To ensure small businesses are prepared for new General Data Protection Regulation (GDPR) – due to be introduced in May 2018 – manager at document storage firm Access Records Management, Ian Henry, has identified six data retention policies owners frequently overlook.
Business optimism in the UK is at its highest in 15 months. As a result, companies may want to capitalise on this economic upswing and set growth strategies in motion.
At the same time, it’s important company owners review their current data retention policies to ensure compliance with the new GDPR.
The GDPR will come into force in May 2018. Regardless of the size of your business, your company will be required to understand, and apply, all the legislative updates to its data retention policy.
Failure to comply can have costly repercussions. The Information Commissioner’s Office (ICO), for example, can charge an organisation up to €20m, or up to four percent of their annual turnover, in the event of a major data breach.
Here are six data retention policies no small business owner can afford to overlook:
(1) Business contracts and arrangements
The Limitation Act 1980 (Section 5) states that all business contracts, agreements and other arrangements need to be safely stored for the length of the contract and for six years afterwards.
The Registered Pension Scheme (Provision of Information) Regulations 2006 (No. 18) demands that business data and documents concerning pension schemes require a minimum storage time of six years.
(3) Medical examinations
Regulation 10(5) of the Control of Substances Hazardous to Health Regulation 2002 stipulates that all work-related medical examinations related to hazardous substances must be stored for a minimum of 40 years, from the date of the last entry made in the record.
(4) Dangerous substances
If you are in the business of supplying chemicals and other ‘environmentally damaging’ products, you need to comply with Article 49 of the Regulation No 1272/2008/EC.
This legislation demands that all records pertaining to the classification, labelling, and packaging of these substances and mixtures are kept for a minimum of ten years from the date these products were last supplied.
(5) Workplace injuries
According to Regulation 12, of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, accident reports need to be retained for a minimum of three years. The maximum retention period is dependent upon general restrictions regarding personal data.
And finally, one that affects all of us! As your VAT return is completed online it’s easy to think that you don’t have to keep extensive records. But the VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21 October 2013 beg to differ. In fact, you’re expected to keep these records for a minimum of six years from the date they were made.
It’s no good having a data retention policy just to tick a box. It needs to be taken seriously by everyone in your company, from senior management all the way down.
If your company chooses to manage its document storage in-house, make sure that the archival facilities are safe and secure, yet easily accessible by those with the correct clearance.
A good data retention policy states which documents to keep and how to store them safely, as well as when and how to destroy them. Document disposal is as important as retention.
Records management can be a minefield. New legislation aims to protect both companies and the consumer, but there are always new policies to get to grips with.
The sooner your company starts complying the better. This will help you avoid any expensive oversights and stay focused on building your business.
Ian Henry is records centre manager at document storage company Access Records Management.
Preparing for auto-enrolment: An expert’s top five tips
Sign up to our newsletter to get the latest from Business Advice.