Europe’s mid-size businesses could be exposing themselves to significant data protection fines by keeping too much information for too long, according to new research from storage and information management company Iron Mountain. The study found that over 35 per cent of firms across Europe admit to keeping all their employee, customer and financial information ‘in case it is needed’.
European data retention guidelines are complex and vary widely between member states. While the average retention period for information is around six years, it can range from three months for customer complaints to more than 20 years for secrecy or patent agreements. Furthermore, these laws change frequently.
In terms of industry sector, manufacturing and engineering firms are the worst performers, with around half (45 per cent) holding on to everything. They are also around twice as likely (at 10 per cent) as most other sectors to have no company-wide document retention policy in place. Surprisingly, in view of the sensitivity of the data handled, the financial services sector is not far behind, with 39 per cent keeping everything and 9 per cent having no company-wide policy.
Iron Mountain and De Brauw Blackstone Westbroek have published a Document Retention Guide covering Europe’s 15 main jurisdictions to help firms introduce compliant retention policies. The guide helps firms understand the types of documents they hold and the legislation that affects them, and offers practical tips on document retention.
“Information is the life blood of a business, but taking care of it from a legal perspective can be a major headache for firms, particularly those with operations across Europe,” said Christian Toon, head of information risk at Iron Mountain. “We have drawn on our experience gained working with some of the largest pan-European firms to understand the main compliance challenges companies face. In an age of big data, an empowered customer base and an increasingly litigious business environment, companies of all sizes need to have robust records retention policies. This guide offers practical help to all those firms who are simply hanging on to everything.”
Lokke Moerel, ICT partner at De Brauw Blackstone Westbroek and professor of Global ICT Law at Tilburg University, explained the problem: “Multinationals find themselves in a paradoxical situation. On the one hand, they face growing volumes of information and spiralling storage costs; yet, on the other, they feel compelled to hoard their information to avoid falling foul of complex and changing retention laws. Ironically, it is just as dangerous to hold onto something for too long – such as personal data or unsuccessful job applications – as it is to destroy it too soon – such as health and safety records or email correspondence that could be required for a lawsuit. With frequent changes to document retention laws and cross-border differences, it is hardly surprising that many firms don’t know where to begin.”
“A data breach is every firm’s nightmare,” concluded Christian Toon at Iron Mountain. “Every organisation has a duty to its employees, shareholders, suppliers and customers to hold information in a way that is secure and responsible. Achieving this can be complex and time-consuming. The publication of the new Retention Guide will help many firms to meet this challenge.”