Should Your Bucket Have Holes in It?

Part 1 – Things That Shoot Holes in Buckets

John Montaña

Montaña & Associates

1

Why Big Buckets?

Simplicity Smaller administrative overhead Simpler system configuration Easier for users to understand

Reality Granular identification of records may be impossible Granular system configuration may be difficult or impossible

2

Legal Systems

Two main legal systems: Common Law

U.K., U.S., and former U.K. colonies

Civil Law Most of the rest of the world

Local, unique systems China Vietnam Russia

3

Issues to Be Aware Of

Don’t assume the rules are the same everywhere Retention requirements vary Regulatory regimes familiar to U.S. or Canadian records

managers may be: Vague and unhelpful Absent

Many countries have IG/RIM laws on the books dating from the early 1800’s.

4

Retention Requirements

Can vary dramatically: Payroll – from 2 years to 45 years Tax and accounting records – from 3 years to 75 years Personnel files – from 3 years to permanent

5

Statutes of Limitation

Often much longer than U.S. or Canadian: As long as 20 or 30 years for commercial matters or general

limitations

Sometime much shorter than U.S. or Canadian As little as 2 months for HR or commercial matters

6

Media Requirements

Electronic records may not be allowed Many countries have records laws dating from the 1800’s

Electronic records may require e-signatures or authentication Laws may have specific, detailed requirements for

signatures Records that do not follow the protocol may be denied legal

effect

7

Data Privacy Laws

Often very granular

Affect a wide variety of personal data about anyone

Severely restrict use of that data

Severely limit where that data can be stored or sent

May have burdensome requirements about managing, using and manipulating the data

Very strictly enforced

8

Practical Issues

EU data privacy laws do not permit transfer of personal data to places without similar levels of protection

The U.S. does not have a similar level of protection – but there is a safe harbor rule

What about multi-national server farms?

DO NOT assume it’s automatically okay to have European data in the U.S.

9

European Privacy Rights – A Contrast

U.S. – it’s not private unless a law says it’s private

E.U. – It’s private unless authorized by law or permission

U.S. – Haphazard enforcement of privacy rights, generally you enforce them personally with litigation

E.U. – Very aggressive enforcement by many government agencies

10

Data Privacy

This may lead to surprising results, e.g., email discovery: You may have to get permission from an employee to

produce email

11

Data Privacy – A VERY Fluid Landscape

Over the past 20 years – a proliferation of local data privacy regimes Country-by-country Province-by-province Companies struggling to comply

2015 – re-write of EU data privacy rules to harmonize and simplify them A recognition that the situation has become untenable

12

E-Records -- Three General E-Records -- Three General Situations to Deal WithSituations to Deal With

Permissive law few conditions on e-commerce

Restrictive law many restrictions on e-commerce

No law Uncertainty – is e-commerce legal, are transactions

enforceable?

13

The Overarching ProblemThe Overarching Problem

U.S.-centric systems may not comply with requirements in foreign jurisdictions

Within the US, there may still be inconsistent requirements

Foreign requirements may be burdensome in the U.S.

Differing levels of granularity for different records in different countries create severe problems

14

The LandscapeThe Landscape

Most of Europe: No global e-records law – electronic records only in

particular situations Images may require authentication and digital signatures Particular formats or technical details may be specified in

law Records not kept in conformance to law may not be

admissible in legal proceedings

15

The Rest of the WorldThe Rest of the World

By default, the law prefers: paper records hard copy wet signatures

Many countries have laws on the books requiring: paper records wet signatures

Unless an e-commerce law explicitly authorizes it, a technology or process may not be legal

16

An ExampleAn Example

Kuwait has no e-commerce or e-records law, but –

It’s a major, first world financial center

Electronic transactions are common, but: Are effectively unenforceable – courts routinely deny

admissibility to e-records

Lost lawsuits are a cost of doing business

17

Another ExampleAnother Example

Imaged accounting invoices Legal in Switzerland, but:

Each image must have a digital signature attesting to accuracy and authenticity

No signature, no admissibility in tax audits Digital signature service bureaus are a cost of doing

business

18

Quasi-Legal IssuesQuasi-Legal Issues

An auditor or judge may want paper regardless of the law You may be stuck regardless of the merits You can’t afford to be on their bad side A lawsuit would take years, and might be futile

19

Location Restrictions

Tax and accounting records may have to be kept in the country of origin

If stored electronically, the server or media may have to be physically located in the country

20

Maximum Retention Periods

Increasingly personal data is governed by maximum retention periods

Keeping records longer is a violation of law

Retention periods may pose a challenge in tension with legally required minimum periods

Maximum retention may only affect part of a record

21

Practical Issues

ERP and EDM systems – e.g., SAP, Peoplesoft

Maximum periods are often granular, often very short

ERP and EDM systems make purging difficult, buckets very big

How do you make such a system compliant?

22

Vague or Absent Laws

Laws may have grave consequences, but give little or no records guidance – e.g., Sarbanes-Oxley

Some countries may have no developed regulatory regime in an area There is a complete absence of regulatory requirements But there will be civil liability And there may be very long statutes of limitation

23

Developing Regulatory Regimes

Countries that formerly had no records laws in an area develop a regime rapidly HR OSH Environmental

24

Multinational Regulatory Regimes

European Union

Mercosur

ASEAN

CARICOM

Increasing, these replace or supplement national law

25

The Odd Case of Russia

Master national retention schedule All records, business and personal

The Russian State Archives can require: Permission prior to records destruction Assessment of expired business records Accession of them to state archives

All at your expense

Many, many permanent or very long retention periods

What’s the Upshot of All of This?What’s the Upshot of All of This?

26

What’s the Upshot of All of This?

Big Buckets are about uniformity and consistency

Big buckets assume that the rules are the same everywhere, or at least can be harmonized

In a large scale environment, that harmonization becomes a challenge

27

Inevitable Consequences of Big Buckets

Long – sometimes very long - retention periods Longest legal requirement Longest risk management consideration Longest business requirement Longest fudge factor

Very conservative event-based rules e.g., how long could your longest contract be active before

the retention period runs?

28

What do Do?

Stay Tuned for Part 2

29

QuestionsQuestions

??

30