HR 2 February 2017

Data retention: The six regulations business owners must remember

New data retention rules for small firms are due in May 2018
To ensure small businesses are prepared for the new General Data Protection Regulation (GDPR), due to be introduced in May 2018, Ian Henry, manager at document storage firm Access Records Management, has identified six data retention policies owners frequently overlook.

Business optimism in the UK is at its highest in 15 months. As a result, companies may want to capitalise on this economic upswing and set growth strategies in motion.

At the same time, it’s important company owners review their current data retention policies to ensure compliance with the new GDPR.

The GDPR will come into force in May 2018. Regardless of the size of your business, your company will be required to understand, and apply, all the legislative updates to its data retention policy.

Failure to comply can have costly repercussions. The Information Commissioner’s Office (ICO), for example, can charge an organisation up to 20m, or up to four percent of their annual turnover, in the event of a major data breach.

In addition to the GDPR, company owners also need to be aware of their commitments with regard to legislation such as the Financial Services Act 1986, the VAT Act 1994 and the FOI Act 2000.

Here are six data retention policies no small business owner can afford to overlook:

(1) Business contracts and arrangements

The Limitation Act 1980 (Section 5) states that all business contracts, agreements and other arrangements need to be safely stored for the length of the contract and for six years afterwards.

(2) Pensions

The Registered Pension Scheme (Provision of Information) Regulations 2006 (No. 18) demands that business data and documents concerning pension schemes be stored for a minimum of six years.

(3) Medical examinations

Regulation 10(5) of the Control of Substances Hazardous to Health Regulation 2002 stipulates that all work-related medical examinations related to hazardous substances must be stored for a minimum of 40 years, from the date of the last entry made in the record.

(4) Dangerous substances

If you are in the business of supplying chemicals and other environmentally damaging products, you need to comply with Article 49 of the Regulation No 1272/2008/EC.

This legislation demands that all records pertaining to the classification, labelling, and packaging of these substances and mixtures are kept for a minimum of ten years from the date these products were last supplied.

(5) Workplace injuries

According to Regulation 12 of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, accident reports need to be retained for a minimum of three years. The maximum retention period is dependent upon general restrictions regarding personal data.

(6) VAT