Wanne Pemmelaar from filerskeepers explains why every organisation needs a data retention policy and highlights the challenges involved in implementing an effective data retention policy.
Have you ever thought about how much data your business holds, and how much extra data is generated every day? A lot.
Most businesses excel at hoarding data, often preferring to store information for long periods rather than tackle difficult decisions on if, when and how to delete data, whilst all the time adding to the amount of data retained. This approach can come into conflict with general principles of data minimisation in data privacy laws such as GDPR, as well as a host of specific data retention requirements that apply to areas such as tax, accounting, HR, and health and safety records.
Data retention is a topic we at aosphere are asked about quite a lot! In the context of data privacy, we ask local counsel to confirm if restrictions apply to how long personal data can be kept, and we also know it’s an issue for shareholding disclosure rules where clients have asked if there are any specific data retention rules as regards net short position reporting. Aside from some of the headline issues that we flag within aosphere, we know that there are significant challenges in developing and maintaining knowledge about the precise detail of data retention rules globally (e.g. by specific sector and location) and then developing a policy that works for firms operating globally.
One person who has made it his mission to untangle this complexity is Wanne Pemmelaar, the CEO and founder of filerskeepers, a records retention management company. Having previously worked at leading international law firm Allen & Overy (A&O), Wanne left A&O in 2019 to develop filerskeepers and is passionate about all things data retention! In this article we asked Wanne to explain why every organisation needs a data retention policy and to highlight some of the challenges involved in implementing an effective data retention policy.
What are the main challenges around putting in place an effective data retention policy?
The challenges probably fall into two main buckets:
First, there are a huge number of specific data retention requirements, all of which vary from country to country. There could be hundreds of data retention requirements per country which apply to information held by a business and no consistent approach or theme to those requirements across the globe. As a result, there are often conflicting requirements – what should you do if, for example, payroll records must be stored for at least 10 years in Poland and Romania, while in France those same payroll records should be deleted after 6 years? Compliance with records retention rules in one country can lead to non-compliance in another.
Most countries do have at least one rule in common: the hoarding approach is not ok and keeping records forever is not allowed. This is often brought into focus in the context of personal information where the GDPR and other data protection legislation around the world have data minimisation requirements, and hefty sanctions associated with breach.
Companies need to understand the different requirements and get to grips with when and how to delete information, both from a good housekeeping perspective and to reduce the risks associated with non-compliance with data privacy and other legislation.
A dashboard view of data retention obligations in the Netherlands!
Second, a granular approach to record retention is technically unrealistic, as internal systems don’t typically allow a per-country, per-record or per-data-point approach to keeping data. It’s just not possible to have a retention policy that requires IT systems to implement a huge number of different retention periods which apply to different information across different countries.
The solution to this is to arm yourself with a data retention schedule that contains all retention periods applicable in the countries you operate in, in one comprehensible schedule. A good data retention schedule will set out who should keep what data, for which time period, starting when, and if it is a maximum or minimum period, all structured using the same taxonomy and with a link to the legal reference.
Now you have the facts, you can then establish your golden standard. This is your view of the value you attach to all those different retention laws applicable to your data, taking into account where your business operates, where your employees are located, the location of data and data centres, where your turnover is generated, and so on. Once you have done the value exercise, you can then land on a simple and single actionable retention period which caters for the rules in your most high value jurisdictions.
The bad news is that 100% compliance with records retention rules is probably not possible due to conflicting laws and limitations set by technology. If your golden standard is 7 years while French law has a maximum retention period of 6 years and Russia wants you to store forever, you could be compliant with all laws but those of France and Russia. For these countries you will need to make a risk assessment and implement a separate fix according to your view of the risk.
How can filerskeepers help?
filerskeepers reads all the laws in the world in search of records retention obligations applicable to companies. They currently cover 220+ countries! The retention periods for each country are contained in comprehensive data retention schedules in accordance with various industries and data types, and later integrated into a comprehensive data retention dashboard and APIs, enriched with all the information companies need to determine their minimum and maximum legal retention periods in the countries relevant to them.
filerskeepers also provides Records Management Consulting Services that assist organisations in mapping the retention obligations to their own systems while also setting up a records management program, both locally and globally, thus cutting hundreds of hours of consulting back to minutes.
If you are interested in finding out more, please contact filerskeepers directly to try a free data retention schedule: www.filerskeepers.co/
How aosphere can help
aosphere provides subscription-based legal information services covering specific topic areas, including Rulefinder Data Privacy and Rulefinder Shareholding Disclosure. Our services are used by more than 750 organisations globally.