How long do I need to keep my business data?

Data is one of your core business assets. Think of all the different types of data kept by your business. You are trusted with client records and correspondence; you keep your own business records, plans and financial information; HR maintains employee records, and there’s a raft of different types of information. It’s essential to back up this sensitive data, but realistically, how long do you need to keep backing it up for? What are your obligations to retain data? Are there legal requirements to keep data for any specific length of time? Are there specific rules for particular industries? And has GDPR affected these guidelines? (more on this in another blog).

If you advise clients in any capacity, are there particular legal requirements that you need to adhere to? Although many sectors such as the law and accountancy offer guidance in relation to how long files should be retained in storage, HMRC’s requirements in relation to their own record management should definitely be borne in mind. HMRC advises: “Any information created, received and maintained as evidence and information by an organisation, in pursuance of legal obligations or in the transaction of business” be maintained for 6 years plus current (otherwise known as 6 + 1). And the Companies Act 2006 stipulates the length of time accounting records needs to be kept for various different types of companies.

Backups

Many firms outsource their data backup and archiving to their managed service provider or specialist data management company. Data backup packages often start at a rolling 30 days period, but bearing in mind HMRC’s requirements, you should consider what would your business do if it needed to recover data from 45 days ago? What happens if your data gets corrupted and you need to roll back from 2 years ago? What happens if you don’t notice that data has been lost until months after the event?

Insurance considerations

Your business insurance may also come into question. If your business suffers from a cyber-attack or is infected by ransomware, you need to be able to recover your data so you can continue to service clients as usual. If you have taken insurance cover and need to claim for full system recovery and data restore and you are found to only have limited data retention and backups, you could find that your insurance policy does not cover your loss. And on a practical level, if you only have 30 days of backup to revert to and if these are also compromised, you have no data restore point at all to start from.

What actually is a backup?

It’s best to think of a backup as an exact replica of your data at a given point in time.  However, there are numerous “sync” services and solutions that are often thought of as a backup solution.  They definitely are not backup solutions – if one copy is corrupted, the other is also corrupted.  Be careful when considering your backup strategy and ensure it is fit for the purpose intended.

Consider your choices

When considering your options on data backup and archiving, bear in mind that a basic 30 day rolling backup package will not enable you to restore older data, and nor will sync-copies. This could have a significant impact on your obligations to safeguard clients’ data. And with HMRC’s seven year policy for data retention, although there may be a cost to archive data for such a long period, in the long run, it really is best practice and you shouldn’t cut corners.

Find out more about best practice in data backup and archiving – speak to us.

Learn how we can help transform your business

Get in touch online or give us a call on 0345 504 8989