Should Your Bucket Have Holes in It?
Part 1 – Things That Shoot Holes in Buckets
John Montaña
Montaña & Associates
Why Big Buckets?
Simplicity: smaller administrative overhead; simpler system configuration; easier for users to understand
Reality: granular identification of records may be impossible; granular system configuration may be difficult or impossible
Legal Systems
Two main legal systems:
Common Law: U.K., U.S., and former U.K. colonies
Civil Law: most of the rest of the world
Local, unique systems: China, Vietnam, Russia
Issues to Be Aware Of
Don’t assume the rules are the same everywhere
Retention requirements vary
Regulatory regimes familiar to U.S. or Canadian records managers may be: vague and unhelpful; absent
Many countries have IG/RIM laws on the books dating from the early 1800s.
Retention Requirements
Can vary dramatically:
Payroll – from 2 years to 45 years
Tax and accounting records – from 3 years to 75 years
Personnel files – from 3 years to permanent
Statutes of Limitation
Often much longer than U.S. or Canadian: as long as 20 or 30 years for commercial matters or general limitations
Sometimes much shorter than U.S. or Canadian: as little as 2 months for HR or commercial matters
Media Requirements
Electronic records may not be allowed: many countries have records laws dating from the 1800s
Electronic records may require e-signatures or authentication: laws may have specific, detailed requirements for signatures; records that do not follow the protocol may be denied legal effect
Data Privacy Laws
Often very granular
Affect a wide variety of personal data about anyone
Severely restrict use of that data
Severely limit where that data can be stored or sent
May have burdensome requirements about managing, using and manipulating the data
Very strictly enforced
Practical Issues
EU data privacy laws do not permit transfer of personal data to places without similar levels of protection
The U.S. does not have a similar level of protection – but there is a safe harbor rule
What about multi-national server farms?
DO NOT assume it’s automatically okay to have European data in the U.S.
European Privacy Rights – A Contrast
U.S. – it’s not private unless a law says it’s private
E.U. – It’s private unless authorized by law or permission
U.S. – Haphazard enforcement of privacy rights, generally you enforce them personally with litigation
E.U. – Very aggressive enforcement by many government agencies
Data Privacy
This may lead to surprising results, e.g., email discovery: you may have to get permission from an employee to produce email
Data Privacy – A VERY Fluid Landscape
Over the past 20 years – a proliferation of local data privacy regimes: country-by-country; province-by-province; companies struggling to comply
2015 – re-write of EU data privacy rules to harmonize and simplify them: a recognition that the situation has become untenable
E-Records -- Three General Situations to Deal With
Permissive law: few conditions on e-commerce
Restrictive law: many restrictions on e-commerce
No law: uncertainty – is e-commerce legal, are transactions enforceable?
The Overarching Problem
U.S.-centric systems may not comply with requirements in foreign jurisdictions
Within the US, there may still be inconsistent requirements
Foreign requirements may be burdensome in the U.S.
Differing levels of granularity for different records in different countries create severe problems
The Landscape
Most of Europe:
No global e-records law – electronic records only in particular situations
Images may require authentication and digital signatures
Particular formats or technical details may be specified in law
Records not kept in conformance to law may not be admissible in legal proceedings
The Rest of the World
By default, the law prefers: paper records; hard copy; wet signatures
Many countries have laws on the books requiring: paper records; wet signatures
Unless an e-commerce law explicitly authorizes it, a technology or process may not be legal
An Example
Kuwait has no e-commerce or e-records law, but –
It’s a major, first world financial center
Electronic transactions are common, but are effectively unenforceable – courts routinely deny admissibility to e-records
Lost lawsuits are a cost of doing business
Another Example
Imaged accounting invoices
Legal in Switzerland, but:
Each image must have a digital signature attesting to accuracy and authenticity
No signature, no admissibility in tax audits
Digital signature service bureaus are a cost of doing business
Quasi-Legal Issues
An auditor or judge may want paper regardless of the law
You may be stuck regardless of the merits
You can’t afford to be on their bad side
A lawsuit would take years, and might be futile
Location Restrictions
Tax and accounting records may have to be kept in the country of origin
If stored electronically, the server or media may have to be physically located in the country
Maximum Retention Periods
Increasingly, personal data is governed by maximum retention periods
Keeping records longer is a violation of law
Maximum retention periods may be in tension with legally required minimum periods
Maximum retention may only affect part of a record
Practical Issues
ERP and EDM systems – e.g., SAP, PeopleSoft
Maximum periods are often granular, often very short
ERP and EDM systems make purging difficult, buckets very big
How do you make such a system compliant?
Vague or Absent Laws
Laws may have grave consequences, but give little or no records guidance – e.g., Sarbanes-Oxley
Some countries may have no developed regulatory regime in an area:
There is a complete absence of regulatory requirements
But there will be civil liability
And there may be very long statutes of limitation
Developing Regulatory Regimes
Countries that formerly had no records laws in an area develop a regime rapidly: HR; OSH; environmental
Multinational Regulatory Regimes
European Union
Mercosur
ASEAN
CARICOM
Increasingly, these replace or supplement national law
The Odd Case of Russia
Master national retention schedule: all records, business and personal
The Russian State Archives can require: permission prior to records destruction; assessment of expired business records; accession of them to state archives
All at your expense
Many, many permanent or very long retention periods
What’s the Upshot of All of This?
Big Buckets are about uniformity and consistency
Big buckets assume that the rules are the same everywhere, or at least can be harmonized
In a large-scale environment, that harmonization becomes a challenge
Inevitable Consequences of Big Buckets
Long – sometimes very long – retention periods: longest legal requirement; longest risk management consideration; longest business requirement; longest fudge factor
Very conservative event-based rules, e.g., how long could your longest contract be active before the retention period runs?
What to Do?
Stay Tuned for Part 2
Questions?