Written by: HubSecure Editorial Team (practical guides for secure client portals, RBAC, onboarding and regulated client operations)

Reviewed by: HubSecure Security & Compliance Review (reviewed for security positioning, workflow accuracy and implementation clarity)

Last updated: May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

When a client matter concludes, the compliance work is not over. Closing a file correctly requires you to: determine what must be retained and for how long, identify what must be deleted and when, archive the right materials in the right format, and document the closure in a way that will satisfy a regulator or data subject request years later.

This is not administrative housekeeping. The ICO and European DPAs have taken action against firms that retained personal data beyond its purpose — and equally against firms that destroyed records needed for an ongoing regulatory investigation. Getting the balance right requires a documented procedure.


The GDPR Storage Limitation Principle

Article 5(1)(e) GDPR requires that personal data is "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." This is the storage limitation principle, and it applies to client files in its full force.

There is no single GDPR retention period. The correct period depends on the purpose and legal basis for each processing activity and on any sector-specific retention obligation (AML, tax, professional regulation) that sets a longer minimum. The key is to document a retention period for each data category, record the trigger event it runs from, and be able to justify both if challenged.

The tension you must manage

GDPR says: delete as soon as no longer necessary. AML law says: retain KYC records for 5 years after the end of the business relationship. Tax law may say 7 years. Limitation periods may require files to survive 6–12 years for professional negligence claims. The answer is not to choose one — it is to retain only what each legal basis requires, for only as long as each basis permits, with separate records for each category.

Retention Schedule by Data Category

| Data category | Minimum retention | Legal basis | Trigger |
|---|---|---|---|
| AML/KYC records (ID documents, UBO data) | 5 years | AMLD Article 40 / national AML law | From end of business relationship |
| AML transaction monitoring records | 5 years | AMLD Article 40 | From date of transaction |
| Legal matter files (solicitor) | 6 years (England/Wales) | Limitation Act 1980 + SRA guidance | From conclusion of matter |
| Conveyancing / property files | 12 years | Limitation Act (deeds = 12 yr) | From completion of transaction |
| Financial advice records (MiFID II) | 5 years (7 years if pension-related) | MiFID II Article 16(7) | From date of service |
| Insurance policy records | 3–7 years depending on jurisdiction | National insurance law | From policy expiry |
| Healthcare patient records (EU) | 10 years (adult); longer for minors | National health law / GDPR Art. 9 | From last treatment |
| Accounting / financial records | 7 years | National tax law | From financial year end |
| Contracts with clients | 6 years | Limitation Act / contract law | From contract expiry |
| Email correspondence (regulated) | Follow primary matter retention | Linked to matter category above | From matter close |
| Marketing consent records | Duration of consent + 3 years proof | GDPR Art. 7(1) / ePrivacy | From consent withdrawal or expiry |
| Whistleblowing reports | 5 years | Whistleblowing Directive (2019/1937) | From date of report closure |

The 8-Step File Closing Procedure

1. Confirm matter is concluded

The closing event, whether completion of a transaction, final advice delivered, case concluded or relationship ended, must be recorded with a date. This date is the trigger for all subsequent retention calculations. Without a recorded close date, you cannot run a correct retention schedule.

2. Categorise all file contents by retention period

Separate the file into categories according to your retention schedule. A single client file may contain AML records (5 yr), legal correspondence (6 yr), signed contracts (6 yr) and marketing consent records (3 yr). Each category has its own deletion date; they do not all follow the longest period.

3. Return originals to the client

Original documents belonging to the client, such as deeds, certificates and original signed agreements, should be returned (or offered for return) on file closure. Confirm receipt. Your copies may then be retained for the applicable period.

4. Archive retained materials securely

Move retained materials to a secure archive with access restricted to authorised personnel only. For digital files, ensure the archive is encrypted, access-logged and write-once (or otherwise integrity-protected, for example by recording a hash of each document at archive time so later tampering is detectable). For physical files, use locked, fire-resistant storage with an access log.

5. Set automatic deletion reminders

Log the deletion date for each file category in your system. Deletion must be scheduled; it will not happen otherwise. Most firms find that automated reminders 90 days before deletion is due allow time for a final legal hold check before destruction.

6. Check for legal hold before deletion

Before any scheduled deletion, check whether a legal hold applies: litigation pending, a regulatory investigation, a subject access request covering the file, or a pending insurance claim. If a hold applies, pause deletion and document why. A legal hold does not extend the retention period indefinitely; it suspends deletion until the hold is lifted, after which the original schedule resumes and deletion proceeds at the later of the scheduled date and the lift date.

7. Securely delete and document

Deletion of digital records must be genuine erasure (overwriting, cryptographic erasure, or verified deletion by the storage provider), not just moving to trash. Genuine erasure also has to reach backups and replicas: either purge them too, or record the date on which the last backup copy expires and treat that as the real deletion date. Cryptographic erasure only works per category if each category is encrypted under its own key, so that destroying the key for expired AML records does not also destroy the key for contracts that must survive another year. For physical records, use cross-cut shredding or certified destruction. In both cases, create a destruction certificate: what was destroyed (identified by reference or hash, not by retaining a copy), when, by whom, and by what method.

8. Close the matter record, not the audit trail

The matter record in your CRM should be marked closed, with the retention schedule and deletion certificates attached. The audit trail of the matter having existed (dates, parties, services provided) can be retained in a minimal form, with no personal data beyond what is required, for as long as needed for business continuity, limitation period management and professional indemnity purposes. This is distinct from retaining the substantive file.

GDPR Data Subject Rights and Closed Files

Closing a file does not extinguish a data subject's rights. A client can submit a Subject Access Request (SAR) for a matter that concluded 3 years ago. You must be able to locate the retained records, redact third-party personal data, and respond without undue delay and in any event within one month of receipt (Article 12(3)), extendable by a further two months for complex or numerous requests provided you tell the requester within the first month.

They can also request erasure. Erasure requests from a client whose file is in the retention period can generally be refused if you have a legal obligation to retain the data (Article 17(3)(b)) — but you must tell them this, and tell them when deletion will occur.

Maintain a matter index even after file contents are deleted. The index should record: matter reference, client name, type of matter, close date, and retention end date. This allows you to respond to SARs and confirm deletion without re-opening the file itself.
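The following is an added worked example, not HubSecure's code and not any regulator's guidance, showing the eight-step procedure and the post-deletion matter index as a small retention scheduler: each document carries its own category and trigger date, deletion dates are computed per category rather than from the longest period, a 90-day reminder date is derived, the pre-deletion check refuses to delete while a legal hold is in force and resumes once it is lifted, destruction returns a certificate that identifies the document by hash rather than by keeping its content, and the matter index keeps only the minimal fields needed to answer a SAR afterwards. The retention years, document categories, matter data and hold are constructed assumptions for the demonstration; clearing a byte string stands in for real cryptographic erasure.

```python
"""Per-category retention scheduling for a closed client matter (illustrative example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Assumed schedule for the demo, in years from each category's own trigger date.
# Real values come from your own legal review, not from this example.
RETENTION_YEARS = {
    "aml_kyc": 5,
    "legal_correspondence": 6,
    "contract": 6,
    "marketing_consent": 3,
}
REMINDER_LEAD = timedelta(days=90)     # window for the final legal-hold check


@dataclass
class Document:
    doc_id: str
    category: str
    trigger: date                      # close date, end of relationship, consent withdrawal
    content: bytes | None              # constructed sample bytes; None once destroyed


@dataclass
class LegalHold:
    reason: str
    placed_on: date
    lifted_on: date | None = None      # None = still in force


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 Feb trigger rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def scheduled_deletion(doc: Document) -> date:
    """Step 2/5: each category's own deletion date, not the longest period on the file."""
    return add_years(doc.trigger, RETENTION_YEARS[doc.category])


def reminder_date(doc: Document) -> date:
    return scheduled_deletion(doc) - REMINDER_LEAD


def hold_in_force(h: LegalHold, today: date) -> bool:
    return h.placed_on <= today and (h.lifted_on is None or h.lifted_on > today)


def can_delete(doc: Document, holds: list[LegalHold], today: date) -> bool:
    """Step 6: due date reached AND no hold in force today. A lifted hold does not
    extend retention; deletion simply becomes possible again once it is gone."""
    if doc.content is None:
        return False                   # already destroyed
    due_reached = today >= scheduled_deletion(doc)
    return due_reached and not any(hold_in_force(h, today) for h in holds)


def destroy(doc: Document, today: date, operator: str, method: str) -> dict:
    """Step 7: certificate records what was destroyed (by digest), when, by whom, how."""
    digest = hashlib.sha256(doc.content).hexdigest()
    doc.content = None                 # stand-in for cryptographic erasure / verified deletion
    return {"doc_id": doc.doc_id, "category": doc.category, "sha256": digest,
            "destroyed_on": today.isoformat(), "by": operator, "method": method}


def matter_index_entry(ref: str, client: str, kind: str, close: date,
                       docs: list[Document]) -> dict:
    """Step 8 / SAR index: the minimal record that outlives the file contents."""
    return {"matter_ref": ref, "client": client, "type": kind,
            "close_date": close.isoformat(),
            "retention_end": max(scheduled_deletion(d) for d in docs).isoformat()}


# Constructed sample matter: closed 31 March 2025, consent withdrawn earlier,
# one regulatory enquiry hold placed Dec 2026 and lifted June 2027.
CLOSE = date(2025, 3, 31)
DOCS = [
    Document("D1", "aml_kyc", CLOSE, b"passport scan"),
    Document("D2", "legal_correspondence", CLOSE, b"advice letter"),
    Document("D3", "contract", CLOSE, b"signed engagement letter"),
    Document("D4", "marketing_consent", date(2024, 1, 15), b"consent record"),
]
HOLDS = [LegalHold("regulatory enquiry", date(2026, 12, 1), date(2027, 6, 30))]

if __name__ == "__main__":
    for d in DOCS:
        print(d.doc_id, d.category, "due", scheduled_deletion(d), "remind", reminder_date(d))
    print("D4 deletable on 2027-02-01 (hold in force):", can_delete(DOCS[3], HOLDS, date(2027, 2, 1)))
    print("D4 deletable on 2027-07-01 (hold lifted):", can_delete(DOCS[3], HOLDS, date(2027, 7, 1)))
    print(destroy(DOCS[3], date(2027, 7, 1), "records-ops", "cryptographic erasure"))
    print(matter_index_entry("M-2025-001", "Example Client Ltd", "engagement", CLOSE, DOCS))
```

Running the block shows the marketing consent record falling due in January 2027 while the AML and legal categories run to 2030 and 2031, the hold blocking deletion in February 2027 and releasing it in July, and an index entry whose retention end is the latest category date rather than a per-document list.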

HubSecure Vault

Automated retention and deletion scheduling

HubSecure's Vault module applies your retention schedule automatically — each document category gets its own deletion date, legal hold pauses run automatically, and destruction certificates are generated and stored. No spreadsheets, no missed deletion deadlines.
