Retention of Records
1.  Scope 
All Inchol Solutions’s records, whether analogue or digital, are subject to the retention requirements of this procedure.
2.  Responsibilities
2.1  The following roles are responsible for retention of these records because they are the information asset owners.
2.2  Asset owners are/responsible for ensuring that all personal data is collected, retained and destroyed in line with the requirements of the GDPR.
2.3  The Finance Director (CFO) is responsible for retention of financial (accounting, tax) and related records.
2.4  The Head of HR is responsible for retention of all HR records.
2.5  The Health and Safety Officer is responsible for retention of all Health and Safety records.
2.6  The Company Secretary is responsible for retention of all other statutory and regulatory records.
2.7  The Data Protection Officer / GDPR Owner is responsible for storage of data in line with this procedure.
2.8  The Manager/Executive (generic/line) is responsible for ensuring that retained records are included in business continuity and disaster recovery plans.
3.  Procedure
3.1  The required retention periods,  by record type, are recorded in (Retention of Records – GDPR REC 4.9) under the following categories:
3.1.1  Record type
3.1.2  Retention period
3.1.3  Retention period to start from (at creation, submission, payment, etc.)
3.1.4  Retention justification
3.1.5  Record medium
3.1.6  Disposal method
3.2  Each data asset that is stored is marked with the name of the record, the record type, the original owner of the data, the information classification (Information Classification Procedure GDPR-C DOC 8.2), the data of storage, the required retention period, the planned date of destruction, and any special information (e.g. in relation to cryptographic keys).
3.3  Cryptographic keys, which are required for identify record types above are retained.
3.4  For all storage media (electronic and hard copy records), Inchol Solutions retains [electronic data on AWS cloud for CEO/CTO/COO/Data Processor Officer access only and hard copy records on locked file cabinet for CEO/COO/Accountant/HR access only] the means to access that data.
3.5  For all electronic storage media, Inchol Solutions does not exceed 90% of the manufacturer’s recommended storage life. This is recorded in the Log of Information Assets for Disposal (GDPR-C REC 11.2.7). When the maximum of 90% of expected life is reached, the stored data is copied onto new storage media. 
3.6  The procedure for accessing stored data is detailed in Access Control Rules and Rights for Users/User Group (GDPR-C DOC 9.1.2).
3.7  The Data Protection Officer / GDPR Owner and Change Manager are responsible for destroying data once it has reached the end of the retention period as specified in Retention and Disposal Schedule (GDPR REC 4.9). Destruction must be completed within 30 days of the planned retention period. Destruction is handled as follows: All hard copy records must be shredded. All electronic data including databases and documents must be permanently deleted.
3.8  Portable/removable storage media are destroyed in line with GDPR-C DOC 11.2.7.