Corporate Retention Policy Template for England and Wales

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Corporate Retention Policy?

The Corporate Retention Policy serves as a crucial governance document that helps organizations manage their information assets effectively while ensuring compliance with UK legal requirements. It establishes clear guidelines for how long different types of records should be kept, methods for secure disposal, and procedures for legal holds. This policy is essential for maintaining compliance with data protection laws, tax regulations, and industry-specific requirements while managing organizational risk and operational efficiency. The policy must align with English and Welsh law, including UK GDPR, Companies Act 2006, and various regulatory frameworks.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Corporate Retention Policy

A Corporate Retention Policy is a critical governance document that establishes how your organization manages, retains, and disposes of records and information assets. Under England and Wales law, this policy ensures your business complies with multiple regulatory requirements while protecting against legal risks and maintaining operational efficiency. The policy creates a structured framework for handling everything from employee records to financial documents, ensuring you meet statutory obligations while avoiding unnecessary storage costs and data protection breaches.

When do you need this document?

You need a Corporate Retention Policy when establishing formal information governance procedures, particularly if your organization processes personal data, maintains employee records, or operates under specific regulatory requirements. This becomes essential during business audits, regulatory inspections, or when facing legal proceedings where document retention practices may be scrutinized. Organizations typically implement this policy when scaling operations, following data protection incidents, or when updating governance frameworks to meet evolving compliance requirements. The policy is also crucial during mergers and acquisitions, where clear retention practices help manage due diligence processes and regulatory approvals.

Key legal considerations

Your retention policy must balance competing legal requirements, including data minimization principles under UK GDPR against statutory retention obligations for specific record types. Key considerations include establishing lawful bases for processing and retaining personal data, implementing appropriate technical and organizational measures for secure storage, and ensuring timely disposal when retention periods expire. The policy must address legal hold procedures that suspend normal disposal schedules during litigation or regulatory investigations. You should also consider cross-border data transfer implications if your organization operates internationally, ensuring retention practices comply with both UK and overseas requirements. Regular policy reviews are essential to adapt to changing regulations and business needs.

Legal requirements in England and Wales

Under England and Wales law, your retention policy must comply with UK GDPR and Data Protection Act 2018, which require personal data to be kept no longer than necessary for specified purposes. The Companies Act 2006 mandates specific retention periods for corporate records, including three years for accounting records and ten years for statutory registers. Employment records must be retained according to Employment Rights Act 1996 requirements, typically including contract terms, payroll records, and working time documentation for specified periods. Tax-related documents must be kept for at least six years under Taxes Management Act 1970 provisions. Industry-specific regulations may impose additional requirements, such as Financial Conduct Authority rules for financial services firms or Care Quality Commission standards for healthcare providers, requiring tailored retention schedules that exceed general statutory minimums.

GOVERNING LAW

Applicable law

This Corporate Retention Policy is drafted to comply with England and Wales law. Key legislation includes:

UK GDPR and Data Protection Act 2018: Core data protection legislation that governs how personal data must be processed, stored, and retained. Sets principles for data minimization and storage limitation.

Privacy and Electronic Communications Regulations (PECR): Specific rules for electronic communications, marketing, and cookies that impact data retention requirements for digital communications.

Employment Rights Act 1996: Defines requirements for keeping employment records, including contracts, pay records, and working hours documentation.

Companies Act 2006: Specifies statutory requirements for maintaining corporate records, including financial statements, board minutes, and shareholder information.

Taxes Management Act 1970: Mandates retention periods for tax-related documents and financial records required by HMRC.

Limitation Act 1980: Sets time limits for legal claims, influencing how long organizations should retain documents for potential litigation purposes.

Companies (Records) Regulations 2008: Specific requirements for company record-keeping, including format and duration of storage for corporate documents.

Financial Services and Markets Act 2000: Regulatory framework for financial services firms, including specific record-keeping requirements for regulated entities.

Health and Safety at Work Act 1974: Requirements for maintaining health and safety records, risk assessments, and incident reports.

Environmental Protection Act 1990: Mandates retention of environmental compliance records and waste management documentation.

Electronic Communications Act 2000: Legal framework for electronic communications and digital records, including requirements for electronic signature retention.

Value Added Tax Act 1994: Specifies retention periods for VAT records and related financial documentation.

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it