Accountants, investment firms, banks and other financial service companies have an important duty to protect sensitive documents to meet data protection regulations, experts say as the latest data breach findings are released.

Reports from the Information Commissioner’s Office found that the finance, insurance and credit sectors were responsible for a total of 243 data security incidents in the first quarter of 2019-20.

And according to research from August 2019, 70% of UK financial companies suffered a cybersecurity incident over the previous 12 months, with almost half caused by employees failing to follow company data protection policies.

A data breach can have catastrophic consequences for a business. It could lead to lost clients or customers, damage to the business’s reputation, or a staggering financial loss.

Breaching GDPR, the latest data protection law, could result in a fine of up to €20 million (£17.4 million) or 4% of the company’s annual global turnover, whichever is higher.

Dave Fitzgibbon, IT manager at corporate finance specialist and loan company RLA Capital, says: “Making sure that documents are stored safely and only accessible by those with the correct level of authority should be the main focus for any company.”

How to efficiently and securely store sensitive documents

More businesses are choosing to store their documents digitally to save space and make them easier to access. However, without stringent online protection, sensitive data could be compromised. Such protection includes installing a firewall to secure the internet connection, using antivirus software and keeping devices and software up to date.

Dave adds: “Digital documents must be stored in a secure area, accessible only to those with the required authority. Levels of access play an important part, with administrative or user rights and of course strong password protection. If possible, using some form of encryption for sensitive documents is beneficial.”

If businesses don’t have the time or budget to maintain a secure digital document system, they have the option of keeping files in an offsite storage facility. This frees up office space and ensures the records are safely monitored to prevent theft and accidental harm. 

Jonathan Richardson, managing director at secure archiving specialist Russell Richardson, says: “Archiving services restrict access to security-checked employees only and ensure documents are constantly monitored by CCTV. Any files that are moved or retrieved by staff are also logged through a scanning system.”

Even companies that have a stringent online storage system may still need to keep paper versions of some files.

Dave adds: “Sometimes finance companies must keep original documents; for example, a signed credit agreement. In these instances, the documents must be kept in an orderly and secure manner.

“When securing sensitive documents, you will need to consider your ‘threat model’. A threat model will outline any risks to your company systems and data—who, what, where and why may try to access, tamper with or destroy your data. Based on this, you can make reasonable adjustments and implement security features to reduce the impact of any threats identified.”

What documents should financial companies store?

According to Dave, the key documents that finance companies should store include:

  • VAT returns
  • bank statements
  • invoices – both customer and supplier
  • receipts
  • aged debtors
  • aged creditors
  • year-end accounts
  • management accounts
  • trading agreements/contracts
  • financial forecasts

Documents that should be stored securely to comply with GDPR regulations include:

  • contact details
  • privacy statements
  • marketing preferences
  • employee contracts
  • accident records
  • payslips and P45s etc
  • data controller information
  • tax records

“An organised storage system improves efficiency. It ensures that important files can be retrieved quickly and easily, so clients and customers don’t see any delays that could make a bad impression,” explains Jonathan.

What retention periods and regulations should be met?

There are legal timeframes that dictate how long businesses should hold certain financial documents. Some of these regulations are as follows:

  • Accounting and tax documents should be kept for three years by private companies and six years by public limited companies.
  • VAT records must be kept for at least six years.
  • Wage and salary records should be stored for six years.
  • Expense accounts should be stored for six years, from the end of the related tax year.
  • National Insurance returns and HMRC correspondence documents should be kept for three years from the end of the related tax year.
  • It’s advised, but not required, that HMRC approval documents are stored permanently.

“Retention periods have been included in existing data protection law for several years,” says Jonathan. “Although GDPR doesn’t specify legal time limitations for storing documents, it does state that personal data must only be stored by companies for as long as needed.”

Under the Money Laundering Regulations 2017, money service businesses must keep records of all customer due diligence measures that have been carried out in case there are any investigations into a customer. These records include, but are not limited to: 

  • customer identification documents
  • risk assessments
  • training records
  • the company’s policies, controls and procedures.

These records and any supporting documents should be stored for five years following the end of the business relationship or the completion of the transaction. After this timeframe, any personal data must be destroyed unless:

  • you have the consent of the person whose data it is
  • you are required to retain records containing personal data under an enactment
  • it is for the purpose of court proceedings
  • you have reasonable grounds for believing the records need to be retained for legal proceedings

Do any documents need to be permanently destroyed?  

Businesses are responsible for sensitive documents from when they are created until they are no longer in use. This includes disposing of the files properly once they have reached the end of their legal retention period.

Dave concludes: “If documents contain information that you no longer need, then you must dispose of it immediately. For example, if a finance company receives bank statements from a client in the post, these should be scanned in, saved securely and either returned to the client or disposed of securely. This can be done by shredding or with a confidential waste bin service.

“A confidential waste bin service is where a company supplies a locked paper waste bin and then offers a service where they collect the disposed-of paper and destroy it.”

Financial information is highly vulnerable to theft and fraud, so companies that handle it must ensure it is stored in a safe environment and permanently destroyed when required. A document management process can be time-consuming and, without dedicated staff to fulfil this duty, it can seem like an impossible task. However, outsourcing the files to an archiving facility can improve workflow, while greatly reducing the risk of security breaches.