Forming an effective data retention policy is essential for every organisation – whatever its shape, size, or annual turnover.
In theory, it’s a simple matter of knowing what to keep and what to throw away; in practice, it involves balancing your business requirements against a complex web of rules and regulations.
What’s more, it poses real problems for established and new companies alike. If your business is buying another business, it’s not uncommon to find hundreds of boxes of documents in the basement, organised according to no particular filing system.
If you’re starting a new organisation, creating a viable policy should be a business priority – because if it isn’t sorted at the start, it will most assuredly cause problems in the future.
Whether you’re just starting out or looking to refine your existing policy, you should keep these key questions firmly in mind.
What regulations should your company know about?
A lot of best practice is based on guidelines rather than regulations, so protecting sensitive information is something of a minefield.
Behaviours that you assume to be perfectly acceptable may be unacceptable under a regulation that you didn’t know applied to your business, and in some cases, may not have even heard of.
>See also: Data removal policies leave businesses vulnerable
To protect your company’s most sensitive information, it’s essential to remain vigilant.
That means understanding the relevant legislation – be it the Data Protection Act 1998, the Financial Services Act 1986, or any other industry-specific law – and maintaining a studious awareness of the consequences.
For example, the Information Commissioner’s Office is (thanks to the introduction of the EU General Data Protection Regulation) now able to charge four percent of your organisation’s annual global turnover – or up to 20 million euros – if you fall victim to a major data breach.
Now, you’re unlikely to be charged €20 million, but the other penalties it’s able to dispense are still worth paying attention to.
HMRC, for example, can charge up to £3,000 if it finds that your business has destroyed key documents purposefully instead of retaining them. For a cashflow-sensitive business, this can be extremely damaging – but if you keep compliance firmly in mind, these penalties can be avoided.
What records does your business need to keep?
Naturally, the answer to this question also varies from company to company.
There are several provisions relating to general business and financial documents, all of which are found easily enough online or at the website of the National Archives.
What you really ought to look out for are the records that you don’t know need to be regulated: neglect or poor practice can come back to bite you.
Some items need to be kept for far longer than you might expect. If there’s been a medical examination at your workplace related to a hazardous substance, for example, Regulation 10(5) of the Control of Substances Hazardous to Health Regulation 2002 mandates that you must keep all documentation for a full forty years from the date of the last entry made in the record.
>See also: Why the UK government needs a better way to legislate technology
Suppliers of substances are also bound by data retention regulations: if their clients are buying chemicals or other ‘environmentally damaging’ products, Article 49 of the Regulation No 1272/2008/EC on classification, labelling, and packaging of substances and mixtures demands that records are kept for a minimum of ten years from the date these products were last supplied.
These are just two examples: there are many more pertaining to HR records, contracts, and VAT, amongst others. Knowing the legislation you must adhere to gives you a far greater chance of complying with it.
Should you digitise your company’s data?
The answer to this is usually “no”: from a regulatory perspective, you don’t need to digitise anything. You may have to submit VAT records online, but for your own purposes, you can keep hard copies.
Should you digitise your data from a business perspective? It’s a matter of personal preference, but physical storage is often cheaper (scanning documents can be an expensive undertaking), and it’s usually more secure.
Cyber attackers do so partially because it can be done from an armchair: stealing physical records usually involves equipment, effort, and luck. What’s more, for certain types of record, such as wills and deeds, you’ll need to keep the original hard copy anyway.
How do you develop your company’s retention policy?
If you’re storing your records in-house instead of at a dedicated records centre, this question becomes far more complicated. You have to create an entire filing and referencing system, you have to instruct your staff in data protection and compliance; you have to know which records must be kept, which records must be destroyed, and which records must be kept and then destroyed.
You also need to understand how to prevent fire and water damage.
>See also: Getting your records GDPR-ready: a six-step guide
If it sounds like a lot of work, it is.
Outsourcing it may be your best bet. But while the process will be challenging no matter what, it’s worth doing correctly.
An organised, intuitive data retention policy is an asset to your business: it makes vital records easily retrievable, it prevents the possibility of financial penalties, and it futureproofs your business against potential infractions.
Sourced by Ian Henry, records centre manager, Access Records Management