May 2018 will see the introduction of the EU General Data Protection Regulation – a comprehensive legislative endeavour that applies to any business processing the information of any EU citizen in any country. It’s being written about at high volume and in great detail, and for good reason.
Less well-documented, but no less important, are existing data protection and retention regulations: all of which apply to small businesses, and all of which carry severe penalties for noncompliance. It’s essential to process, store, and handle information safely and compliantly: keeping records that you don’t need and destroying records that you do need can have operational and legal consequences.
But if you haven’t been running a business for very long, it can be hard to know exactly how to comply – or what you’re required to comply with. Run afoul of certain data protection laws, and you can face severe fines.
Here are four key regulations to keep in mind.
Let’s start with some of the records you’re almost certainly already keeping. Business records such as supplier and client contracts are usually retained by companies, for the sake of self-preservation if nothing else – in the event of a disagreement or dispute, they’re handy things to have, and they can also be effective templates for future agreements.
But they come with clear rules around how they should be stored and processed. Section 5 of the Limitation Act 1980 outlines these in detail: all contracts, business agreements, and other relevant documents should be kept for a period of six years (excluding the length of the contract) before destruction.
As all VAT records are submitted digitally these days, it’s easy to think you don’t have any obligations when it comes to the storage and retention of your returns. This is misguided.
Keeping VAT records is more important than ever, and, per Schedule 11, paragraph 6 of the VAT Act 1994, and HMRC Notice 700/21 October 2013, you have to keep them for at least six years from the moment of creation. Store these records digitally, as well as in a safe physical location, and you’ll be fully compliant.
The introduction of auto-enrolment has made it more important than ever to properly store, process, and dispose of your pension data.
It’s vital that your business can handle pension data properly – and get rid of it when necessary. The Registered Pension Scheme (Provision of Information) Regulations 2006 mandate that these records must be stored for at least six years. With all auto-enrolment staging deadlines now passed, it’s more important than ever to develop a comprehensive system for storing, retrieving, and destroying this data.
Workplace injury reports
Okay, okay, you’re working in a typical office environment, and dramatic injuries are unlikely.
And yet, workplace accidents do happen, and when they do, it’s important to keep a record of it – per Regulation 12 of the Reporting of Injuries, Diseases, and Dangerous Occurrences Regulations 2013. This law means that records relating to these occurrences must be stored for a minimum of three years, and a maximum that varies according to personal data laws.
For injuries caused by hazardous substances (hey, it happens), records must be stored for 40 years from the date of entry.
Developing a comprehensive data retention strategy
On their own, these regulations aren’t that interesting – but cumulatively, they represent a serious operational barrier for small businesses.
A comprehensive data retention strategy must account for every law, and for everyone who might conceivably come into contact with the records concerned. That means educating your team: your CEO might not know much about information security policy because their attention is often divided, and your junior employees won’t know because they haven’t the experience or expertise to understand best practice. They, and everyone in between, should ideally receive the appropriate training.
But beyond education, it’s necessary to make some key strategic decisions about how you process and archive data. You need to know which documents to keep, and when each of them should be destroyed. It’s possible to manage this in-house using a combination of physical and digital storage, but this will require you to sacrifice office space and employee time. You’ll also need to develop a system to determine who can and cannot access these records. Outsourcing records storage may be a better option if you can find the right provider.
Regardless of how you choose to implement your data retention strategy, it’s vital that you do. Information security isn’t always fun, and it’s never, ever glamorous – but it is absolutely necessary, and full compliance will only be an advantage for your business.