Is there a single retention period for meeting recordings under UK law?

No. UK GDPR's storage limitation principle says personal data should be kept no longer than necessary for the purpose it was collected. The right retention period comes from the purpose of the recording, the regulator that applies, and the documents the recording supports. There is no universal number.

What is the most common range we see in retention schedules?

For internal meetings without a regulatory dimension, 12-24 months is typical. For client meetings in regulated work, the period is usually tied to matter life plus a defined retention (often six years). For HR matters, the retention follows the employee record schedule. For clinical consultations, the regulator's guidance governs.

Do I need to keep the recording, or just the document produced from it?

It depends what the documentation is for. If the document is the official record (minutes, attendance note, file note), the recording can often be deleted earlier than the document. If the recording itself is evidence (a witness statement, a regulatory call), it stays for as long as the evidence is needed. Be explicit in the retention schedule about whether the recording, the transcript and the document have the same retention period or different ones.

Does keeping a recording on the user's own laptop change the answer?

It changes who has to track the retention but not the principle. If a recording lives only on a fee-earner's laptop, the retention schedule still applies to the file in the workspace. The IT process the organisation already uses for end-of-period file deletion needs to know about the workspace location.

What happens to the retention obligation when an employee leaves?

The recording, transcript and document are personal data of the people on them, not just the employee who held them. When the employee leaves, the data does not automatically reach the end of its retention period. The organisation has to take possession of the workspace (through the normal device collection process) and continue to apply the retention schedule until the data is deleted in line with the schedule.

How long should you keep meeting recordings under UK law

Recording a meeting creates personal data of every person whose voice is on the recording. Under UK GDPR’s storage limitation principle, that personal data should be kept “no longer than necessary” for the purpose it was collected. There is no single number for “no longer than necessary”; it varies by purpose, by regulator and by the documents the recording supports.

This piece is for compliance leads, HR managers, legal teams and anyone tasked with writing or reviewing a retention schedule. It is a working framework, not legal advice. The aim is to give you the structure to defend a particular retention period, not to tell you what the period should be.

The principle

UK GDPR Article 5(1)(e) is the relevant text. Personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. The Information Commissioner’s guidance puts retention into three categories: data kept “while needed”, data kept “for a defined period”, and data kept “for an indefinite period justified by a specific reason”. Most meeting recordings sit in the second category.

The “defined period” is what the organisation has to set. The basis for that period is what this article is about. There are four factors that determine it.

The purpose of the recording. Why does the recording exist? Answers vary widely. To produce an accurate set of minutes; to support a witness statement; to feed a transcription pipeline that produces the official document; to provide a backup record in case the live note-taker missed something; to allow a meeting to be reviewed by someone who could not attend.

The regulator that applies. Different regulators have different views. The SRA expects solicitors to retain matter files for at least six years after closure (longer in some matter types). The FCA has its own retention obligations on recorded calls in regulated activities (specifically MiFID II conversations). The Charity Commission expects trustee minutes to be retained as a permanent record. The GMC and the Health and Care Professions Council have their own guidance for clinical records.

The supporting document’s life. If the recording supports a document that has its own retention (the file note, the minutes, the SAR response), the recording’s retention is normally tied to that document’s. The recording can outlive the document if the recording is itself evidence; the recording can be deleted before the document if the document is the record and the recording is just working material.

The data subjects’ rights. People whose voices are on the recording can request access, rectification or deletion of the data. The retention schedule must allow these rights to be exercised within the timeframe the regulation requires.

A practical retention schedule pattern

Most retention schedules for meeting recordings end up with a structure like this:

Meeting type	Recording retention	Transcript retention	Document retention
Internal management meeting	12 months	12 months	24 months
Client meeting (regulated work)	matter life	matter life	matter life + 6 years (SRA-style)
HR investigation interview	case life + 12 months	case life + 12 months	case life + 6 years
Disciplinary or grievance hearing	case life + 12 months	case life + 12 months	employee record retention
Clinical consultation	per regulator	per regulator	per regulator (often 8 years for adults)
Trustee meeting (charity)	12 months	12 months	permanent (Charity Commission)

The numbers in this table are not law. They are common patterns. Each row needs to be defended by the organisation against its own purpose, regulator and policy. Write the defence into the retention schedule alongside the period; if a regulator or a tribunal asks “why this period”, the answer should be in writing already.

The wider data-protection framework that sits behind the retention question is in meeting recording and UK GDPR, which works through the controller-processor analysis, lawful basis and DPIA scope.

Practical operational questions

A retention schedule on paper is one thing. Making it actually happen is another. Three practical points.

Who deletes what, and when? The schedule says recordings of type X are deleted at month N. Someone has to actually delete them. For a tool that runs on the user’s own laptop, the deletion is usually done by the user (or by an IT job that runs on the workspace). For a tool that keeps copies in a vendor’s cloud, the deletion has to be done in both places, and the vendor’s deletion process is part of the schedule. The vendor’s standard data-processing addendum will set out the deletion timeline; check it against the schedule.

Backups. Retention applies to backups too. A recording that is “deleted” from the live workspace but is still in a daily backup is still personal data. The schedule has to address the backup tier explicitly. Most organisations cap backup retention at a defined period (90 days, 12 months) and consider that acceptable as long as it is documented.

Subject Access Requests during the retention window. Anyone whose voice is on the recording can request the data while it is still being held. The SAR process has to know the recording exists and where it is. A workspace folder name is a useful indicator; “audit/recordings/2026-Q2” tells the SAR officer where to look.

For organisations that hold recordings on a vendor’s server, every SAR has to ask the vendor as well. For organisations that hold recordings only on user machines, the SAR only has to look in one place.

Where Whistle Enterprise sits in the schedule

Whistle Enterprise keeps the recording, the transcript and the generated document in a local workspace on the user’s computer. The workspace can be set to a local drive or a network drive, and the contents can be encrypted with a password.

For retention purposes this means:

The retention schedule applies to files in known locations on known machines.
Deletion is a normal IT operation: scripts that walk the workspace and remove files past their retention date, audit logs of what was deleted, the same lifecycle as any other file.
There is no vendor copy to chase. The SAR response and the deletion process both look in one place.
Backups follow the organisation’s normal backup policy for the device.

This is the smallest possible footprint a retention schedule has to cover for meeting documentation, and it is most of the reason organisations with serious retention obligations choose a tool of this kind.

If the question is the wider buying decision, on-premise alternatives to cloud meeting tools covers it. The free 30 day trial is the way to test how the workspace fits your existing IT and retention regime, before deciding whether the trade is right for the work.

Common questions

Is there a single retention period for meeting recordings under UK law?: No. UK GDPR's storage limitation principle says personal data should be kept no longer than necessary for the purpose it was collected. The right retention period comes from the purpose of the recording, the regulator that applies, and the documents the recording supports. There is no universal number.
What is the most common range we see in retention schedules?: For internal meetings without a regulatory dimension, 12-24 months is typical. For client meetings in regulated work, the period is usually tied to matter life plus a defined retention (often six years). For HR matters, the retention follows the employee record schedule. For clinical consultations, the regulator's guidance governs.
Do I need to keep the recording, or just the document produced from it?: It depends what the documentation is for. If the document is the official record (minutes, attendance note, file note), the recording can often be deleted earlier than the document. If the recording itself is evidence (a witness statement, a regulatory call), it stays for as long as the evidence is needed. Be explicit in the retention schedule about whether the recording, the transcript and the document have the same retention period or different ones.
Does keeping a recording on the user's own laptop change the answer?: It changes who has to track the retention but not the principle. If a recording lives only on a fee-earner's laptop, the retention schedule still applies to the file in the workspace. The IT process the organisation already uses for end-of-period file deletion needs to know about the workspace location.
What happens to the retention obligation when an employee leaves?: The recording, transcript and document are personal data of the people on them, not just the employee who held them. When the employee leaves, the data does not automatically reach the end of its retention period. The organisation has to take possession of the workspace (through the normal device collection process) and continue to apply the retention schedule until the data is deleted in line with the schedule.

For procurement, finance, IT directors, ops teams, anyone responsible for tool TCO

What you stop paying when the meeting tool runs locally

Cloud meeting tools come with subscriptions, usage limits, outages and quiet vendor lock-in. A local tool removes all four. Here is what that means in practice.
For client-facing roles, advisors, solicitors, accountants, consultants

Should you record meetings with clients

When recording a client meeting helps the work and when it gets in the way. The professional, ethical and legal questions, plus a working position for advisors.
For HR managers, employment law, people teams, in-house counsel

Whistle Enterprise for HR and people teams

Why HR investigations, grievance hearings and disciplinary meetings call for documentation that never leaves the HR machine, and what Whistle Enterprise produces for the file.

Back to all articles