GDPR Compliance

Purpose

This policy was created to ensure that the records and documents of SAP Calculations Devon are adequately protected and maintained and to ensure that records that are no longer needed or are of no value are discarded. This policy will also aid employees in understanding their obligations in retaining electronic documents including e-mails, online files, text files, PDF documents, Microsoft Office documents and any other formatted files used within SAP Calculations Devon.

At the bottom of this policy we will also outline what steps SAP Calculations Devon have taken both before GDPR came into effect on 25th May 2018 and also after this date to stay as compliant as we can.

Policy

This policy represents SAP Calculations Devon's policy regarding the retention and disposal of both records and electronic documents.

Administration

SAP Calculations Devon will undertake monthly checks to determine if records and electronic documents are still required and dispose of them accordingly if deemed unnecessary. We will ensure that our schedule, as well as this policy, follows national legislation. We will hold annual reviews of our record retention and disposal program and will constantly monitor employee compliance with this policy.

In addition, any retained information we keep can and will only be used for the purpose for which it is stored. This is compliant with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

Suspension of Record Disposal In Event of Legal Proceedings or Claims

There are certain occasions when information needs to be preserved beyond the limits laid out in this policy. The policy guidelines will be suspended for an individual client or document and the information retained beyond the period specified in the following circumstances:

• Legal proceedings or a similar investigation to produce information are known to be likely, threatened or actual
• A crime is suspected or detected
• Information is relevant to a company in liquidation or receivership, where a debt is due to SAP Calculations Devon
• Information is considered by the owning unit to be of potential historical importance and this has been confirmed
• In the case of possible or actual legal proceedings, investigations or crimes occurring, the type of information that needs to be retained relates to any that will help or harm SAP Calculations Devon or the other side's case or liability or amount involved
• SAP Calculations Devon will take steps as necessary to promptly inform all staff of any suspension in the further disposal of documents

Security of Personal Information

SAP Calculations Devon will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information with all sensitive information stored on our secure servers.

Our clients should acknowledge that the transmission of information over the internet is inherently insecure, and that SAP Calculations Devon cannot guarantee the security of data sent over the internet.

Amendments

SAP Calculations Devon may update this policy from time to time by publishing a new version and as such this page should be checked occasionally to ensure that the policy remains relevant.

Applicability

This policy applies to all physical records generated at SAP Calculations Devon, including both original documents and reproductions. It also applies to the electronic documents described above.

This policy has been approved by the Managing Director of SAP Calculations Devon.

Record Retention Schedule

The Record Retention Schedule is organised as follows:

  1. Accounting and Finance
  2. Contracts
  3. Corporate Records
  4. Correspondence and Internal Memoranda
  5. Personal Information
  6. Electronic Records
  7. Grant Records
  8. Insurance Records
  9. Legal
  10. Miscellaneous
  11. Personnel Records
  12. Tax Records

1. ACCOUNTING AND FINANCE

Record type and then retention period.

• Annual Audit Reports and Financial Statements: Permanent
• Annual Audit Records, including work papers and other documents that relate to the audit: 7 years after audit completion
• Annual Plans and Budgets: 7 years
• Bank Statements and Cancelled Cheques: 7 years
• Employee Expense Reports: 7 years
• Interim Financial Statements: 7 years

2. CONTRACTS

Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supportive documentation): 7 years after expiration or termination

3. CORPORATE RECORDS

• Corporate Records (minutes, signed minutes of the Board and all committees, record of incorporation, articles of incorporation, annual corporate reports): Permanent
• Licenses and Permits: Permanent

4. CORRESPONDENCE AND INTERNAL MEMORANDA

General Principle: Most correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support. For instance, a letter pertaining to a particular contract would be retained as long as the contract (7 years after expiration). It is recommended that records that support a particular project be kept with the project and take on the retention time of that particular project file.

Correspondence or memoranda that do not pertain to documents having a prescribed retention period should generally be discarded sooner. These may be divided into two general categories:

1. Those pertaining to routine matters and having no significant, lasting consequences should be discarded within five years. Some examples include:

• Routine letters and notes that require no acknowledgment or follow up, such as notes of appreciation, congratulations, letters of transmittal and plans for meetings
• Form letters that require no follow up
• Letters of general inquiry and replies that complete a cycle of correspondence
• Letters or complaints requesting specific action that have no further value after changes are made or action taken (such as name or address change)
• Other letters of inconsequential subject matter or that definitely close correspondence to which no further reference will be necessary
• Chronological correspondence files

Please note that copies of interoffice correspondence and documents where a copy will be in the originating department file should be read and destroyed, unless that information provides reference to or direction to other documents and must be kept for project traceability.

2. Those pertaining to non-routine matters or having significant lasting consequences should generally be retained permanently.

5. RETAINING PERSONAL INFORMATION

This section sets out the data retention policies and procedure of SAP Calculations Devon, which are designed to help ensure compliance with legal obligations in relation to the retention and deletion of personal information.

Personal information that is processed by SAP Calculations Devon for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Without prejudice to point 2 (above) SAP Calculations Devon will usually delete personal data falling within the categories set out below at the date/time set out below:

Record Type and then Retention Period

• Information provided for subscribing to email notifications and/or newsletters (including a name and email address): Indefinitely or until the client chooses to 'unsubscribe'
• Information relating to any communications sent through the website such as quote enquiries (unless signed up to the newsletter in doing so, in which case refer to the previous point): 2 years following contact
• Information received during a callback request (unless subsequently signed up to a newsletter in which case refer to the first point): 2 years following contact
• Any other personal information chosen to be sent: 2 years following contact

Notwithstanding the other provisions of this Section, SAP Calculations Devon will retain documents (including electronic documents) containing personal data:

• To the extent that SAP Calculations Devon is required to do so by law
• If SAP Calculations Devon believes that the documents may be relevant to any ongoing or prospective legal proceedings
• To establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)
• If explicit consent is given by the data subject. Consent is requested at least every 2 years from candidates seeking contract roles and at least every 12 months for candidates seeking permanent employment

Each day SAP Calculations Devon will run a database backup copy of all electronic data contained on the SAP Calculations Devon data centre, except for the one financial package. All other databases are in the cloud, connected to a Tier 3 data centre. This backup will include all information relating to current users, as well as any information that remains due to any reason contained in this policy.

6. ELECTRONIC DOCUMENTS

1. Electronic Mail: Not all email needs to be retained, depending on the subject matter.

• All e-mail, from internal or external sources, is to be deleted after 12 months
• Staff will strive to keep all but an insignificant minority of their e-mail related to business issues
• SAP Calculations Devon will archive e-mail for 90 days after the staff has deleted it, after which time the e-mail will be permanently deleted
• Staff will take care not to send confidential/proprietary information held by SAP Calculations Devon to outside sources
• Any e-mail staff deem vital to the performance of their job should be copied to the relevant client or candidate record on Flow - SAP Calculations Devon's CRM System

2. Electronic Documents: including Office 365 and PDF files, retention also depends on the subject matter.

SAP Calculations Devon does not automatically delete electronic files beyond the dates specified in this policy. It is the responsibility of all staff to adhere to the guidelines specified in this policy.

In certain cases a document will be maintained in both paper and electronic form. In such cases the official document will be the electronic document.

7. INSURANCE RECORDS

• Certificates Issued to SAP Calculations Devon: Permanent
• Claims Files (including correspondence, medical records, etc.): Permanent
• Insurance Policies (including expired policies): Permanent

8. LEGAL FILES AND PAPERS

• Legal Memoranda and Opinions (including all subject matter files): 7 years after close of matter
• Litigation Files: 1 year after expiration of appeals or time for filing appeals
• Court Orders: Permanent

9. MISCELLANEOUS

• Material of Historical Value (including pictures, publications): Permanent
• Policy and Procedures Manuals – Original: Current version with revision history
• Annual Reports: Permanent

10. PERSONNEL RECORDS

• Employee Personnel Records (including individual attendance records, application forms, job or status change records, performance evaluations, termination papers, withholding information, garnishments, test results, training and qualification records): 7 years after separation
• Employment Contracts – Individual: 7 years after separation
• Employment Records Correspondence with Employment Agencies and Advertisements for Job Openings: 3 years from date of hiring decision

11. TAX RECORDS

General Principle: SAP Calculations Devon will keep books of account or records sufficient to establish gross income, deductions, credits or other matters required in any such return.

These documents and records will be kept for as long as the contents may become material in property tax, franchise and local income laws.

• Tax-Exemption Documents and Related Correspondence: Permanent
• Tax Bills, Receipts, Statements: 7 years
• Tax Returns: Permanent
• Sales/Use Tax Records: 7 years
• Annual Information Returns: Permanent

New Implementations for GDPR

SAP Calculations Devon is constantly looking at how we, as a business, can be as efficient as possible when abiding by these data protection laws. Due to these laws, SAP Calculations Devon has implemented the following changes to the way we work:

• Personal information has been removed from automated emails (such as telling our Credit Control department a payment has been made)
• Added functionality to quickly export a PDF document of a client's personal information should they request it
• Added functionality to quickly and easily delete all personal information relating to a client, should they request it
• Added opt-in tickbox to our mailing list throughout the website
• Added opt-in tickbox to our callback request box throughout the website
• Added opt-in tickbox to our quote request page to store potential client information
• Removed information from our databases that did not abide by the above timeframes
• Removed any clients that did not opt-in for our mailing list prior to the implementation of these laws
• Created an automated check once a month on all data to ensure it's within the timeframes outlined above
• Informed all our staff of how these new changes would impact them and the business as a whole
• Wrote a clear and concise policy (above) outlining what we're doing as a business to abide by these laws to be published on the website