The storage renewal arrives and the figure is roughly double what it was three years ago. You know the business has grown, but you also know a large portion of what is sitting on those servers is either duplicate, outdated, or a client file that nobody has opened since the engagement closed. You would like to start deleting. But you have heard about firms that removed the wrong thing and ended up scrambling during an audit, and you are not entirely sure where the legal lines sit.
That uncertainty is understandable. The answer, though, is not to keep everything. Indefinite retention carries its own risks: higher storage costs, cluttered search results, and the legal reality that under UK GDPR, keeping personal data longer than necessary is itself a compliance failure.
What does deleting old business files actually involve?
In many owner-managed firms, deletion is either a spring clean that happens when someone complains about storage costs, or a process that never happens at all. Neither approach is what the ICO expects. Under UK GDPR’s storage limitation principle, personal data must not be kept longer than necessary for the purpose it was collected. That covers live files, archived copies, cloud-synced versions, backup copies, and physical documents.
The ICO’s guidance for small organisations treats deletion as a lifecycle process, not a one-off event. Routine deletion cycles, with clear retention periods defined in advance, are what the regulator expects to see, not reactive clean-ups triggered by a full hard drive. For sensitive personal data, the ICO specifies that deletion should be secure: software that overwrites data multiple times, or a specialist IT service, rather than simply sending files to the recycle bin and emptying it. One practical caveat: multi-pass overwriting is a spinning-disk technique. On SSDs and in cloud storage you cannot target the physical blocks a file occupied, so the working equivalents are disk or volume encryption with the key destroyed at end of life, the drive’s own secure-erase command, or the cloud provider’s documented deletion process.
The British Airways data breach in 2018 is the enforcement case that many SMEs should study. The ICO’s £20 million fine in 2020 highlighted, among other failings, poor data minimisation practices that expanded the impact of a cyber-attack on around 400,000 customers. Over-retention did not cause the breach, but it amplified it considerably.
Why do owner-managed firms keep more data than they should?
A 2022 Iron Mountain survey found that only 37 per cent of UK SMEs had a documented records retention schedule, and over half admitted keeping records because they were not sure what they could discard. The result is storage full of expired engagement files, superseded documents, and years of email threads that nobody reviews. That accumulation carries real costs: in storage bills, cyber-risk exposure, and search results cluttered with outdated material.
The absence of a retention schedule creates a default position: when in doubt, keep it. That instinct is understandable, but the consequences compound over time. Search becomes less reliable as results surface files from projects that finished three years ago. Legal disclosure requests become more expensive to respond to because relevant material is buried in irrelevant noise. Cyber-risk advisers and insurers increasingly treat unmanaged legacy data as a factor in assessing exposure.
The practical fix is a simple retention schedule: a list of record types, their minimum retention periods, and the trigger for deletion. It does not need to be a lengthy legal document. It needs to be a management decision, written down and followed consistently.
Where does the deletion challenge actually live in your business?
The deletion challenge spreads across more systems than many founders expect. Email, Teams conversations, SharePoint document libraries, personal OneDrive folders, Google Drive, on-premise file servers, backup copies, and physical documents can all hold personal data subject to the storage limitation rule. Each system needs its own deletion approach. Deleting from one location without covering the others creates gaps in compliance and often leaves dead links in search results.
For firms on Microsoft 365, the right tool is retention labels and policies in Microsoft Purview, not manual folder deletion. Purview lets you set per-record-type rules, such as deleting general correspondence seven years after last modification. Be clear about which action you are configuring: a policy that retains for seven years and then deletes also stops users purging those items during the seven-year window, which is the right outcome for records but a surprise if it lands on scratch libraries. Microsoft’s own documentation recommends piloting policies on a small group before broad rollout. For Google Workspace, Google Vault serves the same function: retention rules for Gmail, Drive, and Chat, with a search phase before any automatic purge activates.
On-premise file servers benefit from a scripted approach. Generate a list of candidate files, including paths, owners, size, and last-modified date, then send it to business owners for review. Delete only what has been approved. A dry run that lists without deleting is the safest starting point.
Physical files need their own thread. The ICO recommends certificated destruction for personal data held in paper form. UK providers such as Shred-it and Restore Datashred offer services specifically designed for small and regulated firms.
Backups are the area many firms overlook. Deleting a file from a live system does not remove it from backup copies. Configure backup retention periods so that deleted data eventually cycles out, and review those settings deliberately rather than leaving the system defaults in place. Write the backup window into the retention schedule too: if backups are kept for ninety days, the real end-of-life date for a record is ninety days after the live deletion, and that is the date the schedule should state.
When should you delete, and when should you hold off?
The answer turns on what type of record it is. HMRC expects business financial records to be kept for at least six years from the end of the relevant accounting period. Key employment records should typically be retained for six years after employment ends. FCA-regulated firms face retention requirements of three to seven years depending on record type. A retention schedule and a legal-hold check should precede any deletion run.
A legal hold is when an ongoing dispute, investigation, or regulatory audit requires that you preserve records that would otherwise be due for deletion. Before any deletion cycle, check whether the affected records touch an active matter. That check need not be complex, but it must be deliberate. It also needs a technical backstop: in Microsoft 365, an eDiscovery hold takes precedence over a retention policy’s delete action, so placing the hold in Purview is what actually stops the automated cycle from removing the records, not a note in a spreadsheet. On a file server, the equivalent is a list of held paths that the deletion script refuses to touch.
The recommended process for a five to fifty person firm is a four-step cycle: search and report without deleting, business-owner review over one to two weeks, archive anything borderline, then execute deletion using your configured tools and log what was removed. That log matters. The ICO expects accountability in data lifecycle decisions, and a brief deletion log noting what was removed, when, and under which policy provides the evidence if questions arise later.
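The scripted file-server approach described earlier (list candidates with path, owner, size and last-modified date; dry run first; delete only what is approved) and the four-step cycle above are the same procedure, so here is one worked example covering both. It is an added example written for this page, not code from the article or from any named tool. It assumes a share laid out as one top-level folder per record type (a hypothetical convention), a two-line retention schedule with placeholder periods, an `approved` dictionary standing in for the business-owner review sheet, and a placeholder policy reference `RS-2025-01`. The sample files and their back-dated timestamps are constructed inside the script so it runs offline in a temporary directory.

```python
"""Added example, not from the original article: dry-run candidate report,
legal-hold check, archive-or-delete execution, and a deletion log for an
on-premise file share. Assumes <root>/<record_type>/... layout (hypothetical)."""
import csv
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

DAY = 86400
# Hypothetical schedule: folder (record type) -> retention period in days
# after last modification. Real periods come from your own written schedule.
SCHEDULE = {"correspondence": 7 * 365, "engagement": 6 * 365}


def owner_of(path: Path) -> str:
    try:
        return path.owner()  # POSIX; Windows needs Python 3.13+
    except (NotImplementedError, KeyError, OSError):
        return "unknown"


def scan_candidates(root, schedule, holds, now=None):
    """Step 1: search and report. Lists files past their retention period and
    flags any under a legal hold. Deletes nothing."""
    now = time.time() if now is None else now
    hold_roots = [Path(h).resolve() for h in holds]
    rows = []
    for record_type, days in schedule.items():
        for path in (Path(root) / record_type).rglob("*"):
            if not path.is_file():
                continue
            st = path.stat()
            age_days = int((now - st.st_mtime) // DAY)
            if age_days < days:
                continue
            rows.append({
                "path": str(path), "record_type": record_type,
                "owner": owner_of(path), "size": st.st_size, "age_days": age_days,
                "on_hold": any(path.resolve().is_relative_to(h) for h in hold_roots),
            })
    return rows


def write_report(rows, csv_path):
    """The review sheet sent to business owners (step 2 happens off-line)."""
    with open(csv_path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=list(rows[0]) if rows else ["path"])
        w.writeheader()
        w.writerows(rows)


def execute(rows, approved, root, archive_root, log_path, policy, dry_run=True):
    """Steps 3 and 4: archive borderline items, delete approved ones, log both.
    Held or unapproved files are left alone whatever the sheet says."""
    actions = []
    for r in rows:
        decision = approved.get(r["path"], "keep")
        if r["on_hold"] or decision not in ("archive", "delete"):
            continue
        src = Path(r["path"])
        if not dry_run and decision == "archive":
            dest = Path(archive_root) / src.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dest))
        elif not dry_run:
            src.unlink()
        actions.append({"path": r["path"], "record_type": r["record_type"],
                        "size": r["size"], "action": decision, "policy": policy,
                        "dry_run": dry_run,
                        "at": datetime.now(timezone.utc).isoformat(timespec="seconds")})
    with open(log_path, "a") as f:  # append-only JSON lines: the evidence trail
        for e in actions:
            f.write(json.dumps(e) + "\n")
    return actions


def build_sample_share(root, now):
    """Constructed sample data: four files with back-dated modification times."""
    files = {"correspondence/2016/letter.txt": 8 * 365,   # past the 7-year period
             "correspondence/2024/memo.txt": 365,         # still within period
             "engagement/clientA/contract.txt": 7 * 365,  # past period, on hold
             "engagement/clientB/notes.txt": 7 * 365}     # past period, borderline
    for rel, age in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        os.utime(p, (now - age * DAY, now - age * DAY))


def run_cycle(dry_run=False):
    """Runs the whole cycle in a temporary directory and returns a summary."""
    now, base = time.time(), Path(tempfile.mkdtemp())
    root, archive, log = base / "share", base / "archive", base / "deletion.log"
    build_sample_share(root, now)
    rows = scan_candidates(root, SCHEDULE, [root / "engagement" / "clientA"], now)
    write_report(rows, base / "candidates.csv")
    approved = {  # stands in for the returned review sheet
        str(root / "correspondence/2016/letter.txt"): "delete",
        str(root / "engagement/clientB/notes.txt"): "archive",
        str(root / "engagement/clientA/contract.txt"): "delete",  # refused: held
    }
    actions = execute(rows, approved, root, archive, log, "RS-2025-01", dry_run)
    rel = lambda p, base_dir: Path(p).relative_to(base_dir).as_posix()
    return {
        "candidates": sorted(rel(r["path"], root) for r in rows),
        "held": sorted(rel(r["path"], root) for r in rows if r["on_hold"]),
        "actions": {rel(a["path"], root): a["action"] for a in actions},
        "remaining": sorted(rel(p, root) for p in root.rglob("*") if p.is_file()),
        "archived": sorted(rel(p, archive) for p in archive.rglob("*") if p.is_file())
        if archive.exists() else [],
        "log_entries": len(log.read_text().splitlines()) if log.exists() else 0,
    }


if __name__ == "__main__":
    print(json.dumps(run_cycle(dry_run=False), indent=2))
```

Run it once with `dry_run=True` and read `candidates.csv` and the log before anything is removed; the log records the policy reference and whether the entry was a dry run, so the same file later answers “what was deleted, when, and under which rule”. The held file is listed in the report so reviewers can see it, but `execute` will not act on it even though the sheet marks it for deletion.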
One practical caveat: do not delete local copies of files until you have confirmed that your backups are tested and geographically resilient. The OVHcloud data centre fire in March 2021 permanently destroyed data for thousands of European businesses whose backups sat in the same building as their live systems. Deletion is one step in a sequence, and backup integrity is the prerequisite for that step.
What sits alongside deletion in a healthy approach to file hygiene?
Deletion is one of three options on a retention schedule. The others are anonymisation, where identifying information is stripped from data you want to keep for analytical use, and controlled archiving to a separate location with restricted access. Anonymisation done correctly is irreversible and removes ongoing personal-data obligations; merely replacing names with reference numbers is pseudonymisation, and pseudonymised data is still personal data under UK GDPR. Archiving moves rarely-needed material out of daily search, but it does not end the storage-limitation obligation: archived personal data is still being retained, so the archive needs its own retention period and its own deletion cycle.
The distinction between archiving and the “OLD” folder matters considerably. Moving files to an OLD folder that remains fully indexed on your file server or SharePoint does not reduce risk or clear search clutter. True archiving means a separate location, restricted access, and explicit search exclusion. Records stored there should still be retrievable under a legal hold, but they should not appear in everyday results.
A data inventory is the foundation for any of this to work. Before you can set meaningful retention periods, you need to know what you hold, where it lives, and who is responsible for each area. For a firm with five to fifty staff, that inventory typically takes a day or two across the relevant system owners. A simple spreadsheet, by system and record type, is enough to start.
The ICO recommends annual reviews of retention practices, not because the schedule changes often, but because new systems appear, new data types emerge, and regulatory requirements shift. The retention schedule you write this month should have a review date written into it.
If you want to start this week: identify your three largest stores of old data, build a one-page retention schedule covering those stores, and configure one deletion or archiving rule in your primary platform using the built-in tools. A proportionate, documented approach beats an ambitious project that never launches.