Employers often want to have a data retention policy which works for all of their international operations. We look at the challenges with this approach and how to make it work in practice.
Why bother with data retention policies?
Following the introduction of the European general data protection regulation (“GDPR”) in 2016, many HR professionals will be familiar with the message that “you can only keep data for as long as you need it”. This same principle also now lives on in the UK, post-Brexit.
But why do businesses even care? To make some obvious points:
- Hanging on to data for too long can result in fines or penalties from local data protection regulators (with levels of enforcement varying from jurisdiction to jurisdiction). It’s also a drain on data storage resources.
- On the other hand, getting rid of data too quickly, might mean that you are not complying with other local legal requirements (e.g. in the UK, maternity records need to be kept for three years after the end of the tax year in which the maternity pay period ends) or are unable to deal properly with problems that may arise after the data is destroyed (e.g. litigation).
What does the GDPR say?
In brief, the GDPR (including the UK GDPR) only allows data retention for so long as it is reasonably necessary to retain it.
The perpetual problem is that the GDPR doesn’t provide any more specific guidance than that.
This is not unusual when it comes to the GDPR, which often sets out key principles to be applied across all of Europe but does not provide any guidance on the finer details.
The flip side of GDPR ambiguity is that it gives local regulators and (in many cases) employers themselves some discretion in determining what data should be retained and for how long (subject to any specific country laws relating to local retention requirements).
In the UK, for example, our regulator tends to take a light touch and mostly defers to employers provided they have taken a sensible approach to things. Generally, as long as what you decide is “reasonable” and you can justify it, and you have documented your thinking, you are unlikely to get into trouble.
The position across Europe is often similar, but it does vary, and some local regulators are stricter than others.
How do employers normally decide on their data retention policies?
Some employers prefer granular policies, allocating separate retention policies to different categories of data in each jurisdiction, to try and achieve the ‘gold’ standard of compliance. This approach will work well where retention can be automated, but for many employers it can be difficult to achieve.
Alternatively, other businesses prefer to put a simpler retention policy in place with a handful of “buckets” of data and retention periods, rather than a complicated matrix that they have no chance of being able to comply with in reality. This is not a ‘gold’ standard GDPR approach but may simply be more realistic.
How does that work internationally?
Settling on a data retention strategy becomes trickier where a business operates in multiple countries. You would be forgiven from thinking that GDPR means that all retention policies fit neatly together but as noted above, sadly this is not the case.
To take one example, in Bulgaria, employment contracts and any amendments/termination technically need to be kept for 50 (yes, fifty) years after termination of employment. A 50-year retention policy is likely to be a very obvious red-flag in other jurisdictions.
Can international retention policies work?
International “one size fits all” retention policies are normally impossible to achieve with 100% perfection, but businesses can often settle on a suitable risk-balanced approach that is as close to one-size-fits-all as can be hoped for. As you would expect, the more countries a business is trying to cover, the more challenging this can be.
Our top tips are as follows:
- Be clear on what data you hold and what is required for your business (for example, do you have regulatory requirements, or group level reporting requirements?).
- Liaise with your teams on the ground to understand how you will comply with your retention policies in practice.
- Understand local retention legal requirements, market practice and penalties for non-compliance.
- Consider how active the local regulators are and whether there have been recent fines for non-compliance.
- Understand where most of your employees are located. If most of your employees are in France and only a handful in the UK, you may prefer to place a stronger focus on French retention periods.
If you’d like to discuss international data retention or data privacy more generally or for a copy of our UK or Irish mandatory retention periods, please get in touch with Deborah Margolis, Darren Isaacs or your usual GQ|Littler contact.