SME compliances

Discussion in 'The Lounge - Off Topic' started by westernkings, May 4, 2011.

  1. westernkings

    westernkings Gigabyte Poster

    Does anyone have any good advice or articles on what are the legal requirements (if any) for SMEs on things such as recording and archiving emails etc.?

    I feel like it's one gap in my knowledge base that I could rectify quickly enough with some reading?
     
    Certifications: MCITP:VA, MCITP:EA, MCDST, MCTS, MCITP:EST7, MCITP:SA, PRINCE2, ITILv3
  2. Kitkatninja

    Kitkatninja aka me, myself & I Moderator

    Does this help? To my knowledge, it doesn't matter if it's a small, medium or large organisation/enterprise. It applies to every business.

    -Ken
     
    Certifications: MSc, PGDip, PGCert, BSc, HNC, LCGI, MBCS CITP, MCP, MCSA, MCSE, MCE, A+, N+, S+, Server+
    WIP: MSc Cyber Security
  3. westernkings

    westernkings Gigabyte Poster

    So it's a legal requirement to have them in place? Or is it just a case of you're up the creek without a paddle if you don't have them in place when you really need it, so it's better to have them?
     
    Certifications: MCITP:VA, MCITP:EA, MCDST, MCTS, MCITP:EST7, MCITP:SA, PRINCE2, ITILv3
  4. JonnyMX

    JonnyMX Petabyte Poster

    I've dealt with the information commissioner on a number of occasions.
    It's really a matter of being reasonable and sensible, and it's also a game of odds.
    You'd have to be pretty unlucky for someone to take an official interest in your internal practices (such as a tribunal), and if they do, and you haven't followed best practices/legal requirements then it doesn't help your case.

    But again, the word is always 'reasonable', which is vague as anything.
    Do you take reasonable care to protect data?
    Do you store personal information for a reasonable length of time?

    It all depends on how your business works.
    For example, if your sales force needs access to your clients' personal information in order to do their daily job, then it is not reasonable to have them locked in a vault, or protected by a password that only the manager knows. But do the sales force need to be able to see everything? Order history, payment details, outstanding bills? Maybe, maybe not. If the question gets asked, as long as you have a sensible (and reasonable) answer, you should be OK.

    If you are going to record emails or phone calls, make sure staff know that's what you are doing.
    If you intend to discipline staff for improper use of company phones or email, make sure they know that and apply it fairly.

    Having said all that, there are rules about storing things like credit card numbers, which you may want to check out. Whichever bank your company uses will be able to tell you.
     
    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  5. westernkings

    westernkings Gigabyte Poster

    Thanks for that mate. Right now the case is the Exchange database is backed up daily and staff simply do not delete emails. However, there is no recording or archiving going on and we have agreed due to the nature of the work they do that it is only good to implement something.

    I was thinking Journalling and then something else but not overly clued up on the products and choice available for a small firm.

    +REP mate
     
    Certifications: MCITP:VA, MCITP:EA, MCDST, MCTS, MCITP:EST7, MCITP:SA, PRINCE2, ITILv3
