I’m retiring, what do I need to do for GDPR to wind up my business?
If you’re winding up your business, there are a few essential things you must do with the personal data you’re holding, depending on why you’re holding it and what needs to be kept.
It’s good practice to tell everyone (employees, customers, clients, suppliers and others whose personal data your business might hold) what you will do with their information and how they can either access it in future or be sure that it’s been deleted.
Records that must be kept
There are some records that must definitely be kept. If you have employees, check how long you should keep their health and safety records. The Health & Safety Executive recommends employers keep health records for 40 years after the last entry. For example, this could include dust monitoring or asbestos exposure records.
Different businesses will need to retain different records. For example, a will writer would need to ensure they made provision for the retention of their clients’ wills and any supporting records that are needed to demonstrate the validity of those wills. You must make the right arrangements for those records to be kept safe and secure, and you also need to tell the clients or their legal representatives where they will be kept.
For all businesses, it’s prudent to keep a copy of your data protection and information security records (including the level of access that people had) in case a previous breach is discovered – you’ll need to have evidence to show what measures you had in place.
Secure and accessible storage
Where you need to retain records, look for an appropriate archive for storage: somewhere that will keep the files secure but accessible for the right time and keep them safe from damage (fire, flood or rodents).
A good example of suitable storage for wills is the National Will Archive. For other businesses, there are many document storage services that can offer help. You’ll need to pay for these services up front and make sure that your website shows how the information can be accessed in the future (for example – what if someone wants to access their health and safety information in 39 years’ time? Do you have a legal representative who can get access while you’re sunning yourself overseas on your retirement?)
There are likely to be some legal records that you must keep for tax and other purposes. Typically, those need to be kept for six years and you should make sure you also have those available. It might be easier to keep electronic copies of those documents in the cloud – there are many options available such as Microsoft’s OneDrive or Apple’s iCloud.
Personal information that needs to be destroyed
Finally, there is probably a lot of personal information that you will need to destroy – either straight away or over the following years, depending on how long you said in your privacy notice that you would keep it and whether you still need it for any purpose. Shredding paper documents is easy but you might like to use a commercial service that will give you a certificate of destruction.
The harder part is with your computer files. Did you know that pressing ‘delete’ might not actually delete the files? Find a local reputable IT expert who can securely erase the computer records (this might mean completely wiping your whole computer) and – again – get a certificate to show that this data was eradicated.
There have been many cases where old discarded computers have been accessed and information recovered, so make sure that your computers are properly wiped. Find out more about disposing of data-storing IT and electrical equipment under GDPR.
After that, you can relax and enjoy your retirement! Have fun!
Protect your business - become and remain GDPR compliant with Astrid