By Paul Ravey, Sales Manager, Access Records Management
The introduction of the EU General Data Protection (GDPR) has seen no shortage of panic among the business community. Overstated though it may be, this panic is understandable: when wide-ranging regulations are introduced, small business owners rarely link arms and dance in the street.
Certainly, when you look at GDPR, it does have some significant implications for SMEs, applying to any entity processing the personally identifiable information (PII) of any EU citizen in any country. But the aim here is to protect this information, and to ensure that data is handled, stored, used, and destroyed properly. In this respect, it’s not too dissimilar from existing protection regulations.
Certainly, the data retention laws already in place in the UK are no less important than the GDPR: The Data Protection Act 1998, for example, holds that personal records should not be held onto for longer than the business strictly needs to, and this is understandable: no business benefits from keeping records it doesn’t need, and nor should it lose or destroy records that it does need. This principle will be further enshrined within the GDPR – and it will come with new penalties for non-compliance – but it is a nonetheless longstanding one.
Risks of non-compliance
Data retention laws apply to the information you have on customers, employees, suppliers, and anyone else that is associated with your business. Failing to manage them adequately will have a negative effect on your reputation, your finances, and your operational efficiency. The more unnecessary information you keep, the more difficult it becomes to find the records you do need – and the more space you waste. The more necessary information you destroy or lose, the more likely you are to face legal penalties.
So, while GDPR may be a priority, if you’ve only just started running your small business, there are a number of regulations you’ll already need to know about and comply with. In the absence of outsourced records management or a dedicated manager, it’s hard to know which retention periods apply to which records. These record types aren’t the only ones you’ll need to acquaint yourself with, but they’re some of the most important.
Health and safety records
Let’s start with an obvious one: should a workplace accident, injury, or other health and safety issue occur – and should an assessment or consultation with a safety representative emerge from them – it will be necessary to keep a record of it permanently. Medical records specified by the Control of Substances Hazardous to Health Regulations, for example, must be kept for up to 40 years. This is not only a legal necessity, it’s good sense: health and safety claims can be made at any time.
Wage, salary, and employment records
Again, you’ll likely be retaining these anyway, but under the Taxes Management Act, you’ll need to retain them for six years. The Income Tax (Employments) Regulation also makes it imperative to hold on to all income tax documentation for no less than three years after the relevant financial year. This doesn’t just relate to wage and salary records: you’ll have to keep scrupulous documentation of any overtime, bonuses, and expenses. This protects the business in the event of a tax issue or a claim of underpayment.
Keeping scrupulous records of company accounting documents should be standard practice: without them, you don’t really know how your business is financially managing. There are also statutory retention periods, per Section 221 of the Companies Act 1985 (as modified by the Companies Acts 1989 and 2006). If you’re running a private company, you’ll need to keep these documents for three years (six for public limited companies, if anyone’s planning an IPO for the future!).
Non-statutory retention periods – or, how to navigate grey areas
Sometimes you’ll run into a situation where there isn’t any legal clarity on the length of a document’s retention period – leaving it up to you to decide how long to keep it and when to destroy it. It’s recommended, for example, that pensions records are kept for twelve years from the end of any benefit payable under your company’s particular scheme, though this is non-statutory.
Different businesses have different processes for this, and employers need to think about what might be appropriate. Using your judgment and experience and consulting with your peers can help, as can considering the time limits of potential tribunal or civil claims. As a general rule, though, when in doubt, keep it for six years (or five, if your business operates in Scotland) to cover the time limit necessary for bringing any civil legal action.
Here, and elsewhere, ‘better safe than sorry’ is a good principle to follow. Knowing how long to hold onto records can sometimes be difficult, but it’s always worthwhile to ensure they’re managed, retained, stored, and processed properly. In many cases, it’s the law, but it’s also just good business sense.