A third of European firms have exposed themselves to data protection fines after storing information for too long, according to research by information management company Iron Mountain.
A survey of 600 senior business executives in Europe found that over 35% had kept all employee, customer and financial data out of precaution.
Manufacturing and engineering firms were the worst offenders, with 45% keeping everything. About 10% were also found to have no company-wide document retention policy in place.
The financial services sector was next, with 39% keeping everything and 9% having no company-wide policy.
The findings come as Iron Mountain and law firm De Brauw Blackstone Westbroek release a Document Retention Guide covering Europe’s 15 main jurisdictions to help firms introduce compliant retention policies and understand the legislation that affects them.
Christian Toon, head of information risk at Iron Mountain, said: "Every organisation has a duty to its employees, shareholders, suppliers and customers to hold information in a way that is secure and responsible. Achieving this can be complex and time-consuming."
Lokke Moerel, ICT partner at De Brauw and professor of Global ICT law at Tilburg University, added: "Multinationals find themselves in a paradoxical situation. On the one hand, they face growing volumes of information and spiralling storage costs; yet, on the other, they feel compelled to hoard their information to avoid falling foul of complex and changing retention laws.
"Ironically, it is just as dangerous to hold onto something for too long – such as personal data or unsuccessful job applications – as it is to destroy it too soon – such as health and safety records or email correspondence that could be required for a lawsuit."
European data retention guidelines say that the retention period for information is on average six years, ranging from three months for customer complaints to over 20 years for secrecy or patent agreements.