Most businesses know that data protection is a serious issue. Too few, however, understand why or for how long they are legally required to retain key records. This typically results in a document storage set-up that is disorganised and – unbeknownst to staff – non-compliant. Without a referencing system or clear segmentation policy in place, companies can fall short of legal document retention requirements and face stiff penalties.

During a busy work period, it’s easy to throw important records into the closest box until further notice, but this can cause unnecessary issues down-the-line. It may be a challenge to establish a solid data retention policy, but it’s an absolute priority for businesses of all shapes and sizes.

Here are four areas of data retention to focus on so that you can ensure your business stays compliant.

  1. The regulations

There is no central repository of regulatory information which can make staying up-to-date and informed a tricky task. Data retention requirements can vary significantly depending on the type of record: you may have to hold certain HR and financial documents for up to seven years, building regulation documents for up to 21 years and insurance documents for up to 40 years.

A comprehensive understanding of the legal ramifications requires continuous examination of legislation – whether that’s the Data Protection Act, VAT Act, or any other type of regulation.

The penalties involved in breaching data retention regulations differ according to the actual record in question and the type of regulation you are in breach of. For example, HMRC can fine you for not having VAT records available – and the amount can change depending on how many times you default within a 12-month period.

  1. Hard copies versus electronic copies

The General Data Protection Regulation (GDPR), due to come into force in May 2018, takes a strong stance on electronic data protection, which has resulted in more companies starting to digitise their records. However, you are not actually legally bound by the regulation to digitise any documents – it simply comes down to your preferred method of document storage.

  1. The records

Your business will need to retain a variety of general business, financial and HR documents. It’s important to examine the relevant legislation on a regular basis as lesser known legislative requirements may slip your attention. Here are some examples of the kinds of records that you might not currently realise need to be securely stored.

Pensions schemes data: As per the Registered Pension Scheme (Provision of Information) Regulations 2006 (No. 18), business data and documents concerning pension schemes require a minimum storage time of six years.

Injuries, diseases and accidents reports: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (No.12) 2013 states that accident reports need to be stored for a minimum of three years. The maximum time depends on the general restrictions regarding personal data.

Business contracts and agreements: According to the Limitation Act 1980 (Section 5), any business contracts, agreements and other arrangements need to be safely stored for the length of the contract and for six years after the agreement has been terminated.

  1. Your business policy

Your data retention policy needs to apply to everyone in your company from the top down. This is especially important if your company chooses to manage your document storage in-house. Make sure that all your staff understand the importance of data protection and the applicable legislation.

A do-it-yourself approach must take the appropriate steps to ensure that the data storage areas are safe, dry, fire-retardant and secure – not a simple task by any means. You’ll also need to establish a filing system that has easy-to-use referencing guidelines so you can quickly retrieve documents if required to by an inquisitive authority.

Good data retention is not just about knowing how to keep your documents safe and secure, it’s also about knowing how to dispose of data properly once it no longer needs to be retained. Records containing sensitive information need to destroyed according to a set policy, not just thrown into the nearest bin. Shredding confidential documents protects data from falling into the wrong hands.

Data retention is a process which can become overwhelming – if not done correctly. Make sure your business policy is in line with all the regulations and that your staff are up-to-date with any legal changes. That way, data retention won’t be a costly afterthought and you’ll be able to get on with business profitably and productively.


By Ian Henry, records centre manager at Access Records Management


Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit Series, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at www.gdprsummit.london