The General Data Protection Regulation (GDPR) has thrown many small businesses into some turmoil, but being organised about how you manage records, and how long you hold on to them, is ‘just good business sense’ anyway.
So argues this useful piece over on SME.
It outlines a few key ‘record types’, and sets out how you should manage each of them – which may help.
Stop flapping, and be sensible anyway, seems to be the overall advice.
‘The introduction of the EU General Data Protection (GDPR) has seen no shortage of panic among the business community’, opens the piece.
‘Overstated though it may be, this panic is understandable: when wide-ranging regulations are introduced, small business owners rarely link arms and dance in the street.’
Well, no…! ’Tis true.
And yes, it says, GDPR does have far-reaching implications for small business owners, applying, as it does, ‘to any entity processing the personally identifiable information (PII) of any EU citizen in any country’.
But once we stop worrying, is it worth remembering that the legislation is being introduced for positive overall reasons? That is, ‘to protect this information,’ as SME puts it, ‘and to ensure that data is handled, stored, used, and destroyed properly. In this respect, it’s not too dissimilar from existing protection regulations.’
And the guiding principles are not new ones.
The Data Protection Act 1998, for instance, says SME, ‘holds that personal records should not be held onto for longer than the business strictly needs to, and this is understandable’.
And this ‘principle will be further enshrined within the GDPR’.
Be well organised. That’s what this all adds up to.
The laws apply to records on anyone in any capacity interacting with your business. You need to manage them properly. Simple really.
‘The more unnecessary information you keep, the more difficult it becomes to find the records you do need – and the more space you waste’, says the SME piece.
‘The more necessary information you destroy or lose, the more likely you are to face legal penalties.’
It then sets out a few categories of records – and how you should manage them. These are:
1. Health and safety records – should an incident occur, with attendance by ‘a safety representative’, you need ‘to keep a record of it permanently’, says the piece. ‘This is not only a legal necessity, it’s good sense: health and safety claims can be made at any time.’
2. Wage, salary and employment records – ‘under the Taxes Management Act, you’ll need to retain them for six years’, and the Income Tax (Employments) Regulation means you’ll need them for at least three. ‘This doesn’t just relate to wage and salary records: you’ll have to keep scrupulous documentation of any overtime, bonuses, and expenses.’
3. Accounting records – you need scrupulous accounting records at all times, says the piece, if only to ‘know how your business is financially managing’. Neglecting them is hazardous at all levels, not just legally. But there is a legal side too: there are ‘statutory retention periods’, which the SME piece outlines. ‘If you’re running a private company, you’ll need to keep these documents for three years (six for public limited companies)’.
The useful summary ends on ‘grey areas’ – situations ‘where there isn’t any legal clarity on the length of a document’s retention period – leaving it up to you to decide’.
Pensions are one – though there’s a recommendation of ‘twelve years from the end of any benefit payable under your company’s particular scheme’.
So many things to think about – but they do need thought. And the SME piece advocates an overriding ‘better safe than sorry’ approach.
Plus, if no other factors determine how long you keep a record, why not opt for ‘six years (or five, if your business operates in Scotland)’?
That’s ‘the time limit necessary for bringing any civil legal action’.
There’s more. See the full piece over on SME.