Small Business Data Protection Compliance: 3 Common Mistakes
Data protection can be a real hassle for small firms, with many not knowing what they need to keep or for how long. This guide will help
Data protection is a serious consideration for small businesses, but many fail to consider it seriously because they are busy selling to and servicing clients. In my experience, I’ve come across situations where clients keep thousands of documents in absolute disarray: no referencing system, no segmentation, and no clear thought process beyond “I need to store this piece of paper somewhere, and this box has room.” Often, they have no idea which records they need to keep or destroy, or indeed how to keep or destroy them.
If the problem were merely disorganisation, it might be understandable, but failing to properly store, organise, and secure documents can have severe consequences. A repeated failure to keep records in order can, for example, lead to penalties of up to £3,000 from HMRC. Cashflow-sensitive businesses will naturally struggle to pay such a fine, and may even close in the face of repeated charges.
Fortunately, it doesn’t have to come to that. If you’re running a small business, avoiding these three classic data protection mistakes can go a long way towards ensuring full compliance.
1. Not knowing what to keep, or how long to keep it for
This is the first and possibly the most complicated step, because regulation and legislation vary with the kind of record, and they are liable to change over years and decades. You may need to comply with statutes including the Data Protection Act 1998 (which safeguards the right to privacy when organisations or businesses process personal information), the VAT Act 1994, the Financial Services Act 1986, and possibly the Freedom of Information Act 2000.
There are many more laws to consider, and there is no single repository of information on the subject.
General company records, such as articles of incorporation, minutes of board meetings, and resolutions, should be kept for a minimum of ten years after the date of the meeting, in accordance with Section 248 of the Companies Act 2006. This is a legal requirement, but it’s also very useful if you ever want to sell, float, or merge your business.
The rules for tax and accounting records vary, so it’s worth getting the fullest possible understanding of them. Because your VAT return is completed online (companies can in fact receive a fine for submitting a paper return), it’s easy to assume that you don’t have to keep extensive records. But the VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21 (October 2013) beg to differ: you’re expected to keep these records for a minimum of six years from the date they were made.
Human resources legislation comes with different challenges, in that some of the relevant laws set maximum periods of retention rather than minimums. Per the Data Protection Act 1998 and Section 5 of the Limitation Act 1980, documents such as training records and changes to terms and conditions must be kept for a maximum of six years from the point of creation. Keep an ex-employee’s P45 for too long, or destroy it early, and you could be in contravention of the law.
2. Improper document disposal
Shred-happy and shred-shy businesses alike may run afoul of the Data Protection Act 1998. Some companies employ a “destroy all” policy, which is at once overkill and quite possibly in breach of the recordkeeping rules and guidelines above. Others don’t dispose of documents correctly, and pay the price.
None other than the NHS paid this price in 2008, after 79,000 patient and staff records from Brighton & Sussex University Trust were kept on hard drives that were later sold on eBay. The result was a £325,000 fine.
If a record carries signatures, credit card numbers, or any other sensitive information, it needs to be safely destroyed, ideally in compliance with the BS EN 15713 standard for secure destruction. To avoid theft, make sure items awaiting shredding are placed in locked confidential waste bins, and that you receive a certificate of destruction confirming their disposal.
3. Unnecessary digitisation
The introduction of the EU’s General Data Protection Regulation has led to a surge in enquiries about digitisation. I mostly answer these enquiries with the question: “Why?” The easiest way to avoid digital information security laws is to avoid storing things digitally wherever possible. From a legal point of view, you don’t technically need to: one of our customers has 12,000 boxes of physical records in storage, and it’s easy to see why.
Hard-copy record storage may seem a bit analogue, but it’s cheaper than scanning and uploading documents to a server, which can cost between £80 and £200 per record box. The convenience of digitisation is mostly theoretical: if documents are kept securely and preserved adequately (you’ll want to make sure the boxes aren’t sprayed with anything that could cause degeneration), it’s typically easier to manage them physically. For certain records, such as wills and deeds, you’ll need to keep hard-copy originals in any case.
Data protection can be a legal, operational, and logistical nightmare, but it doesn’t have to be. Keep these best practices firmly in mind and you can refocus your company’s efforts on more profitable activities.
Paul Ravey is a sales and account manager at Access Records Management