
The EU General Data Protection Regulation (GDPR) may be the most significant shake-up in privacy legislation for over 20 years, but prioritising data protection isn’t new.
There are already a significant handful of other laws that pertain to data protection – as well as retention, which is too often overlooked. In the rush to be GDPR-ready, it’s important to ensure that these laws are not neglected. In the same way that there will now be serious consequences for collecting and storing new information in a non-compliant manner, there are equally dire consequences for failing to retain information that must be held onto for legal purposes.
Adhering to data retention laws can be particularly problematic when you haven’t been running a business for very long and aren’t yet aware of the full extent of your obligations. Here are just a few of the most significant regulations that you need to know.
Business agreements
There is a significant legal obligation to keep contracts and agreements. Section 5 of the Limitation Act 1980 outlines a clear policy for the storage of business agreements, contracts, and other documents: they must be kept for a period of six years – not including the length of the contract.
You are most likely already keeping these types of contracts on hand for operational reasons: if either of you disputes the terms of your arrangement, you can use them as a resource in your defence, and when you’re drawing up comparable agreements, you can show them to prospects as an example of what kind of contract they can expect and use them as a template.
They’re useful records to keep around regardless of any legal obligations. Just make sure you’re retaining them for the right amount of time.
VAT records
A VAT return is completed digitally, so people often fill out the online form and move on. In actual fact, you must keep sufficient VAT records in physical form for at least six years from the date of creation. If you don’t, you could be breaking the law. Ensuring that these documents are kept in a safe location or stored digitally must be an operational priority.
Workplace injury reports
Workplace injuries can occur even in small, office-based start-ups or SMEs. If and when they do, records need to be kept scrupulously for a minimum period of three years. The maximum period that these records need to be kept is determined by general personal data regulations.
If an employee suffers an injury related to a hazardous substance, you’ll need to store all records relating to their medical examination for a minimum of 40 years from the date of entry.
Pension documents
Guidelines state that information relevant to pension schemes must be held for at least six years. If you don’t have a plan for storing and retrieving this data in place, it’s worth establishing one in advance of your auto enrolment deadline.
Due to the UK government’s auto enrolment scheme, pension data is set to become much more complex. Having a system ready that stores and organises this data – and destroys it when the time comes – is essential.
Understanding data retention laws
What these regulations share is the need for a serious, wide-ranging data retention policy: something that incorporates best practice in your processes at all levels of the business.
Your policy needs to outline exactly which documents you should keep and which you should destroy. Of those that should be destroyed, you will need to outline exactly when and how they should be destroyed.
If you are managing this process in-house rather than outsourcing to a third party, you will likely need physical storage for hard documents that cannot be destroyed or uploaded. This will mean sacrificing space that could be used elsewhere. Once you determine what your needs are, you can allocate this space accordingly – ensure that it’s available to those who require access and have the right credentials.
Despite the threat of penalties, these data retention laws do not have to be the enemy. Implementing retention policies will ultimately help your company by ensuring that it doesn’t lose documents that might be vital later.
If you focus on building a data retention policy that is flexible enough to adjust for revisions and amendments to legislation, your business will ultimately benefit.
This article was written and contributed by Paul Ravey, Sales Manager, Access Records Management
DISCLAIMER: This article should not be regarded as constituting legal advice in relation to particular circumstances. This article is merely a general comment on the relevant topic.