GDPR has called for businesses to update their security processes in order to minimize the risk of a data breach, which can result in large fines and reputational damage.
Adopting new online security practices, or changing existing ones, has been the biggest consideration for companies looking to become more compliant, but it’s just as important to look at offline measures, such as how your documents are stored and destroyed.
A simple thing firms can do to update their offline security is to implement a company-wide document retention policy (DRP), also known as a records and information management policy or recordkeeping policy. It may sound dry or unnecessary - and leave you wondering when you’ll be done with all this GDPR ‘stuff’ - but think about the potential consequences. What could happen if a document containing sensitive information were to fall into the wrong hands? It’s always best to be covered from every angle, especially when the Information Commissioner’s Office (ICO) has set new fines of up to €20 million or 4% of a business’s annual turnover.
What is a document retention policy?
In its basic form, a DRP outlines a company's protocol for creating, managing, and destroying organization and client data. This procedure is vital for ensuring sensitive documents are handled correctly, from the moment that they're created, through to a specified disposal date.
Why do I need a DRP and what are the benefits?
As with GDPR, the creation of a DRP is all about having the correct processes in place. Do you really know how to store and destroy sensitive information at your company? Is it partly your responsibility? If not, who do you need to speak to in order to ensure data is kept safe at all times?
A protocol with clearly defined responsibilities and guidelines will not only make your company safer, it will also save you time down the line, as you’ll know exactly where a document is, how to locate it, and when and how it needs to be destroyed (in accordance with a timeline set by you).
In addition, a DRP protects past employees, whether they left voluntarily or involuntarily, and should be incorporated into contracts and agreements for new employees or clients joining the firm. The policy should include instructions for how to safely destroy company records stored on personal devices and company USB drives, and how to erase and reset other company-owned devices such as phones or tablets, among other things.
Implementing a document retention policy
A DRP should be implemented company-wide within a staff handbook, distributed digitally through a memo or scheduled training sessions, or introduced through amendments to current data management policies. Here are some top tips to get you started:
Seek legal advice
Before you go any further, it’s worth seeking advice from the professionals to help you with the process, if you have the funds to do so. A lawyer will get to know your business and what you need a DRP for, and will be able to help you understand the different legal requirements for the retention and destruction of the documents you’re dealing with.
Appoint someone to oversee the whole process
While it’s up to everyone to comply with a DRP, it should be the responsibility of a couple of individuals to oversee the process. This stops things from becoming unnecessarily complicated - as the famous saying goes, “too many cooks spoil the broth”. Having said that, it’s also important to consult different departments across the company.
Once in place, you should also determine who - or which department - will be responsible for ensuring compliance. Who will store the documents, and where? Who will destroy the documents, and how?
Choose how documents are managed and destroyed
Messy desks are a threat to your business’s security, which is why it’s so important to ensure documents are stored correctly, in lockable filing cabinets at the very least. For maximum security, and to save space, companies may want to consider investing in a self-storage or off-site storage facility.
You should never tell your staff it’s acceptable to throw their documents in the bin once they’re no longer required. At the very least they should be shredded to make them illegible, and there are third-party companies that will shred your documents for you for a fee. These businesses often offer either on-site or off-site destruction, using state-of-the-art industrial machinery.
Provide training to employees
There’s no point creating a new, company-wide policy if no one knows about it! A training session, delivered in advance of its enforcement, gives employees time to understand how they can help comply with the DRP and who they should turn to if they have any further questions about it. Make any training material accessible so that current and new employees alike can refer to it whenever they wish.