Small businesses often collect personal data on customers and employees in the normal course of their business operations.
However, many are unaware of the importance of having consistent policies and systems in place to ensure they comply with the General Data Protection Regulation (GDPR).
What is personal data?
Personal data includes information such as a person's full name, mobile phone number, address or credit card details. Simply put, it is any information that, on its own or combined with other information, could identify a person.
What is a data retention policy?
A data retention policy sets out how long your company keeps the personal data it collects and how that data is reviewed and deleted. It is advisable that such a policy be put in writing and made easily accessible to customers and employees. In a small business environment, it would be permissible to combine the 'retention' aspect with the general data collection policy.
The policy should set out, in clear terms:
What data is collected;
What the data will be used for;
How periodic reviews of personal data will be carried out;
The period of time your company will retain personal data;
How personal data will be deleted.
How long can you keep personal data for?
This depends very much on the nature of your business and the purpose for which you collected the data. The main principle is that you should not keep personal data for longer than necessary. Some information (such as all information that must be kept for legal or tax purposes, including VAT) must be kept, by law, for a defined period of time.
What is the importance of data retention policies?
Failure to have adequate data retention policies in place can adversely affect a company. In serious cases, it could lead to a substantial fine or even criminal proceedings. There is also a risk of serious reputational damage if sensitive personal data, collected in the course of business operations, has been compromised to the detriment of the subject of that data.
How to create a data protection policy
A good data protection policy should offer protection to your customers and also be fully relevant to your company's needs and operations. The data protection policy should incorporate the data retention policy. To achieve this you need to:
Step 1: analyse the information collected by your company as part of its daily operations;
Step 2: identify the purpose for which this information is used and confirm that it is really necessary for your company;
Step 3: check that your customers have given clear consent for their information to be collected by you and for the purposes for which it is used;
Step 4: check how this information is stored and whether it is secure;
Step 5: check that you retain this information for no longer than is strictly necessary or that you have a legal obligation to retain this information for a longer period of time;
Step 6: consider how often to review the information held by your company to ensure that it is still necessary and accurate;
Step 7: have a clear policy on how to dispose of the data obtained and monitor and record its destruction.
Once you have completed these steps, you will be in a better position to develop a data protection policy. Transparency is a fundamental principle of data protection law and it is therefore crucial that people who provide their personal data are aware of and consent to:
The fact that their personal data is being collected;
The way in which their personal data will be used;
Their rights to rectify their personal data, to receive copies of all personal data held by your company and the right to remove and destroy it;
The details of your data retention policy.