Why do I need a global records retention policy?
A lot of our customers ask us why they should care about records retention.Well you don’t have to care. It is just that your client, supplier, book keeper, accountant,
lawyer, notary, controller, auditor and many governmental officials care. There are literally thousands of retention rules that require you to keep or destroy records. It is a matter of good corporate housekeeping. If you know what to keep and what to throw out, you will be more in control. You will also run a smaller risk of trouble. Your stakeholders want you to have a records retention policy.
So what would you tell the German tax auditor if you fail to keep your tax records for 10 years? Of what do you tell the Irish Data Protection Commissioner if you decided to store recruitment data for 5 years? How are you going to tell your customer that you accidentally deleted the contract?
Or let’s say it in bullets, breaking retention rules could lead to all kinds of nasty surprises:
- Statutory fines and penalties (some even criminal in nature);
- Legal actions and a risk of forced settlement resulting because of the cost of compliance with e-discovery requests for old emails or other documents;
- Lost cases resulting from absent email and other lost business records (yes there is caselaw); and
- A waste of resources from high storage costs or an insufficient archiving and recovery process.
To us data retention is a very smart thing to do. Something to care about. A life saver in moments of truth, when it becomes bet the company. Because, well you know, filers… keepers…
Want some proof? Please read this whitepaper.
What to do with all those retention periods from all those countries?
Then again, records retention can be very, very difficult and 100% compliance is often impossible. Per country, hundreds of record retention rules could apply to your business. Only China is good for over 500 retention periods. Retention rules are often conflicting. What would you do if payroll records should be stored at least 50 years in Poland and Romania while in France those same payroll records should be deleted after 6 years? Compliance with records retention rules in one country can lead to non-compliance or loss of litigation position in another.
There is at least one commonality in most countries: keeping records forever is generally just not allowed. So companies will have to make sense of all those retention periods applying to their data around the world. Here comes the tricky part: a granular approach to records retention is probably not technically possible as most IT-systems or cloud tools do not allow a per country, record or data point approach to keeping data. It is basically the choice between keep forever or delete within one generic retention period. As a result, many companies implement simple custom tailored retention periods to ensure compliance with most record retention requirements instead of all. We call these optimal retention choices “golden standards”. These golden standards are often written down in a neatly structured global records retention policy. Below you will find the 8 steps to create your perfect records retention policy.
8 steps to create a perfect global records retention policy
A good global records retention policy contains all retention periods applicable in your organization. It tells you who is accountable for compliance with the policy, who manages the policy, who should keep what data, for which time period, starting when, and if it is a maximum or minimum period, and preferably all with a link to the legal reference. Ohw, and it tells you how to destroy data. Let’s get started:
- Determine your retention strategy
First decide: are you a data hoarder or a strategic litigator? Basically, data retention is not an exact science and it very much depends on your geographic scope, the industry you are in and the choices that your company makes with regard to the use of data. Geography can matter for example if you are in China, where the laws tell you to keep some data forever while in the US or Brazil you may risk ediscovery procedures that often inspire companies to keep their data a bit shorter. Your industry also matters. For example: telecom operators are often regulated to keep data for a shorter period of time compared to companies dealing with nuclear waste. Often times it just depends on the business model of a certain company and the use case it can imagine for its data. In that case, a retention policy focused on data use maximalization is often the preference.
In other words: do you want to have destroyed your information before that ediscovery subpoena comes in? Or are you just too attached to your data because you are data driven. Whatever it is, plan your strategy. It will help you to choose the most optimal golden standard (see step 4 below).
- Determine your governance
Who is accountable for your retention policy? Will it be the CIO or Chief Privacy Officer (CPO), or would you like to go higher up in the tree, say CEO or CFO? The more you care about your data, the higher to place accountability. Yes, it is just that important. Even if you are not data driven in the 2018 kind of sense, records retention rules have impact on your core business processes. And who better than the CEO or CFO to make risk decisions about your core business operations right?
Which other people will need to be involved? Legal and finance of course, they will need to be able to advise on changing rules and issue legal hold or tax hold notices which are aimed at ensuring that data are kept in the event of an investigation or litigation. And don’t forget about your privacy function who is there to ensure that the business does not end up in the arms of the EU data protection authorities.
- Determine what deletion means
What happens after sign delete has been given? Deletion means destroying in the pure sense: a record has been disposed of when it is really gone and you cannot access it anymore. No copies, no cache and no backup tapes are available and you have no means to reconstruct the record. EU data protection regulators call it “irreversible deletion”. Dust off your shredder, burner, eraser and destroy those documents. It is not sad, it is part of records retention (and life).
However, please do not start stressing our right away, there are also soft-deletion options or restricted archives which you can consider. Soft-deletion means that data are ‘fake’ deleted first. In case someone misses the data dearly, you can still retrieve it. The same goes with restricted archives, with the exception that an archive often serve a specific purpose (e.g. historical purposes or litigations). Meaning that you should not use or access the data outside of the archive’s purpose. In any case, soft-deletion and restricted archives are not the same as deleting data. It does improve your story-line when facing a regulator or judge. In any case, do not forget to add your plan with regard to deleting data to your global records retention policy.
- Don’t miss out on any important categories
When choosing your important retention categories, take a close look at your data. What data do you have? What are your core business processes, and what data are used by them? We have a few ideas to get you started, every company has a few must have business processes:
- Accounting records
- Tax records
- HR records
- Health and safety records
- Environmental records
- Personal data and data privacy
And don’t forget about your litigations. Statutory limitation periods (the term within someone can file a claim) are often very good guidance on what and how long you need to store data. When you have included these, it is all about the industry related storage terms that matter. In which industry are you operating:
- Financial service
- Critical infrastructure
- Professional services
It is all about keeping it simple. There are so many retention periods in the world that the bare minimum is often actually good enough. Limit the number of categories and per category limit the number of retention periods (if possible).
- Establish your golden standards
How to determine your golden standard? Now comes the difficult part from a more political and international relations perspective. What value do you attach to all those different retention laws applicable to your data? It may be simpler, than you think: determine the important countries, choose a retention trigger and a strategy to find your optimal retention period. Make sure to achieve compliance in the most countries as feasible – within your company’s technical limits.
Geography: first identify in which countries you are based. Then attach a value to these countries. How do the countries in which you are based rank in terms of:
- main establishment and regional headquarters
- number of employees
- location of data and data centers
Funny thought: some companies will deem all laws equally important and do not want to rank countries at all.
Choose a trigger: to be able to compare retention periods, you will need to understand the different triggers that mark the start of the retention period (read more about retention triggers), think of:
- Moment of creation of a document
- Close of calendar year in which a document was created
- Close of tax year in which a document was created
- Moment of termination of a contract
- Date of last activity
When you know when the retention period first start running in a certain country it will help you to determine exactly how long these retention terms are in practice (5 years after creation of a document will mean a much shorter retention period than 5 years after the termination of a contract).
Pick your desired retention length: now that you know which laws matter and what the different triggers are, you can calculate the optimal retention period, by looking at:
- The various minimum retention periods applicable to the multinational;
- The various maximum retention periods applicable to the multinational.
Practical note: some multinationals will give precedence over minimum retention periods rather than maximum retention periods. Now mix and match and you will have your desired trigger and retention duration based on the laws that matter to you!
- Create actionable retention periods
The number one problem with retention policies is that IT cannot implement an unlimited number of retention periods. That is why we insist on keeping it simple and actionable. This will allow you to actually implement the retention period. No vague language such as “current +10 years” but “10 years from the date on which the book year ended”. Also, be clear on what should be stored. No “user data” if the law only requires you to store an “IP-address and time of log-in”. This will allow you to instruct your IT team to actually implement the retention period.
- Ask for feedback from data users
Although successful records retention policies are driven from the top down and not bottom up, it is important that you test your golden standards with the business. Stakeholder management is key. There may very well be a good reason why some departments keep data longer or delete it a bit sooner. Remember, it is the business that is responsible for its own compliance. The business will need to co-operate with the retention policy. Partner with department heads to gain their support for a global retention policy, and ensure their own efforts are leveraged as part of the broader policy, is essential. And in a world of agile and scrum, feedback just makes us stronger. Even records retention.
- Never forget about the law (deal with residual risks)
The bad news of this story is that 100% compliance with records retention rules is probably not possible due to conflicting laws and limitations set by technology. If your golden standard is 7 years while French law has a maximum retention period of 6 years and Russia wants you to store forever, you could be compliant with all laws but France and Russia. For these countries you will need to make a risk assessment and fix it (or not but that is up to you). This goes for all outliers from the golden standard, think of:
- A minimum retention period that is longer than the golden standard;
- A maximum retention period that is shorter than the golden standard.
Then assess how these risks can be classified in terms of non-compliance and materialization of such risk. Also, please accept that the laws of the world are constantly changing. What applies today may not tomorrow.
Finally, never forget about the GDPR (and all other non-EU data protection laws). Data protection laws tell companies never to store personal data longer than necessary for the purpose for which the data have been collected or used. As a result, virtually every minimum retention period relating to a piece of information containing personal data becomes a maximum retention period (read more about minimum vs maximum retention periods).
That is it. If you use these principles, you are on your way to build a future proof and compliant records retention policy. And remember, the saying goes you better use it before you loose it! And for more information and our records retention schedules please check www.filerskeepers.co.