Here are a few frequently asked questions about records management:
General about data and records retention
A records retention period is a legal rule that tells you when and for how long to keep a certain document or piece of information. A records retention period can be a maximum retention period, telling you when you are no longer allowed to keep a record. When the maximum period has ended you should destroy that record. A minimum records retention period tells you how long you should keep a record at a minimum. When the record retention period has ended you may still keep the record but you no longer have to (unless there is another retention law that tells you to keep or destroy the record).
A record is a very broad concept to describe “information”. Records are virtually any piece of information which your company or organization creates, records and stores in some way. This can be something as old-fashioned as a printed or written hardcopy document. It can also be an electronic document or a data point in a database. It depends on what a law or regulation defines as a record.
The physical form or characteristic of a record usually does not matter, unless there is a law somewhere that says something about the form in which you need to keep information. “Hardcopy” has been the preferred option for a long time, cheeky lawmakers! But nowadays these kinds of form requirements are often traded for rules relating to the integrity of documents. And as the world is becoming digital, so should records retention management, so we believe!
Let’s ask the dictionary to answer this one:
- Data: The quantities, characters, or symbols on which operations are performed by a computer, which may be stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media.
- Document: A piece of written, printed, or electronic matter that provides information or evidence or that serves as an official record.
Well, that still sounds complicated, right? We mean that data is any fragment of information available on your laptop, tablet, mobile phone or any other device. For example: names, contact details, any words or numbers, statistics, logs and metadata. And also, any file, document, Excel sheet, PowerPoint, application, note, song, picture or video. Every little dot of information is data.
A document is a collection of sorted data on a data carrier (for example, your laptop's hard drive or USB stick, or even a piece of paper). Pretty much any Word document, PowerPoint, note, and email available on your laptop. So, if you print any data, you sort it on a piece of paper and voilà, you got yourself a document.
Oh, and in case you wonder: our data retention schedules apply to both documents and data.
Well, you don’t have to care. It is just that your client, supplier, bookkeeper, accountant, lawyer, notary, controller, auditor and many governmental officials care. There are literally thousands of retention rules that require you to keep or destroy records. It is a matter of good corporate housekeeping. If you know what to keep and what to throw out you will be more in control. You will also run a smaller risk of trouble.
What would you tell the German tax auditor if you fail to keep your tax records for 10 years? Or what do you tell the Irish Data Protection Commissioner if you decided to store recruitment data for 5 years? Are you going to tell your customer that you accidentally deleted the contract?
Or let’s say it in bullets, breaking retention rules could lead to:
- Statutory fines and penalties (some being criminal in nature);
- Legal actions and a risk of forced settlement resulting from the cost of compliance with e-discovery requests for old emails or other documents;
- Lost cases resulting from absent email and other business records (yes, there is case law); and
- Business losses from an insufficient archiving and recovery process.
To us, data retention is a very smart thing to do. Something to care about. A life saver in moments of truth, when it becomes bet-the-company. Because, well you know, filers… keepers…
Want some proof? Please read this whitepaper: https://www.sans.org/reading-room/whitepapers/compliance/requirements-record-keeping-document-destruction-digital-world-2063
With a filerskeepers data retention schedule you will never be stuck in the maze of data retention again! A data retention schedule contains all retention periods applicable in a country in one comprehensible schedule.
filerskeepers data retention schedules tell you who should keep what data, for which time period, starting when, and if it is a maximum or minimum period, all with a link to the legal reference.
Take a look in our schedule store to see which ones you can buy and download right now. Also, try one for free and download our free sample data retention schedule. If you are missing the data retention schedule for your country, please order it or contact us. We will have any data retention schedule in your mailbox under 2 weeks.
Well, without a data retention schedule your company will probably be storing data until the end of time. No, filerskeepers really believes that you need a comprehensive and up-to-date data retention schedule. But a schedule alone will not cut it. You will need to actually implement the data retention terms in your IT systems.
Now it gets technical. A retention trigger is the moment when a law tells you when a maximum or minimum retention period starts running. Easier said, it tells you when you should officially start storing the document. A retention trigger could be related to the actual creation or use of a record, say:
- The moment of creation of a record, or
- The date of last activity or update
A retention period can also start on a fixed time in the year, say:
- Close of the calendar year in which a record was created, or
- Close of the tax year in which a record was created
A common records retention trigger can also be an action, say:
- The moment your company starts a litigation,
- The moment your company issues a tax hold notice, or
- The moment your company terminates a contract
When the retention period has been triggered, the law defines for how long you will need to keep the record, counting from the trigger moment. So this could be the trigger date + one year (or, as normal people would say, one year after the moment your company issues a tax hold notice).
Easy breezy you would say, right?
Well that depends on the law of course.
Well that is quite easy. Almost all countries have both minimum and maximum retention periods for certain records. A minimum retention period tells you for how long you should keep data at a minimum. Say the bookkeeping requirement in the Netherlands is minimally 7 years. You could keep your books for longer, but that is not required.
A maximum retention period tells you when to destroy a certain record. When this period has lapsed you are really not supposed to have the record anymore. It is time to say goodbye to it. In some countries, though, there are exceptions when you issue a “legal hold notice” or a “tax hold notice”. This will suspend the need to delete a record in view of a possible litigation, tax audit or investigation. Why do we have maximum retention periods? Well, that is usually to protect the privacy of a person. Data protection laws often forbid keeping data for longer than necessary for the purposes for which the data were collected.
Even if a country has no minimum retention period for a certain commercial record, advisors often recommend keeping these records until governmental regulators can no longer enforce. And if a record is relevant for your corporate memory, advisors usually tell you to retain it, even permanently. All these retention periods are included in our record retention schedules.
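The trigger and minimum/maximum logic described above, sketched in Python as an added example (not filerskeepers' own code). The rule fields, trigger names and decision labels are assumptions made for illustration, a hold is treated as always suspending deletion, and the periods you pass in must come from your own retention schedule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Rule:
    kind: str     # "minimum" or "maximum"
    years: int
    trigger: str  # "creation", "last_activity", "calendar_year_end" or "event"

@dataclass
class Record:
    created: date
    last_activity: date
    event_date: Optional[date] = None  # e.g. contract termination; None = not yet
    on_hold: bool = False              # legal or tax hold notice in force

def trigger_date(rule: Rule, rec: Record) -> Optional[date]:
    """Date on which the retention period starts running."""
    if rule.trigger == "creation":
        return rec.created
    if rule.trigger == "last_activity":
        return rec.last_activity
    if rule.trigger == "calendar_year_end":
        return date(rec.created.year, 12, 31)
    if rule.trigger == "event":
        return rec.event_date
    raise ValueError(f"unknown trigger: {rule.trigger}")

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def decide(rules: list, rec: Record, today: date) -> str:
    """Return 'hold', 'keep', 'destroy', 'conflict' or 'optional'."""
    if rec.on_hold:
        return "hold"  # assumption: a hold always suspends deletion
    must_keep = destroy_due = False
    for rule in rules:
        start = trigger_date(rule, rec)
        if start is None:  # event has not happened, period not running yet
            must_keep = must_keep or rule.kind == "minimum"
            continue
        end = add_years(start, rule.years)
        if rule.kind == "minimum" and today <= end:
            must_keep = True
        elif rule.kind == "maximum" and today > end:
            destroy_due = True
    if must_keep and destroy_due:
        return "conflict"  # two rules disagree: escalate for review
    return "keep" if must_keep else "destroy" if destroy_due else "optional"
```

A "conflict" result is the case where one law still requires keeping a record while another already requires destroying it; that decision should go to a person, not to an automated deletion job.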
Unfortunately records retention laws vary from country to country. Governments generally focus on international relations and world peace. They do not talk about records retention. Why? Because this is a matter of how the court systems, government agencies and criminal prosecution of a country work. And that is exactly something that countries want to decide on by themselves, something to do with sovereignty.
Consider this: the minimum retention periods with regard to bookkeeping vary from five years in Poland, six years in Germany, Finland and Spain, seven years in Austria, Sweden and the Netherlands, eight years in Hungary and ten years in Belgium, France, Italy and Romania (and for certain records in Germany, Switzerland and Finland). If your company were located in all of these countries, we would recommend you store your books for at least 10 years and you will be fine in any of these countries.
Funny you should ask. A record has been disposed of when it is really gone and you cannot access it anymore. So no copies, no cache and no backup tapes are available and you have no means to reconstruct the record. EU data protection regulators call it “irreversible deletion”. So get your shredder, burner, eraser out and destroy those documents. It is not sad, it is part of records retention (and life).
There is no official organisation you could turn to to ask if it is OK to delete your data. Maybe it would be good to have a good record retention policy in place. A policy will allow you to check if it is right to destroy your data. Why don’t you have a look in our schedule store?
Privacy and data retention
The EU General Data Protection Regulation (GDPR) is the new data protection law of the EU and probably a game changer for data retention. It will be applicable on 25 May 2018. The GDPR may very well be one of those laws that will rock the entire world. It is already known now as the most lobbied piece of legislation. It is generally considered the killer of conversion ratios, small and medium enterprises (SMEs) and innovation within the EU.
Data is not protected by ownership or intellectual property rights. That does not mean your company can use data however it pleases. The collection, use and handling (“processing”) of personal data is regulated by data privacy laws, such as the GDPR. Personal data includes all data that relates to an individual. Personal data is in all business processes, all systems and facets of business life. You can imagine how impactful the GDPR is. This new law has many rules around security, transparency requirements, privacy impact assessments, rights of individuals, international data flows and of course… data retention. You even need to keep a register of all your data processing! And if you fail to comply? You risk a hefty fine of EUR 20 million or 4% of your annual turnover, ouch! Feel safe because you are not located in the EU? Think again. The GDPR has a very broad extraterritorial applicability. Basically, if you have a global website or service, chances are big that the GDPR will apply and you will need to abide by these rules.
We are more optimistic and believe that the GDPR also offers many wonderful business opportunities. The EU privacy law imposes discipline in ways you would probably not have imagined:
- The GDPR requires you to ask the questions you always should have asked yourself in the first place before starting a new project (why are we doing this project, how, for how long, who is responsible, how do we inform external stakeholders).
- Get in control of your cyber and data security strategy. The GDPR contains serious data security and data breach requirements. Plus your data inventory will teach you where your real risk is in terms of sensitivity of your personal data. This will allow your IT security departments to better assess risk and make better investment decisions.
- Get in control of business processes. The GDPR requires you to get a hold on data flows and register them. As personal data flows through your business processes, you will get a much better understanding of the processes that make up your company.
- Get in control of data pooling. When you know where your data is at, your marketing and analytics department will better understand how to make use of the data. They will be able to see opportunities that they never could have imagined were possible.
- Get (a bit) more in control of legal spend. With the GDPR you will most likely not need to ask for
Did you know that the full reference of the GDPR is the “Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC”? Long name, right?
The English version of the EU data privacy law can be found here: ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
The GDPR in the other European languages can be found here: eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32016R0679
Want to learn more about the GDPR? Please turn to our friends of the IAPP.
Privacy laws and data retention closely relate to each other. Often privacy laws require companies to justify the storage of data and to include an end date for the data life cycle. After the end date lapses, personal data will need to get deleted.
Specifically, the GDPR says about data retention: “personal data may not be kept in a form which permits identification of data subjects for any longer than necessary for the purposes for which the personal data are processed”.
Based on this very generic rule quite some data protection authorities have issued guidelines with regard to certain categories of data (e.g. recruitment data or health data). Where data protection authorities have issued such guidelines we include them in our retention schedules.
However, where data protection authorities have not given specific guidance, it will be up to companies to make their own risk assessment. This can be quite a daunting task. It means that companies should implement a data retention period per purpose for which they process personal data. So how to determine what is ‘necessary’? Companies will need to ask themselves: what is the shortest data retention period my company could implement before it gets into trouble? Beware, the European data protection authorities may ask to provide examples to illustrate!
And this is exactly where our service comes into play. filerskeepers helps companies decide which retention period to choose per system or document category. We do this by providing our customers with insight into the legal maximum and minimum retention periods applicable in the countries relevant to them. This helps companies to justify why they are storing data (“for compliance with income tax rules”) and for how long (“for 10 years from the date following the end of the book year”).
We wish it was that easy. The General Data Protection Regulation (GDPR) does not set any specific retention period. Instead, the General Data Protection Regulation (GDPR) urges your company to determine how long it really needs personal data for a specific business process. And set the data retention period there.
To be precise, the General Data Protection Regulation (GDPR) says about data retention: “personal data may not be kept in a form which permits identification of data subjects for any longer than necessary for the purposes for which the personal data are processed”. That is quite a daunting task. It means that your company should implement a data retention period per purpose for which it processes personal data. How can your company determine what is ‘necessary’? Ask yourself: what is the shortest data retention period your company could implement before it gets into trouble? Beware, the European data protection authorities will ask you to provide examples to illustrate!