How to Store Business Documents: Guidance & Regulations

Key takeaways

• Keep accounting records six years after year end. Private companies: three is the legal minimum, six satisfies HMRC.
• Apply UK GDPR storage limitation: keep only as long as needed, then delete securely.
• Digitise to BS 10008: validated scans, metadata, audit trails.
• Use ISO 27001 controls: MFA, encrypt at rest/in transit, 3-2-1 backups.
• Store physical archives: label and index; keep in a clean, dry, fire-rated space or a secure unit at HOLD Self Storage.

Why document storage matters

Handled well, document storage protects you from penalties, lost time, and messy disputes. Auditors and regulators expect clear accounting records, tax documents, and other relevant documents that support the company tax return.

If you cannot produce what is asked for, checks can run longer and cost more. HMRC’s baseline is six years for most records from the end of the financial year, with longer in defined situations.

HOLD tailored document storage keeps physical files controlled while digital systems do the heavy lifting. Use secure document storage for important business documents so a limited company can stay organised, save time, and cut data loss risk while meeting data protection duties for confidential information.

What you must legally keep and for how long

Start with the essentials and make the scope unambiguous:

• Accounts and invoices
• VAT records and delivery notes
• Payroll, sales books, petty cash books
• Bank statements and money received summaries
• Contracts, shareholder votes, resolutions promises
• Stock figure, owed stock, assets owned

Ensure your asset register clearly shows what the company owns and the acquisition dates for each item. Make sure your retention schedule explicitly includes records for financial and accounting records and other important documents that HMRC may request without notice.

Retain the evidence that underpins tax returns and the company tax return. The usual baseline is six years from the end of the last financial year, with extensions for late filings, compliance checks, long-term assets, or transactions that span more than one of the company's accounting periods.

Companies Act rules set minimums for accounting records. Private companies must keep accounting records for three years. Public companies must keep them for six. Many businesses use six years to satisfy HMRC and reduce risk.

If you handle trade documents for imports or exports, keep them for at least four years and confirm the procedure that applies to your movement.

Personal data needs a different lens. The storage limitation principle under UK GDPR says you keep personal data only as long as necessary, then erase or anonymise. Build this into your retention schedule and link each entry to purpose and lawful basis.

Digital storage done right

Put governance first. ISO 27001 gives you a framework for policies, risk treatment, access control, and ongoing improvement. Select Annex A controls according to risk and record how you monitor and audit them.

Then make the workflow clear and testable:

1. Scan to searchable PDF or PDF/A with metadata.
2. Enforce least-privilege access and MFA.
3. Encrypt data at rest and in transit.
4. Run 3-2-1 backups and quarterly restores.
5. Record document storage processes end to end.
6. Delete files on schedule and verify destruction.

Use cloud storage with encryption for confidential information so teams stay organised, save time during audits, and reduce data loss exposure under data protection rules. Create a user friendly runbook that includes records of each step so the process is followed consistently for important documents.

Where evidence might be needed, align capture and management with BS 10008 so digital copies carry weight in legal or regulatory contexts.

Physical storage done right

Set the ground rules, then make access effortless. Separate active files from archive, index everything clearly, and label boxes so anyone can find what they need fast.

• Triage and indexing: split active vs archive, use a simple filing schema, label each box with a unique code, date range, and owner, and keep a searchable index.
• Environment: keep archives dry, clean, and out of direct sunlight. Use sturdy sealed boxes and add desiccant where damp is a risk.
• Fire protection: use tested fire rated safes or cabinets and match the rating to the protection time you need for paper, typically 60 to 120 minutes.
• Security and custody: use lockable rooms, controlled keys, and CCTV where appropriate. Maintain chain of custody with sign in and sign out logs and regular audits.

If you want the results without the overhead, use HOLD’s archive storage to free office space, keep costs predictable, and give authorised staff easy access when they need it.

When comparing storage solutions, confirm pricing is transparent and free of hidden fees. Furthermore, set rules for who can access boxes that contain confidential information so that the limited company remains compliant.

When to keep originals vs digitise

Keep originals where law or enforceability requires wet signatures, deeds, titles, mortgages secured, guarantees, or paper-specific artefacts. Some contracts and company secretaries' records remain easier to enforce with the original.

When you digitise, validate capture and preserve metadata so the copy keeps evidential integrity. Align with BS 10008 and maintain a short buffer before shredding unless a rule requires the original.

Build a simple retention schedule

Create a table that maps each document type to purpose, lawful basis, retention, and disposal action. Set a six-year baseline for accounting records from the end of the financial year.

Note exceptions for late HMRC filings, open checks, assets expected to last more than six years, or transactions across multiple accounting periods. Pause deletion during disputes or investigations.

Make triggers explicit. Define the specific date that starts the clock for contracts, company loans, company debts, and assets owned. If the company owes or plans to repay loans, keep supporting evidence until obligations end, then apply the schedule.

Tie each entry to the company financial year and the review points that follow the company tax return. If the last company merger changed systems or reporting, update the schedule so it reflects how the company makes disclosures and where each record lives.

Practical examples: What to keep in scope

Keep the scope broad so nothing slips. Aim for clear, readable records that anyone on your team can follow.

• Money received summaries, bank statements, till rolls, invoices, credit notes, delivery notes, sales books, petty cash records, and contracts
• Shareholder votes, resolutions, and board minutes
• Year-end stock figure and any stock owed for retail operations
• Workings for the company tax return and other financial records
• Asset register showing the assets the company owns and the acquisition dates
• Company loans, debts, repayment agreements, and any mortgages secured on company property

This set keeps the right documents ready for HMRC and avoids delays caused by missing files. Tag mission-critical items as “important documents” so teams can find them fast.

Resources

• BS 10008 guidance on evidential weight and legal admissibility from the AI Standards Hub
• Fire safe ratings and paper protection times explained by Safe.co.uk.
• Backup strategy best practice, including 3-2-1 and restore testing, from the NCSC Small Business Guide:
• Secure destruction standards and procedures aligned to BS EN 15713, with implementation guidance from the British Security Industry Association.

Safeguard your documents with HOLD

Choose storage solutions that match your archive volume and your growth curve. HOLD provides climate-secure storage with scalable units sized for archive boxes, pallet racking, or rolling shelves. You get 24/7 access (upon request) and can purchase locks and packaging from our online Box shop.

Use tamper-evident seals, maintain an inventory per storage unit, and grant access to named staff only. HOLD does not offer climate control, so pack carefully and use protective materials where needed.

Book now and reserve your unit in minutes.

Note: HOLD does not offer climate control, so pack carefully and use protective materials where needed.

Frequently Asked Questions

What security measures does HOLD have for storage units?

HOLD has advanced security measures that protect for our customers' business assets. These include:

• 24-hour CCTV
• Burglar alarms
• Regular checks
• Personal pin codes
• Individually alarmed units
• Fire detection systems

These features not only provide peace of mind, but also protect your business assets from potential threats.

Can I store business documents with HOLD or use the unit for business tasks?

Yes, storing business documents and using the storage unit for tasks related to your business, such as packing orders or organising inventory, is permitted. However, direct business operations, such as sales or services involving customer visits, are not allowed within the unit.

How long should I keep VAT invoices?

Usually six years from issue, aligned to the records HMRC expects for company tax compliance.

Do I need to keep paper if I scan everything?

You can digitise many records. Preserve evidential integrity under BS 10008 and keep originals where law or enforceability requires. See AI Standards Hub guidance on BS 10008.

Is three years enough for a private company’s accounts?

Companies Act allows three years for private companies, yet HMRC often expects six from the end of the financial year. Many businesses keep six. See Companies Act section 388.

What standard should guide my security controls?

ISO 27001 for an ISMS with risk-based controls and continual improvement.

What fire rating should I look for on a safe?

Choose a rating that protects paper for the needed time, often 60 to 120 minutes, validated by recognised tests.

What are the legal requirements for storing business documents?

Keep clear, accurate records that someone else can understand. Store both company and tax records so they are readable and retrievable.

Protect personal data under UK GDPR, keep only what you need, and dispose of it securely. Control access, back up digital files, and keep paper in a dry, secure place. If your sector has extra rules, follow those too.

How long do you legally have to keep business documents in the UK?

• Company and tax records: plan for six years from the end of the financial year.
• VAT records: six years.
• Private companies by statute: at least three years for accounting records, but six covers HMRC.
• Self employed: five years after the 31 January filing deadline.