Employers often want to have a data retention policy which works for all of their international operations. We look at the challenges with this approach and how to make it work in practice.
Following the introduction of the European General Data Protection Regulation (“GDPR”) in 2016, many HR professionals will be familiar with the message that “you can only keep data for as long as you need it”. This same principle now also lives on in the UK, post-Brexit.
But why do businesses even care? To make some obvious points:
In brief, the GDPR (including the UK GDPR) only allows data retention for so long as it is reasonably necessary to retain it.
The perpetual problem is that the GDPR doesn’t provide any more specific guidance than that.
This is not unusual when it comes to the GDPR, which often sets out key principles to be applied across all of Europe but does not provide any guidance on the finer details.
The flip side of GDPR ambiguity is that it gives local regulators and (in many cases) employers themselves some discretion in determining what data should be retained and for how long (subject to any specific country laws relating to local retention requirements).
In the UK, for example, our regulator tends to take a light touch and mostly defers to employers provided they have taken a sensible approach to things. Generally, as long as what you decide is “reasonable” and you can justify it, and you have documented your thinking, you are unlikely to get into trouble.
The position across Europe is often similar, but it does vary, and some local regulators are stricter than others.
Some employers prefer granular policies, allocating separate retention periods to different categories of data in each jurisdiction, to try to achieve the ‘gold’ standard of compliance. This approach works well where retention can be automated, but for many employers it can be difficult to achieve.
Alternatively, other businesses prefer to put a simpler retention policy in place with a handful of “buckets” of data and retention periods, rather than a complicated matrix that they have no chance of being able to comply with in reality. This is not a ‘gold’ standard GDPR approach but may simply be more realistic.
Settling on a data retention strategy becomes trickier where a business operates in multiple countries. You would be forgiven for thinking that the GDPR means all retention policies fit neatly together, but, as noted above, sadly this is not the case.
To take one example, in Bulgaria, employment contracts and any amendments/termination documents technically need to be kept for 50 (yes, fifty) years after termination of employment. A 50-year retention period is likely to be a very obvious red flag in other jurisdictions.
International “one size fits all” retention policies are normally impossible to achieve with 100% perfection, but businesses can often settle on a suitable risk-balanced approach that is as close to one-size-fits-all as can be hoped for. As you would expect, the more countries a business is trying to cover, the more challenging this can be.
Our top tips are as follows:
If you’d like to discuss international data retention or data privacy more generally or for a copy of our UK or Irish mandatory retention periods, please get in touch with Deborah Margolis, Darren Isaacs or your usual GQ|Littler contact.