You shouldn't panic about pending GDPR data protection rules, but you should be sure to cover the basics.
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. Because it applies to any organisation processing the personal data of people in the EU, it won’t matter whether you’re based within the bloc or not: your company will have to take the substance of the law, and the guidance and amendments that follow it, into account whenever it processes this information, and failure to do so can have serious consequences.
In the UK, the Information Commissioner’s Office (ICO) is the supervisory authority empowered to levy fines of up to €20m or four percent of your company’s global annual turnover, whichever is higher.
But for all the hubbub and panic around GDPR, data protection isn’t a particularly new concern. It’s always been important to ensure that any information that you process and store is handled in a safe and compliant fashion.
In the rush to become GDPR compliant, it’s important to ensure that other relevant legislation is not neglected – particularly that which pertains to data retention. Failing to retain information that must be held for legal purposes carries consequences comparable to those organisations face for collecting and storing new information unlawfully.
Data retention can prove especially problematic if you haven’t been running a business for very long and aren’t yet aware of the full extent of your obligations. Here are just a few regulations you’ll need to get to grips with.
Since a VAT return is completed digitally, it’s alarmingly common to simply complete the online form and move on, never thinking about it again.
That it’s common doesn’t mean it isn’t a mistake. If you don’t keep sufficient VAT records for at least six years from the date they were created, you could well be in breach of the Value Added Tax Act 1994 (Schedule 11, paragraph 6) and HMRC VAT Notice 700/21 (October 2013). Ensuring that these documents are kept in a safe location or stored digitally, with backups, should be an operational priority.
You are most likely already keeping contracts between suppliers and clients on hand for operational reasons. If they dispute the terms of your arrangement, you can use them as a resource in your defence; when you’re drawing up comparable agreements, you can use them as a template.
You may even be able to present them, or records like them, to prospects as an example of what kind of contract they can expect. They’re useful records to keep around regardless of any legal obligations.
That said, there is a clear legal reason to keep them. Section 5 of the Limitation Act 1980 sets six years as the period within which an action founded on a simple contract can be brought, so business agreements, contracts, and the documents that support them should be kept for six years after the contract ends – the six years run in addition to the length of the contract itself.
Again, you’re already likely retaining these documents. Just make sure you’re retaining them for the right amount of time.
Owing to the UK government’s auto enrolment scheme, pension data will increase in quantity and complexity over the next few years. Having a system in place to store and organise this data – and to destroy it when the time comes – is essential.
As for how long you have to store it, the Registered Pension Schemes (Provision of Information) Regulations 2006 require that information a business holds relating to pension schemes be kept for at least six years. If you don’t have a plan for storing and retrieving this data, it’s worth establishing one in advance of your auto enrolment deadline.
Workplace injury reports
Workplace injuries occur everywhere – even in the relatively sedentary surroundings of a start-up or SME. When they do, records need to be kept scrupulously per Regulation 12 of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR). These records need to be stored for a minimum of three years; the maximum period is determined by general personal data law, since an injury report is personal data and should not be held longer than it is needed.
In the unlikely event that an employee has suffered an injury related to a hazardous substance – maybe you’re running a biotech company, or a member of the janitorial staff has got methylated spirits in their eyes – you’ll need to keep the health record relating to their medical examination for at least 40 years from the date of the last entry, as required by Regulation 11 of the Control of Substances Hazardous to Health Regulations 2002 (COSHH).
Understanding data retention
These regulations are not in and of themselves that interesting. What they do demonstrate is the need for a serious, wide-ranging data retention policy: something that inculcates best practice in your processes – from junior to boardroom level.
That means making some key decisions. Your policy should set out, for each category of record, which documents you must keep, the legal basis and retention period that applies, and when and how they should be destroyed – and destruction should be recorded, so you can show that a document was disposed of deliberately rather than lost. If your company chooses to manage its records in-house rather than outsourcing to a third party, it will likely need to blend physical storage – for hard documents that cannot be destroyed or uploaded – with digital solutions.
That will necessarily involve designating an area for secure archiving, which means sacrificing space that could be used elsewhere. Determine what your needs might be and allocate this space accordingly, ensuring that it is available to those who require access and have the right credentials, and to no one else.
Legislation is often inconvenient, but despite the threat of draconian penalties, it’s not the enemy. Implementing a retention policy will benefit your company by ensuring that it doesn’t lose vital documents, and that it doesn’t keep personal data any longer than it should.
If you focus on strict compliance and building a data retention policy that can adjust to revisions and amendments to this legislation, you and your business will ultimately benefit.