Businesses in the UK have to comply with various data laws in order to operate. A lack of compliance with any regulation – be it personal data protection or sector-specific legislation – can result in reputational damage and/or severe fines. To avoid putting your business at risk in any way, it pays to adopt a comprehensive data retention policy that keeps track of all the legal requirements, including data retention laws.
The General Data Protection Regulation (GDPR)
Perhaps the most important law related to the collection, usage and retention of data is the Data Protection Act 2018, which is effectively the UK’s implementation of the EU General Data Protection Regulation (GDPR). The GDPR came into effect on 25 May 2018, introducing stricter requirements regarding how long businesses can retain the personal information of EU citizens anywhere in the world.
What does GDPR say about data retention?
The GDPR does not specify retention periods for personal data. Instead, it emphasises data minimisation, which applies to both the volume of data that is kept and the length of its retention.
However, there are some circumstances that allow for personal data to be stored for longer periods of time. According to Article 5 (e), these include archiving purposes like public libraries as well as research archives for scientific or historical work.
Recital 39 nonetheless stipulates that the period for which personal data is stored must be limited to a strict minimum. The data controller needs to establish the time limit and either ensure the destruction of the records (referred to as erasure in the GDPR) or submit them for a periodic review.
Ultimately, personal information can be kept in a form that allows for identification of the individual for no longer than is necessary for the purposes for which it was processed. In deciding how long to retain personal data, organisations will base their decision on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles.
Other data retention regulations for businesses
In addition to the GDPR, UK businesses need to be aware of a few more specific records retention regulations for documents that are commonly found in the workplace.
- Business contracts and arrangements
The Limitation Act 1980 (Section 5) states that all business contracts, agreements and other arrangements need to be safely stored for the length of the contract and for six years afterwards.
- Pensions
The Registered Pension Scheme (Provision of Information) Regulations 2006 (No. 18) require that business data and documents concerning pension schemes be stored for a minimum of six years.
- Medical examinations
Regulation 10(5) of the Control of Substances Hazardous to Health Regulation 2002 stipulates that records of all work-related medical examinations related to hazardous substances must be stored for a minimum of 40 years from the date of the last entry made in the record.
- Dangerous substances
A company in the business of supplying chemicals and other ‘environmentally damaging’ products needs to comply with Article 49 of Regulation No 1272/2008/EC.
This legislation demands that all records pertaining to the classification, labelling and packaging of these substances and mixtures are kept for a minimum of ten years from the date these products were last supplied.
- Workplace injuries
According to Regulation 12 of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, accident reports need to be retained for a minimum of three years. The maximum retention period is dependent upon general restrictions regarding personal data.
- VAT
The VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21 October 2013 stipulate that VAT records need to be kept for a minimum of six years from the date they were made.
Maintaining compliance
To maintain compliance with data retention regulations, UK businesses need to set up a comprehensive document storage system. An in-house storage system is one option. But businesses must remember that records management can be a minefield to navigate, with new regulations and iterations occurring regularly.
An outsourced solution, like the one offered at Access Records Management, can help businesses of all shapes and sizes comply with the law. This keeps company reputations – and bottom lines – in one piece. If you need help or more information regarding the retention of important records, contact us today.