These companies could have saved millions if they followed these best practice steps
Brands face huge risks to their customers' data, and steep fines, when they don't enshrine a Records Management policy. Let's take a look at why.
For many years, companies have barely taken the first steps towards ensuring their records management and document storage programmes adhere to best-practice principles.
However, with ever-increasing regulations and standards to adhere to, companies that fail to follow best practice will be left increasingly exposed to financial penalties, especially from 2018 when the new GDPR (General Data Protection Regulation) comes into full force.
The GDPR will allow the bodies responsible for upholding information rights in the public interest to levy significant financial penalties on organisations that fail to comply with its regulations. In the UK this is the responsibility of the ICO (Information Commissioner's Office), which promotes data privacy for individuals.
Breaches of the new GDPR may incur fines of up to €1m or 2% of annual worldwide turnover – whichever is greater.
So how can you ensure you remain compliant and do not fall foul of the new regulations?
Foster the right culture in the workplace
Your staff are vital to the success of your compliance with all data protection regulations. Invest in educating your workforce so that employees are encouraged to promote good practice. It is very much a top-down approach, however: for your staff to buy in to your policies, they must see the senior figures in the business buying in too.
Data protection training is a must. All new employees should receive training at induction, but all staff should also undergo regular refreshers so that the key messages are reinforced until they become habit, and so that staff are informed of any changes to the policy.
Secure, controlled access to data
Limiting access to information held on your IT systems is a relatively simple practice. Controlling access so that only authorised users can reach particular information will reduce the risks associated with both accidental and malicious breaches.
Limiting access to physical information is trickier, however. If you house your business records internally, it is wise to centralise the storage area for these documents and ensure that access to that area is limited to authorised personnel only, with the details of each access being logged and retained.
Many businesses, however, find operating an internal controlled filing area expensive and difficult to manage, and often turn to an external supplier to provide document storage and management services.
By entrusting your documents to a document storage business such as Kelly’s you will reduce the risks associated with unauthorised and malicious access. By taking your documents off-site, information is immediately out of reach of your staff unless they go through a controlled authorisation process to retrieve the documents. Furthermore, the security of off-site facilities often far outweighs that found in-house. Internal and external CCTV, infra-red intruder detection throughout, fully security-background-checked employees, and fingerprint and PIN access control systems throughout are standard at Kelly’s.
At Kelly’s every request is tracked and verified at each stage of the retrieval process, providing you with a full track-and-trace audit trail detailing the names, dates, times and locations of each movement.
Active Document Destruction
Storing documents beyond their legal hold increases the risk to your business. Once a document has “served its time”, ensure you securely and confidentially shred it. Failure to destroy documents on time means the exposure to a possible breach increases. Such documents are likely to contain sensitive information, so the risk of a data protection issue is real. Keeping personal data for longer than it is useful is classed as a clear breach of the guidance provided by the ICO.
To reduce this risk, implement a data retention policy under which all documents are systematically destroyed once they reach their review date.
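The retention review described above can be driven from a simple record inventory. The following is an added example, not Kelly's code or tooling: it assumes a hypothetical inventory where each record carries a category, a creation date and a legal-hold flag, applies constructed retention periods (not a statement of any legal requirement), and for each record decides whether to destroy it, hold it, retain it, or flag it for manual review because no retention period is defined. Each decision is also rendered as an audit-trail line recording who, what, when, which record and why.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention periods in days per record category. These values are
# constructed for the example; a real policy sets them per category
# and jurisdiction, and they are not a statement of any legal requirement.
RETENTION_DAYS = {
    "payroll": 6 * 365,
    "customer_correspondence": 2 * 365,
    "recruitment_unsuccessful": 180,
}


@dataclass
class Record:
    ref: str                          # hypothetical inventory reference
    category: str
    created: date
    legal_hold: bool = False          # litigation/audit hold suspends destruction
    destroyed_on: Optional[date] = None


@dataclass
class Decision:
    ref: str
    action: str                       # "destroy", "hold", "retain" or "review"
    reason: str


def review_date(record: Record) -> Optional[date]:
    """Date on which the record becomes due for destruction, or None if
    the category has no retention period defined."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.created + timedelta(days=days)


def review_retention(records: List[Record], today: date) -> List[Decision]:
    """Apply the retention policy to every live record.

    Records with no defined retention period are never destroyed by default;
    they are flagged for a person to review, which is the safe failure mode.
    A legal hold always takes precedence over an expired retention period."""
    decisions = []
    for r in records:
        if r.destroyed_on is not None:
            continue                  # already destroyed; nothing to decide
        due = review_date(r)
        if due is None:
            decisions.append(Decision(
                r.ref, "review",
                f"no retention period defined for category {r.category!r}"))
        elif r.legal_hold:
            decisions.append(Decision(
                r.ref, "hold", "legal hold in place; destruction suspended"))
        elif today >= due:
            decisions.append(Decision(
                r.ref, "destroy", f"retention expired on {due.isoformat()}"))
        else:
            decisions.append(Decision(
                r.ref, "retain", f"review due {due.isoformat()}"))
    return decisions


def audit_line(decision: Decision, actor: str, today: date) -> str:
    """One audit-trail line per decision: when, who, what, which record, why."""
    return (f"{today.isoformat()} {actor} {decision.action.upper()} "
            f"{decision.ref}: {decision.reason}")


# Constructed sample inventory for demonstration.
SAMPLE_RECORDS = [
    Record("R1", "payroll", date(2010, 1, 1)),
    Record("R2", "customer_correspondence", date(2017, 1, 10)),
    Record("R3", "recruitment_unsuccessful", date(2017, 6, 1), legal_hold=True),
    Record("R4", "unknown_category", date(2015, 1, 1)),
    Record("R5", "payroll", date(2009, 1, 1), destroyed_on=date(2016, 1, 5)),
]


if __name__ == "__main__":
    run_date = date(2018, 5, 25)
    for d in review_retention(SAMPLE_RECORDS, run_date):
        print(audit_line(d, "records.officer", run_date))
```

Run stand-alone, the script prints one audit line per live record: R1 is due for destruction, R2 is retained until its review date, R3 is held despite its expired retention period, R4 is flagged for review, and R5 is skipped because it was already destroyed.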
If you need help in determining what your retention policy should be we can assist you in this area.
If you can build the right culture among your team, control access to data and information, and actively destroy information when due, you are well positioned to avoid potential data protection issues.
But even with such processes in place, and even if you are able to foster a desire among staff to protect data, breaches can and do still happen. What will define you and your business is how you respond to such incidents.
Being calm and measured in your response will be vital, and it is important to act decisively too. Get to the bottom of the breach: understand what happened and how it happened. Identify those affected and do all you can to protect the compromised data. Once the dust settles, review your data protection policy and procedures to see if there is anything you can do to prevent such a breach from recurring. Your business may just depend on your actions.