Staying on top of your records through effective document management is essential for any business, for both legal and practical reasons. The taxman demands accurate financial records, Companies House needs you to keep robust business records, and your sanity demands you keep track of everything else. Those who cannot remember the past are condemned to repeat it, and it rarely feels more like condemnation than when you’re having to recreate something from scratch when you know it already exists somewhere, you just can’t find it.
For minor issues this is maddening; for legally required documents it can put your entire business at risk. HMRC and Companies House can impose steep penalties for non-compliance, so it’s critical that your company follows best practice in document archiving and retention. To help with that, we’ve put together a practical, risk-focused checklist for archiving business documents.
1. Inventory and classify your records
Map out the information you hold, where it lives, who owns it, and whether it contains personal data or special-category data (health, biometric, ethnicity and similar information). Special-category data carries additional security implications and, under UK GDPR Article 9, may only be processed if one of a limited set of conditions applies; if you cannot name the condition that justifies keeping it, you have no basis to retain it and it should be removed.
2. Have a clear, functioning filing system
Being able to find data quickly is as important for compliance as having created it in the first place. The ICO specifies that records must be stored “in a way that facilitates management, retrieval and disposal”, which means having excellent metadata and a logical file structure underpinning a robust filing system.
3. Set a written retention schedule (by record type) and review it regularly
This is a key audit requirement: you need to classify your records by type and have a written retention period for each. One of the more obvious legal requirements is for customer records: UK GDPR says you can’t retain personal data for longer than necessary for the purpose it was collected for, so your schedule should call for customer records to be purged (or anonymised) once that purpose has been met. Minutes of directors’ meetings, meanwhile, have to be kept for ten years, while other records need to be kept even longer.
4. For personal data, record the lawful basis and the storage limitation
A follow-up to the previous point: to comply with UK GDPR, your data retention policy has to state why you’re keeping each category of personal data (the lawful basis) and for how long (the storage limitation). Brace yourself for some difficult chats with the marketing team.
5. Confirm the rules that govern your sector, and reflect them in your policy
Picking the best DMS for your business means knowing the individual requirements of your industry. Document management for legal firms comes with its own needs that differ from those of accountancy practices or construction firms.
6. Be explicit about what happens to data when the retention period ends
You need to define what happens when the retention period ends - which in most cases will be deletion, although sometimes you will anonymise or transfer it - then apply it consistently. Deletion only counts if it reaches every copy: the live system, backups, mailboxes and any exports on shared drives, otherwise the retention period exists on paper only. This doesn’t have to go as far as putting physical drill bits through the hard drives (see point 12, below) but it has to go further than creating an endlessly-skipped action point for a junior staff member.
7. Ensure your data and archives are secure
You need to apply strong access controls (least-privilege permissions and multi-factor authentication), encryption for data both at rest and in transit, and automatic logging of file access. Bear in mind that encryption at rest protects you against lost or stolen media, not against a compromised account that is entitled to read the data, so access control and regular review of the access logs matter just as much. Picking a DMS with robust security is an essential prerequisite for managing documents in the cloud.
8. Back up your archives - and check the backup actually works
Many businesses have been undone by having a backup system but never checking it - only to discover long-standing errors when the worst happens and they cannot recover. Schedule regular restore tests (actually restore a sample of records and confirm they match the originals) rather than trusting a “backup completed” message. Using cloud backup reduces the risk of simple hardware failure or user error catching you out, but keep at least one copy that is offline or immutable, so that ransomware or a compromised administrator account cannot delete the backups along with the live data.
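As an added example (not code from the original article or from any vendor), here is the kind of restore test point 8 is asking for: back up a constructed folder of records with a per-file SHA-256 manifest, restore the archive to a scratch directory, and compare what came back against the manifest. The second archive deliberately skips one file, which is how a silently broken backup job looks in practice. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Restore-test a backup: archive, restore to scratch, verify against a manifest."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 (posix separators)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(root: Path, archive: Path, skip: frozenset[str] = frozenset()) -> None:
    """Write a tar.gz of root. `skip` simulates a backup job that misses files."""
    with tarfile.open(archive, "w:gz") as tar:
        for rel in build_manifest(root):
            if rel not in skip:
                tar.add(root / rel, arcname=rel)


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract with the 'data' filter (Python 3.12+) to refuse path-traversal members."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:  # older interpreter without the filter API
            tar.extractall(dest)


def restore_and_verify(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and return a list of problems (empty means OK)."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        safe_extract(archive, dest)
        restored = build_manifest(dest)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupt: {rel}")
        for rel in sorted(restored.keys() - expected.keys()):
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed records folder, take a good and a broken backup, verify both."""
    with tempfile.TemporaryDirectory() as work:
        base = Path(work)
        src = base / "records"
        (src / "ledger").mkdir(parents=True)
        # Constructed sample records, not real business data.
        (src / "ledger" / "2023.csv").write_text("date,amount\n2023-01-31,100.00\n")
        (src / "minutes.txt").write_text("Board minutes: constructed sample\n")
        manifest = build_manifest(src)          # taken at backup time, stored with the backup

        good = base / "good.tar.gz"
        make_backup(src, good)
        bad = base / "bad.tar.gz"
        make_backup(src, bad, skip=frozenset({"ledger/2023.csv"}))  # the job "completed"

        return restore_and_verify(good, manifest), restore_and_verify(bad, manifest)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("good backup problems:", good_result)
    print("bad backup problems: ", bad_result)
```

Store the manifest alongside, not inside, the archive (and ideally on the immutable copy), so a backup that was corrupted or truncated after the fact still fails the check. The same comparison works for any restore target, including a cloud backup service, as long as you can pull the files back to a location you control.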
9. Consider how you handle cross-border storage
If UK personal data leaves the UK (for instance, cloud archiving in the US or EU), use an approved transfer mechanism and carry out the risk assessment the ICO advises: either rely on UK adequacy regulations for the destination country, or put in place the ICO’s International Data Transfer Agreement (or its Addendum to the EU standard contractual clauses) together with a transfer risk assessment.
10. Manage emails and messages as records (where relevant)
Email and instant messages can be as important as traditional business records in the eyes of the law, so they must be retained, searchable and disposed of with the same care. Workiro’s integrated instant messaging system and deep Office 365 integration mean you can easily capture relevant discussions from within the platform.
11. Train staff and audit compliance
Policies only work if people know about them. Make sure your data retention and security policies are available to all staff, that owners have been assigned and trained for each type of record, and that you carry out regular audits to check the processes are actually being followed.
12. Sanitise media/devices before reuse or disposal
If you have confidential data stored on physical devices, like hard drives or USB sticks, they need to be sanitised or securely destroyed before reuse or disposal to ensure data protection. The US guidelines, NIST SP 800-88 (Guidelines for Media Sanitization), are the ones to follow here: they set out when overwriting is enough and when you need cryptographic erase or physical destruction. Note that overwriting is not reliable on SSDs and flash media because of wear levelling, so for those use the drive’s built-in secure-erase or crypto-erase function, or destroy them. Using cloud storage for business moves the decommissioning of the storage hardware onto the provider, but the laptops, phones and removable media your staff use remain your responsibility, and you should keep a record of what was sanitised, how, and by whom.
13. Know if staff have problems finding records, and fix the problems if they do
The ICO’s accountability measures include knowing about any issues and taking steps to address them. Don’t assume that everything is working perfectly: problems that people work around rather than fix can trip you up.
14. Pause deletion if there is the chance of a legal challenge
If litigation is being “contemplated” then you will need to retain any relevant files, even if the legal case hasn’t started. A legal hold has to override the retention schedule, so make sure automated deletion can be suspended for the records concerned and that the hold itself is logged. Your staff training needs to include telling people how to spot triggers (like claims, complaints or regulatory investigations) and preserve relevant files immediately.
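Points 3, 6 and 14 describe one procedure: a written retention period per record type, a defined action when it expires, and a legal hold that overrides both. As an added example (not code from the original article or from any vendor), here is a small disposition engine that applies such a schedule to a batch of records and produces the audit trail point 15 asks you to keep. The schedule below is constructed for illustration; the ten-year period for board minutes is the one given in the text, while the other periods and the basis strings are assumptions you would replace with your own legal advice.

```python
"""Apply a retention schedule with legal-hold override and produce an audit log."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Action(Enum):
    RETAIN = "retain"            # still inside the retention period
    DELETE = "delete"            # retention expired: remove every copy
    ANONYMISE = "anonymise"      # retention expired: strip identifiers, keep statistics
    HOLD = "legal_hold"          # litigation contemplated: nothing is touched


@dataclass(frozen=True)
class Rule:
    retain_years: int
    on_expiry: Action            # what happens at the end of the period (point 6)
    basis: str                   # why the record is kept at all (point 4)


# Constructed schedule. Only the board-minutes period comes from the text above;
# the other periods and basis strings are assumptions for the demonstration.
SCHEDULE: dict[str, Rule] = {
    "board_minutes": Rule(10, Action.DELETE, "Companies Act statutory duty (text above: 10 years)"),
    "accounting_record": Rule(6, Action.DELETE, "assumed statutory duty (6 years)"),
    "customer_record": Rule(2, Action.ANONYMISE, "assumed: contract, then storage limitation"),
    "marketing_consent": Rule(1, Action.DELETE, "assumed: consent, then storage limitation"),
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 February lands on 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, today: date, schedule: dict[str, Rule] = SCHEDULE) -> Action:
    """Decide what to do with one record. Unclassified records are an error, not a guess."""
    if record.record_type not in schedule:
        raise KeyError(f"no retention rule for record type {record.record_type!r}")
    if record.legal_hold:                         # point 14: hold overrides the schedule
        return Action.HOLD
    rule = schedule[record.record_type]
    if today < add_years(record.created, rule.retain_years):
        return Action.RETAIN
    return rule.on_expiry                         # point 6: the defined end-of-life action


def run_schedule(records: list[Record], today: date, schedule: dict[str, Rule] = SCHEDULE) -> list[dict]:
    """Evaluate a batch and return audit-log entries: the evidence point 15 asks for."""
    log = []
    for rec in records:
        rule = schedule[rec.record_type]
        log.append({
            "record_id": rec.record_id,
            "type": rec.record_type,
            "created": rec.created.isoformat(),
            "retention_ends": add_years(rec.created, rule.retain_years).isoformat(),
            "basis": rule.basis,
            "action": disposition(rec, today, schedule).value,
            "evaluated_on": today.isoformat(),
        })
    return log


# Constructed sample batch, not real records.
SAMPLE_RECORDS = [
    Record("BM-2014-03", "board_minutes", date(2014, 3, 1)),
    Record("BM-2016-03", "board_minutes", date(2016, 3, 1)),
    Record("CUST-0042", "customer_record", date(2022, 6, 1)),
    Record("CUST-0077", "customer_record", date(2020, 1, 1), legal_hold=True),
    Record("MKT-0009", "marketing_consent", date(2024, 2, 29)),
]

if __name__ == "__main__":
    for entry in run_schedule(SAMPLE_RECORDS, date(2025, 1, 15)):
        print(f"{entry['record_id']:<12} {entry['type']:<18} ends {entry['retention_ends']}  -> {entry['action']}")
```

Two design choices are worth copying: an unknown record type raises rather than silently defaulting to “keep forever” (which is how uninventoried data accumulates), and the legal-hold check runs before the date arithmetic, so a held record is never queued for deletion regardless of how stale it is. The log entries are what you would retain as destruction evidence, alongside confirmation from each system (including backups) that the action actually completed.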
15. Keep evidence of compliance
Maintain your retention schedule, legal-hold logs, destruction certificates, DPIAs and policy/training records, so you can prove what you did and why. In the UK, the ICO’s accountability guidance is the reference point; for a US view of how to evidence the whole records lifecycle, the HHS records-management policy is a useful model.
To get some tailored advice about how your business can embrace document archiving, get in touch with one of our specialists.