Once GDPR kicks in, a bunch of mid-market companies will have their heads in their hands in shock, Iron Mountain claims. That's because many such companies (250 – 2,500 employees) are holding on to almost every record, even though they should not.
According to the company's latest report, 11 per cent of such companies are holding on to information without keeping in mind data protection requirements.
When asked why they have such practices, businesses mostly say it's to exploit possible future value (89 per cent), to provide a safety net in a complex regulatory landscape (87 per cent), and to comply with e-discovery requests (42 per cent).
“Knowing what information to hold on to and for how long is complicated for many European organisations, with different rules for different kinds of information in different countries. It is just as risky to hold on to something for too long, such as personal data or unsuccessful job applications, as it is to destroy something too soon, such as email correspondence or health and safety records that might be required for a lawsuit,” said Gavin Siggers, Director of Professional Services for Iron Mountain Europe.
“Unsurprisingly, many companies have responded by simply keeping everything. However, particularly in the case of personally identifiable information, this cannot continue. From 2018, businesses will need to prove that their information is created with a built-in end of life. Achieving this will require organisations large and small to know what they have, where it is, and how long they are entitled to hold on to it. We would advise businesses to seek expert guidance.”