Severe fines for firms holding on to information

Around 40% of European mid-market companies could be subjected to steep fines following the introduction of the EU General Data Protection Regulation (GDPR), which will impose restrictions on what data firms can store and for how long.

According to information management company Iron Mountain, four-in-ten mid-market companies hold on to almost every record regardless of official retention guidelines.

Mostly companies retain this information because they want to exploit it for possible future value (89%) or to provide a safety net in what is becoming an increasingly complex regulatory landscape (87%). Many are doing so to ensure they can comply with e-discovery requests (42%).

However, with Article 23 of the new GDPR stating that retention periods for all kinds of information – from emails and instant messages to proposals and contracts – need to be factored in from the moment the information is created, the risks and potential penalties associated with an unstructured approach to retention could prove severe.

Failure to comply with the incoming legislation could lead to fines of up to 4% of annual global turnover or up to EUR 20 million. The higher of the two figures will apply.

Iron Mountain Europe director of professional services Gavin Siggers said: “Knowing what information to hold on to and for how long is complicated for many European organisations, with different rules for different kinds of information in different countries…

“Unsurprisingly, many companies have responded by simply keeping everything. However, particularly in the case of personally identifiable information, this cannot continue. From 2018, businesses will need to prove that their information is created with a built-in end of life. Achieving this will require organisations large and small to know what they have, where it is, and how long they are entitled to hold on to it. We would advise businesses to seek expert guidance.”