Data Retention Policy

GHStartups.com (“we”, “our”, “us”) shall only keep information it holds for as long as is necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors.

This Data Retention Policy (“Policy”) covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Note that the need to retain certain information can be mandated by local and industry regulations, and retention will comply with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2016. Where this Policy differs from applicable regulations, the applicable regulations will take precedence.

As a general rule, we retain all information only for as long as specified in this Policy and, in general, no longer than five years plus the current year.


Current plus five-year rule
As a general rule, we shall not hold personal data for more than five years after it ceases to be current, unless there is a specific reason for doing so (see ‘Exceptions to the five-year rule’ below for the specific categories requiring different retention periods). The definition of ‘current’ will vary according to the personal data: for example, it will mean until a customer has found office space or, where the data relates to staff, until a member of staff has ceased being employed by GHStartups.com.

It should be remembered that the ‘current plus five years’ rule is a maximum period for retention. If there is no need to keep the personal data that long, then it should be disposed of securely before the five-year time-limit. This may be the case in respect of a CV application for a job with us.


Exceptions to the five-year rule
Some data must be retained in order to protect GHStartups’ interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
- Regulatory requirements;
- Litigation;
- Security incident investigation.

GHStartups may also keep the e-mail addresses and telephone numbers of data subjects who unsubscribe from marketing communications to ensure that there is a record on file noting that the individual is not to be directly marketed to.

Please see the attached Data Retention Schedule (“Schedule”) for guidance on determining the length of time for which personal data within certain categories should be retained.

Data destruction
Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will use data efficiently, thereby making data management and data retrieval more cost-effective.

When the retention timeframe expires, GHStartups will actively destroy the data covered by this Policy. If an employee of GHStartups feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the Policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of GHStartups’s management team.

GHStartups specifically directs employees not to destroy data in violation of this Policy. Destroying data that an employee may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy, is strictly forbidden.


Records can be destroyed in the following ways:

- Non-sensitive information – can be placed in a normal rubbish bin/recycling.
- Confidential information – cross-cut shredded and pulped or burnt.
- Electronic equipment containing information – destroyed using KillDisk; individual folders will be permanently deleted from the system.

Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.


Sharing of information
Duplicate records should be destroyed. Where information has been regularly shared between business areas, only the original records should be retained. Care should be taken that seemingly duplicate records have not been annotated.

Where we share information with other bodies, we will seek to ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance.


Audit trail
You do not need to document the disposal of records which have been listed on the Schedule. Any documents which are disposed of earlier or kept for longer than listed in the Schedule will need to be recorded for audit purposes.

This will provide an audit trail for any inspections conducted by the Information Commissioner, where we no longer hold the material.


Monitoring
Responsibility for monitoring this Policy rests with a Chief Monitoring Officer (CMO). This Policy shall be reviewed annually.



Data Retention Schedule


| Category | Examples | Retention Period |
| --- | --- | --- |
| Financial records | Payroll data, Purchase Ledger, Sales Ledger | Current tax year plus five years |
| Personal data relating to customers | Customer contact details, Customer notes | Personal data will be held for as long as the individual is a customer of the company plus 6 years. |
| Personal data relating to employees | Staff details, References, Disciplinary records | General employee data will be held for the duration of employment and then for 6 years after the date of termination. Employee contracts will be held for 6 years after the date of termination. |
| Tax records | Tax documentation | Current financial year plus 6 years |
| Corporation records | Annual Report and Accounts, Board Minutes, Quarterly Reports | Current financial year plus 5 years |
| Recruitment details | CV, Interview notes | Details relating to unsuccessful applicants will be held for 6 months after interview and shall then be destroyed |
| Complaints | Correspondence with complainants | Current year of complaint plus six years |
| Contractual arrangements | Service level agreements, Legal contracts | Life of contract plus six years |
| Data protection requests | Correspondence regarding DP requests | Current year of request plus six years |
| Insurance | Insurance Policies, Employers Liability Claims | In general, insurance policies should be kept for the length of the policy plus 6 years. Employers Liability Claims should be kept permanently. |