide policies. Create labels for specific email categories, such as Tax Records (7 Years) or Client Correspondence (6 Years), and either publish them for users to apply or configure them to be applied automatically based on conditions such as keywords in the subject line, the sender domain (via a KQL query), or the presence of specific sensitive information types. Auto-apply label policies can identify emails containing financial keywords (invoice, payment, VAT, HMRC) and automatically apply the appropriate retention label, removing the burden from individual users. Note the licensing boundary: retention policies and manually applied labels are available with Business Premium and E3, but auto-applying labels by content, disposition review and adaptive policy scopes require Microsoft 365 E5 or the E5 Compliance add-on.
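The procedure above, written out as an added example in Security & Compliance PowerShell (the ExchangeOnlineManagement module). This is not code from the original article or from Cloudswitched. It creates an organisation-wide six-year retain-then-delete baseline, a seven-year Tax Records label with a disposition reviewer, an auto-apply rule driven by a keyword query, and a publishing policy so staff can also apply the label by hand. The policy names, the reviewer address, the admin UPN and the keyword query are all assumptions for illustration.

```powershell
# Added example: not code from the original article or from Cloudswitched.
# Creates the baseline policy, the Tax Records label, an auto-apply rule and a publishing
# policy. Policy names, periods, reviewer address and the keyword query are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@example.co.uk   # assumed admin UPN

# 1. Organisation-wide baseline: keep all Exchange mail for 6 years, then delete.
#    Durations are in days: 2190 = 6 x 365, 2555 = 7 x 365.
$baseline = New-RetentionCompliancePolicy -Name "Email - Baseline 6 Years" `
    -ExchangeLocation All -Comment "Limitation Act 1980 baseline; see retention schedule v1"
New-RetentionComplianceRule -Name "Email - Baseline 6 Years - Rule" -Policy $baseline.Name `
    -RetentionDuration 2190 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays | Out-Null

# 2. Financial category: 7 years (6 years HMRC plus a 1-year buffer). The label is longer than
#    the baseline, so "longest retention wins" makes it effective. A named reviewer must approve
#    deletion; disposition review is a label-only feature.
New-ComplianceTag -Name "Tax Records (7 Years)" -RetentionDuration 2555 `
    -RetentionAction KeepAndDelete -RetentionType CreationAgeInDays `
    -ReviewerEmail finance-records@example.co.uk `
    -Comment "HMRC: 6 years from end of the accounting period, plus buffer" | Out-Null

# 3. Auto-apply the label to mail matching a KQL query (keywords and domain are assumptions).
#    Auto-apply needs an E5 / E5 Compliance licence.
$auto = New-RetentionCompliancePolicy -Name "Auto-apply - Tax Records" -ExchangeLocation All
New-RetentionComplianceRule -Name "Auto-apply - Tax Records - Rule" -Policy $auto.Name `
    -ApplyComplianceTag "Tax Records (7 Years)" `
    -ContentMatchQuery 'subject:(invoice OR payment OR VAT OR HMRC) OR from:"hmrc.gov.uk"' | Out-Null

# 4. Publish the same label so users can pick it in Outlook for anything the query misses.
$pub = New-RetentionCompliancePolicy -Name "Publish - Email Labels" -ExchangeLocation All
New-RetentionComplianceRule -Name "Publish - Email Labels - Rule" -Policy $pub.Name `
    -PublishComplianceTag "Tax Records (7 Years)" | Out-Null

# Distribution can take up to 7 days; check it rather than assuming.
Get-RetentionCompliancePolicy -DistributionDetail | Select-Object Name, Enabled, DistributionStatus
```

The example deliberately does not create a short-lived label such as Internal Operational (12 Months): with a six-year retain-then-delete baseline on every mailbox, a twelve-month delete label would be overridden by the "retention wins over deletion" rule and would delete nothing early. If you want genuinely shorter periods for some content, scope the baseline policy to exclude those mailboxes or folders and let labels carry the retention there.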
Managing the Interplay Between Retention and Deletion
One of the most critical aspects of Microsoft 365 retention configuration is understanding the hierarchy of retention settings. When multiple retention policies or labels apply to the same email, Microsoft 365 resolves the conflict with four precedence rules, applied in order: retention wins over deletion; the longest retention period wins; explicit inclusion (a policy naming the mailbox) wins over implicit inclusion (an organisation-wide policy); and, where only deletion settings remain in conflict, the shortest deletion period wins. So if one policy specifies retain for 7 years and another specifies delete after 2 years, the email is retained for 7 years and deleted only then. Understanding these rules is essential, both to avoid premature deletion and to avoid the opposite surprise, where a shorter-lived category is never actually deleted because a longer retention policy covers the same mailbox.
It is also important to configure the Recoverable Items folder settings correctly. When a user deletes an email, it moves to the Deleted Items folder. When they empty Deleted Items (or a retention tag removes it), it moves to the Recoverable Items folder, where it is kept for a further 14 days by default; this can be raised to a maximum of 30 days per mailbox. Retention policies and holds keep items in Recoverable Items for as long as the policy requires, so administrators must ensure that the Recoverable Items quota (30 GB by default, raised to 100 GB when the mailbox is placed on hold or under a retention policy) is sufficient for the volume of retained content. Once a held mailbox reaches that quota, users can no longer delete mail from it and retention processing for the mailbox is disrupted, a problem many organisations only discover when a deletion fails or a retrieval comes up short. Microsoft's remedy is auto-expanding archiving, which lets the Recoverable Items folder in the archive mailbox grow beyond the quota; enable it for held mailboxes and monitor usage rather than waiting for the error.
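The Recoverable Items check a practitioner would want to run, as an added example in Exchange Online PowerShell; this is not code from the original article or from Cloudswitched. It raises the deleted-item window to the 30-day maximum, reports Recoverable Items usage against quota for every mailbox on hold, and turns on auto-expanding archiving for held mailboxes above a threshold. The admin UPN and the 80 per cent warning threshold are assumptions.

```powershell
# Added example: not code from the original article or from Cloudswitched.
# Audits Recoverable Items usage against quota for every mailbox on hold and enables
# auto-expanding archiving where usage is high. The 80% threshold is an assumption.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.co.uk   # assumed admin UPN

# Raise the default 14-day Recoverable Items window to the 30-day maximum everywhere.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { [TimeSpan]$_.RetainDeletedItemsFor -lt [TimeSpan]::FromDays(30) } |
    Set-Mailbox -RetainDeletedItemsFor 30

function ConvertTo-Bytes ([string]$Size) {
    # Exchange reports sizes as "1.5 GB (1,610,612,736 bytes)"; return the raw byte count.
    # "Unlimited" (no quota) yields 0 so callers can treat it as "no limit to compare against".
    if ($Size -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return [int64]0
}

function Get-RecoverableItemsReport ([double]$WarnFraction = 0.8) {
    # Only mailboxes on hold accumulate content in Recoverable Items beyond the 30-day window.
    $held = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 }
    foreach ($mbx in $held) {
        $folder = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems |
                  Where-Object { $_.FolderPath -eq '/Recoverable Items' }
        $used  = ConvertTo-Bytes $folder.FolderAndSubfolderSize
        $quota = ConvertTo-Bytes $mbx.RecoverableItemsQuota
        [pscustomobject]@{
            Mailbox       = $mbx.PrimarySmtpAddress
            UsedGB        = [math]::Round($used / 1GB, 2)
            QuotaGB       = [math]::Round($quota / 1GB, 2)
            NearQuota     = ($quota -gt 0 -and $used -ge $quota * $WarnFraction)
            AutoExpanding = [bool]$mbx.AutoExpandingArchiveEnabled
        }
    }
}

$report = Get-RecoverableItemsReport
$report | Sort-Object UsedGB -Descending | Format-Table -AutoSize

# Held mailboxes near quota: make sure an archive exists, then let it auto-expand.
foreach ($row in $report | Where-Object { $_.NearQuota -and -not $_.AutoExpanding }) {
    $mbx = Get-Mailbox -Identity $row.Mailbox
    if ($mbx.ArchiveStatus -ne 'Active') { Enable-Mailbox -Identity $row.Mailbox -Archive | Out-Null }
    Enable-Mailbox -Identity $row.Mailbox -AutoExpandingArchive | Out-Null
    Write-Host "Enabled auto-expanding archive for $($row.Mailbox)"
}
```

Auto-expanding archiving is a one-way setting and needs an archive-capable licence (E3 and above, or the Exchange Online Archiving add-on), so run the report first and confirm the licensing position for any shared mailboxes it flags before enabling it.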
Common Mistakes to Avoid
The most common mistake is having no policy at all. "Keep everything forever" is not a policy — it is a liability. Under UK GDPR, retaining personal data longer than necessary is itself a compliance violation, regardless of whether a breach occurs. It also increases your risk exposure in litigation, where opposing parties can request disclosure of all relevant communications. The more email you retain, the more you may be required to disclose.
Retention Policy Mistakes
- No written policy — retention left to individual discretion
- "Keep everything forever" approach
- Deleting emails too aggressively without legal review
- Relying on users to manually classify and delete emails
- No litigation hold process for legal disputes
- Confusing Microsoft 365 retention with proper backup
Retention Policy Best Practices
- Written policy with documented rationale for each period
- Different retention periods for different email categories
- Legal review of retention periods annually
- Automated enforcement via Microsoft 365 retention policies
- Clear litigation hold procedure that overrides normal deletion
- Independent backup solution alongside retention policies
Another common mistake is failing to implement a litigation hold process. When legal proceedings are anticipated or commenced, you have a legal obligation to preserve all potentially relevant evidence, including email. If your automated retention policy deletes emails that are relevant to ongoing or anticipated litigation, this is spoliation of evidence and can result in adverse inferences, costs penalties, or even contempt of court findings. Your retention policy must include a clear process for imposing litigation holds that override normal deletion schedules: who can authorise a hold, how custodians and shared mailboxes are identified, who applies it technically, and who signs off its release. A hold applied through an eDiscovery case or a mailbox-level litigation hold takes precedence over every retention policy, but it only protects what is still there when it is applied, so speed matters.
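What imposing that hold looks like in practice, as an added example in Security & Compliance and Exchange Online PowerShell; this is not code from the original article or from Cloudswitched. It creates (or reuses) an eDiscovery case, places the named custodians on a case hold with no content filter, adds a mailbox-level litigation hold on the key custodian as a second layer, and verifies the result. The case name, custodian addresses, admin UPN, legal contact and intranet URL are all assumptions.

```powershell
# Added example: not code from the original article or from Cloudswitched.
# Imposes a hold on named custodians through an eDiscovery (Standard) case so that
# retention-policy deletion is suspended. Case name, custodians and legal contact are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.co.uk   # assumed admin UPN
Connect-IPPSSession   -UserPrincipalName admin@example.co.uk

$caseName   = "Dispute - Acme Supplies Ltd (2024)"                       # assumed matter reference
$custodians = @("j.smith@example.co.uk", "procurement@example.co.uk")   # assumed; second is a shared mailbox

# Reuse the case if it already exists so reruns of this script do not create duplicates.
$case = Get-ComplianceCase -Identity $caseName -ErrorAction SilentlyContinue
if (-not $case) {
    $case = New-ComplianceCase -Name $caseName -Description "Hold imposed on instruction of legal adviser"
}

# The hold policy names the locations; the rule defines scope. No query means everything in those mailboxes.
$hold = New-CaseHoldPolicy -Name "$caseName - Hold" -Case $case.Identity -ExchangeLocation $custodians `
    -Comment "Preserve all mail pending litigation; do not remove without legal sign-off"
New-CaseHoldRule -Name "$caseName - Hold Rule" -Policy $hold.Identity | Out-Null

# Belt and braces for the key custodian: a mailbox-level litigation hold with no end date.
# This also keeps the mailbox as an inactive mailbox if the account is later deleted.
Set-Mailbox -Identity $custodians[0] -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited `
    -RetentionComment "On hold: $caseName. Contact legal@example.co.uk before any change." `
    -RetentionUrl "https://intranet.example.co.uk/legal-holds"   # assumed internal page

# Verify. InPlaceHolds lists the case hold GUID; LitigationHoldEnabled is the mailbox-level flag.
$custodians | ForEach-Object { Get-Mailbox -Identity $_ } |
    Select-Object PrimarySmtpAddress, LitigationHoldEnabled, InPlaceHolds
```

Two caveats. A litigation hold on a mailbox, including a shared mailbox, requires an Exchange Online Plan 2 licence or the Exchange Online Archiving add-on. And the hold does not take effect instantly across the service, so record the time the hold was applied as part of the matter file; anything purged from Recoverable Items before that moment cannot be recovered by the hold, only by your backup.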
Employee Departure and Mailbox Handling
A frequently overlooked aspect of email retention is the handling of mailboxes when employees leave the organisation. When a user account is deleted in Microsoft 365, the associated mailbox enters a soft-deleted state for 30 days, after which it is permanently removed. If your retention policy requires that certain emails be kept for six or seven years, you must have a process to preserve the mailbox contents before the account is deleted. Options include converting the mailbox to a shared mailbox (licence-free only while it stays under 50 GB, has no archive and is not on hold), placing the mailbox on litigation hold or under a retention policy before deleting the account (it then survives as an inactive mailbox that keeps its contents and remains searchable in eDiscovery without a licence, but the hold must be applied while the mailbox is still licensed), or exporting the mailbox contents to a PST file and archiving it securely. The PST route is the weakest of the three: the file sits outside Purview's retention, eDiscovery and audit controls, so it must be encrypted, access-controlled and recorded on a register with its own disposal date.
The best practice for most UK businesses is to convert departing employees' mailboxes to shared mailboxes and apply the appropriate retention policies. Provided the mailbox is under the 50 GB shared-mailbox limit and does not need an archive or a hold, this preserves the email data at no additional licensing cost, maintains the retention and eDiscovery capabilities of the compliance portal, and allows authorised colleagues to access the mailbox contents if needed for ongoing business operations. Where the mailbox is larger, already has an archive, or must be placed on litigation hold, Microsoft requires a licence to remain assigned, and the inactive-mailbox route is usually the better fit. The shared mailbox should be reviewed periodically and deleted once all applicable retention periods have expired.
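An offboarding routine that applies the decision above, as an added example in Exchange Online PowerShell and the Microsoft Graph PowerShell SDK; this is not code from the original article or from Cloudswitched. It blocks sign-in, measures the mailbox, takes the licence-free shared-mailbox route when the mailbox qualifies and the litigation-hold route otherwise, hides the mailbox from the address list and returns a record of what was done. The leaver and delegate addresses, the admin UPN and the seven-year retention period are assumptions.

```powershell
# Added example: not code from the original article or from Cloudswitched.
# Preserves a leaver's mailbox before the account is removed, choosing the shared-mailbox route
# where it is licence-free and the hold route otherwise. UPNs and retention period are assumptions.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Connect-ExchangeOnline -UserPrincipalName admin@example.co.uk   # assumed admin UPN
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Invoke-LeaverMailboxPreservation {
    param(
        [Parameter(Mandatory)] [string]$Leaver,     # UPN of the departing employee
        [Parameter(Mandatory)] [string]$Delegate,   # colleague who needs continued access
        [int]$RetentionDays = 2555                   # 7 years: longest period in the retention schedule
    )
    $mbx    = Get-Mailbox -Identity $Leaver
    $stats  = Get-MailboxStatistics -Identity $Leaver
    # TotalItemSize reads "12.3 GB (13,207,024,435 bytes)"; pull out the byte count.
    $bytes  = [int64](([string]$stats.TotalItemSize -replace '.*\(([\d,]+) bytes\).*', '$1') -replace ',', '')
    $onHold = [bool]$mbx.LitigationHoldEnabled -or ($mbx.InPlaceHolds.Count -gt 0)

    # Block sign-in first so nothing changes while the mailbox is being handled.
    Update-MgUser -UserId $Leaver -AccountEnabled:$false

    if ($bytes -lt 50GB -and $mbx.ArchiveStatus -ne 'Active' -and -not $onHold) {
        # Licence-free route: a shared mailbox under 50 GB with no archive and no hold needs no licence.
        Set-Mailbox -Identity $Leaver -Type Shared
        Add-MailboxPermission -Identity $Leaver -User $Delegate -AccessRights FullAccess -AutoMapping $false | Out-Null
        $route = "Shared mailbox (remove the licence once conversion completes)"
    } else {
        # Hold route: keep the mailbox licensed until the account is deleted; it then survives as an
        # inactive mailbox, still searchable in eDiscovery, without a licence.
        $review = (Get-Date).AddDays($RetentionDays).ToString('yyyy-MM-dd')
        Set-Mailbox -Identity $Leaver -LitigationHoldEnabled $true -LitigationHoldDuration $RetentionDays `
            -RetentionComment "Leaver preserved under retention schedule; review for disposal on $review"
        $route = "Litigation hold (inactive mailbox after account deletion)"
    }
    Set-Mailbox -Identity $Leaver -HiddenFromAddressListsEnabled $true
    [pscustomobject]@{
        Mailbox = $Leaver
        SizeGB  = [math]::Round($bytes / 1GB, 2)
        OnHold  = $onHold
        Route   = $route
    }
}

Invoke-LeaverMailboxPreservation -Leaver "j.smith@example.co.uk" -Delegate "line.manager@example.co.uk"
```

Run it before the HR-driven account deletion, not after: once the account is gone the mailbox is already on its 30-day soft-delete clock. The returned object is worth writing to your leaver register so the review date on the hold route is not lost.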
Monitoring and Auditing Compliance
Implementing retention policies is not a set-and-forget exercise. Regular monitoring and auditing are essential to ensure that policies are being applied correctly and that no gaps have emerged. Microsoft 365 provides several tools for this purpose: Content explorer in Purview shows how content is classified across the organisation, Activity explorer tracks label application and content deletion events, Disposition review provides oversight of content that is due for deletion, and the unified audit log records who deleted what. Schedule quarterly reviews of your retention policy effectiveness, and conduct an annual audit that verifies retention periods against current legal requirements, confirms that every mailbox (including shared mailboxes and mailboxes excluded from an organisation-wide policy) is covered by the appropriate policies, and tests the ability to retrieve archived content within acceptable timeframes.
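The quarterly coverage and deletion-activity checks above, scripted as an added example in Exchange Online and Security & Compliance PowerShell; this is not code from the original article or from Cloudswitched. It reports policy distribution status, finds mailboxes with no retention coverage or an explicit exclusion from an organisation-wide policy, and summarises hard deletes from the unified audit log by actor. The admin UPN and the 90-day look-back window are assumptions.

```powershell
# Added example: not code from the original article or from Cloudswitched.
# Quarterly checks: policy distribution health, which mailboxes have no retention coverage,
# and who has been hard-deleting mail. The 90-day window is an assumption.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.co.uk   # assumed admin UPN
Connect-IPPSSession   -UserPrincipalName admin@example.co.uk

# 1. Policy health: a DistributionStatus other than Success means some locations are not yet covered.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, WhenChanged | Format-Table -AutoSize

# 2. Coverage. Organisation-wide Exchange policies are recorded on the organisation config, not on
#    each mailbox. InPlaceHolds entries starting "mbx" are retention policies; the suffix is the
#    action (1 = delete, 2 = retain, 3 = retain then delete). A leading "-" means the mailbox was
#    explicitly excluded from that organisation-wide policy.
$orgWide = @((Get-OrganizationConfig).InPlaceHolds | Where-Object { $_ -like 'mbx*' }).Count -gt 0

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$uncovered = @($mailboxes | Where-Object {
    -not $orgWide -and -not $_.LitigationHoldEnabled -and
    -not @($_.InPlaceHolds | Where-Object { $_ -like 'mbx*' })
})
$excluded = @($mailboxes | Where-Object { @($_.InPlaceHolds | Where-Object { $_ -like '-mbx*' }) })
"Org-wide policy present: $orgWide; uncovered mailboxes: $($uncovered.Count); excluded mailboxes: $($excluded.Count)"
($uncovered + $excluded) | Select-Object PrimarySmtpAddress, RecipientTypeDetails, InPlaceHolds | Format-Table -AutoSize

# 3. Deletion activity: hard deletes in the last 90 days grouped by actor. Admin accounts or
#    service principals at the top of this list deserve checking against change records.
$end   = Get-Date
$start = $end.AddDays(-90)
$deletes = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeItem `
    -Operations HardDelete -ResultSize 5000
$deletes | Group-Object UserIds | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

An excluded mailbox is not necessarily a problem (it may be a service mailbox deliberately kept out of scope), but every exclusion should trace back to a documented decision. Search-UnifiedAuditLog returns at most 5,000 records per call, so for larger tenants page through the results or narrow the window.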
Practical Steps to Get Started
If your business does not currently have an email retention policy, here is a practical approach to implementing one. First, conduct an audit of your current email environment. How much email data do you have? How far back does it go? Are there any existing retention or deletion rules in place? What regulatory requirements apply to your business?
Second, develop your policy framework. Identify the categories of email your business handles, determine the appropriate retention period for each based on the legal and regulatory guidance outlined above, and document the rationale. Have the policy reviewed by your legal adviser to ensure it meets your specific obligations.
Training and Embedding the Policy
The most technically sophisticated retention policy will fail if employees do not understand or follow it. Staff training should cover not only the mechanics of the policy — what is retained, for how long, and what is deleted — but also the underlying rationale. When employees understand that email retention is driven by legal obligations and genuine business risk, they are far more likely to cooperate with the policy and report issues when they arise. Training should be delivered during induction for new starters and refreshed annually as part of your wider information security awareness programme.
Consider appointing data stewards within each department — individuals who serve as the first point of contact for retention queries and who help ensure that the policy is applied consistently within their team. Data stewards do not need to be technical experts; they simply need to understand the classification scheme and know when to escalate unusual situations. This distributed approach to policy enforcement is far more effective than relying solely on centralised IT controls, particularly in organisations where the nature of email content varies significantly between departments.
Cost Implications and Budget Planning
Implementing a proper email retention policy has cost implications that should be factored into your IT budget. Retention policies and manually applied retention labels are included in Business Premium, E3 and E5 licences; auto-applying labels by content, disposition review and adaptive policy scopes require E5 or the Microsoft 365 E5 Compliance add-on, so the automation described above may mean an upgrade for some users. Businesses on Business Basic or Business Standard will need to move to Business Premium or above for Purview retention. Archive mailboxes of 50 GB are included with the Business plans; auto-expanding archiving (up to 1.5 TB) for older emails still within their retention period is included in E3 and above but requires the Exchange Online Archiving add-on for lower plans. Third-party backup solutions typically cost between £2 and £5 per user per month, representing a modest investment against the potential cost of non-compliance or data loss.
When budgeting, also consider the cost of legal review (most solicitors charge between £200 and £500 for an initial retention policy review), staff training time, and the ongoing administrative overhead of monitoring and auditing the policy. For a typical 50-person UK business, the total annual cost of maintaining a compliant email retention framework — including software, backup, legal review, and staff time — is likely to fall between £5,000 and £15,000. This represents a small fraction of the potential fines, legal costs, and operational disruption that can result from inadequate email retention practices.
Third, implement the technical controls. Configure Microsoft 365 retention policies to enforce your policy automatically. Set up retention labels for categories that require different treatment. Deploy a backup solution to protect against data loss. Test the system to ensure retention and deletion work as expected.
Fourth, communicate the policy to all staff. Explain why the policy exists, what it means for their day-to-day email usage, and what they need to do (which, if you have implemented automated controls properly, should be very little). Include the policy in your staff handbook and cover it in security awareness training.
Finally, review the policy annually. Legal requirements change, your business evolves, and new regulations may introduce additional obligations. An annual review ensures your policy remains fit for purpose and demonstrates ongoing compliance to regulators.
Need Help with Email Retention?
Cloudswitched helps UK businesses implement compliant email retention policies using Microsoft 365 Purview, backed by enterprise-grade email backup. We handle the technical configuration so you can focus on your business.