Creating a record retention schedule and executing a records program for multinational companies operating in many countries can be overwhelming. Each country has its own record retention regulations, and different records are created and stored in different countries. These multinational policies and schedules are one of the most challenging aspects of building a program, but if companies follow some basic guidelines they can be successful.

Create a global policy, but allow for local exceptions.

Some companies create a separate record retention policy and schedule for each country or region they operate in. I think this is a mistake, as it becomes exceedingly difficult to administer multiple policies across the enterprise. We have found it much more effective to create a single, global retention policy. Often the business need for retaining a record is enterprise-wide, and this business need may trump the aggregate of local requirements. On the other hand, there are country-specific exceptions requiring some records to be stored longer, and other records to be destroyed earlier than the global policy. Instead of creating separate schedules for each country, allow local exceptions to the global policy. This simplifies things. Initially it may appear a global policy will require many exceptions, but we have found most global schedules end up with many fewer exceptions than anticipated.

Consider high watermark retention periods.

If an engineer creates a safety procedure document in San Jose and shares this record with an engineering group in Dublin, who then share it with the team in India, which country's regulatory retention requirements should apply? It's difficult to determine because electronic information often literally travels around the globe. Favoring clarity and compliance, I think the best approach is often to adopt a “high water mark” retention period, adopting the longest retention requirement. This will often be the United States. Trying to pin down where a document lives is difficult and can easily lead to non-compliance.

Engage foreign business units.

The biggest mistake U.S.-based companies make in developing record retention programs is creating a policy with only input from their U.S. business units, and then adopting this policy for the rest of the world without consulting the international groups. These international groups often then feel that the policy was foisted upon them and start listing reasons why the policy cannot or should not be implemented in their country. Often the root issue here is not compliance with local regulations, but rather that these groups were not engaged and consulting. Good early engagement can go a long way, and many of the “this policy won't work over here” objections tend to melt away when these groups felt heard.

Be prepared for sparse or ambiguous local regulations.

Unlike the U.S. and European countries, many countries have either sparse or ambiguous regulations governing document retention. The regulations that do exist often tend to be focused on paper records. A search for Ghana's requirements for saving employee records, for example, can be fruitless because these regulations don't exist. More research does not yield better answers. Organizations need to create policies even without the underpinning of local requirements. Often U.S. and European-level retention requirements can be used in these situations.

Keep a close eye on data privacy.

One area does require close scrutiny. Data privacy regulations are generally stricter outside the U.S., especially in Europe, and in France and Germany in particular. While a data privacy policy is separate from a record retention policy, a good record retention policy needs to be data privacy aware. There are restrictions, for example, on when and how employers can surveille employees' archived e-mail in some countries. Many of the aforementioned local exceptions to global policies are around privacy-related issues.

Creating a record retention schedule and executing a records program for multinational companies operating in many countries can be overwhelming. Each country has its own record retention regulations, and different records are created and stored in different countries. These multinational policies and schedules are one of the most challenging aspects of building a program, but if companies follow some basic guidelines they can be successful.

Create a global policy, but allow for local exceptions.

Some companies create a separate record retention policy and schedule for each country or region they operate in. I think this is a mistake, as it becomes exceedingly difficult to administer multiple policies across the enterprise. We have found it much more effective to create a single, global retention policy. Often the business need for retaining a record is enterprise-wide, and this business need may trump the aggregate of local requirements. On the other hand, there are country-specific exceptions requiring some records to be stored longer, and other records to be destroyed earlier than the global policy. Instead of creating separate schedules for each country, allow local exceptions to the global policy. This simplifies things. Initially it may appear a global policy will require many exceptions, but we have found most global schedules end up with many fewer exceptions than anticipated.

Consider high watermark retention periods.

If an engineer creates a safety procedure document in San Jose and shares this record with an engineering group in Dublin, who then share it with the team in India, which country's regulatory retention requirements should apply? It's difficult to determine because electronic information often literally travels around the globe. Favoring clarity and compliance, I think the best approach is often to adopt a “high water mark” retention period, adopting the longest retention requirement. This will often be the United States. Trying to pin down where a document lives is difficult and can easily lead to non-compliance.

Engage foreign business units.

The biggest mistake U.S.-based companies make in developing record retention programs is creating a policy with only input from their U.S. business units, and then adopting this policy for the rest of the world without consulting the international groups. These international groups often then feel that the policy was foisted upon them and start listing reasons why the policy cannot or should not be implemented in their country. Often the root issue here is not compliance with local regulations, but rather that these groups were not engaged and consulting. Good early engagement can go a long way, and many of the “this policy won't work over here” objections tend to melt away when these groups felt heard.

Be prepared for sparse or ambiguous local regulations.

Unlike the U.S. and European countries, many countries have either sparse or ambiguous regulations governing document retention. The regulations that do exist often tend to be focused on paper records. A search for Ghana's requirements for saving employee records, for example, can be fruitless because these regulations don't exist. More research does not yield better answers. Organizations need to create policies even without the underpinning of local requirements. Often U.S. and European-level retention requirements can be used in these situations.

Keep a close eye on data privacy.

One area does require close scrutiny. Data privacy regulations are generally stricter outside the U.S., especially in Europe, and in France and Germany in particular. While a data privacy policy is separate from a record retention policy, a good record retention policy needs to be data privacy aware. There are restrictions, for example, on when and how employers can surveille employees' archived e-mail in some countries. Many of the aforementioned local exceptions to global policies are around privacy-related issues.