By Jon Wainwright, Sales Director, Ascertus Limited
The new European Union General Data Protection Regulation (GDPR) has made information and records management a key issue for businesses. Through the expanded scope of this new directive, with potential penalties of up to four per cent of worldwide turnover of non-complaint organisations, the European Commission aims to drive organisations to make data protection a key function of business.
A retention policy underlies records management
An effective and robust document retention policy is essential for information and records management. Most organisations that have a document management system have the ability to audit the usage of records and files – i.e. how many opens, who has viewed the individual documents, date and time stamps and so on. But the scope of a retention policy is far greater.
A retention policy provides guidance and framework for employees to manage information and data – across its lifecycle – so that the entire organisation complies with the various laws and regulations pertaining to data management. Importantly, a retention policy includes both physical paper and digital formats and this is where the complexity of enforcing it becomes problematic for organisations. Routinely, employees make print copies of digital files. So if based on the retention policy, a digital file is destroyed, and a paper version of same resides in an office drawer, the rule is breached. This then potentially poses implications for compliance with a variety of industry-wide regulations, not just the GDPR.
Common approaches to retention policy enforcement
Organisations that have a retention policy instituted, tend to take different approaches to its enforcement. For example, at one law firm we work with, an appointed individual ensures sure that the firm’s retention policy is executed for all data and documents. As part of this initiative, the individual alerts the employees concerned when a matter file is coming to end of life. Clearly, the approach involves significant manual intervention. But another client – a large bank – is much more ruthless in the way it implements the policy. The file that has reached its end of life based on the corporate retention policy is automatically deleted without any forewarning to the employees concerned. So unless staff rigidly police file close dates and the retention policy themselves, they could potentially lose important data. Neither approach is satisfactory.
Regulatory compliance requires integrated document and records management
With corporate data including everything from employee information, client records, business accounting details and commercial correspondence through to supplier emails – adopting integrated document and records management processes is essential. This ensures that retention policies can be applied automatically to physical files, electronic documents and email correspondence. Such technologies embed good governance practices so that policies can be enforced in both controlled and uncontrolled environments, from a range of device types, inside and outside the corporate firewall. In this age of ever-increasing cyber risks, such safeguards are crucial.
Automation of these process also reduces the cost of enforcing a retention policy and broader information and records management. For example, cost of storage can be minimised. Once a project finishes, based on the number of years the emails and other related documents need to be stored, it can be relocated to cheaper storage so that the cost of archive file storage (digital and physical) are reduced.
A common mistake
Nevertheless, many organisations tend to add on third-party records management systems to their document management solutions, believing that the approach will provide all the necessary functionality and hence facilitate compliance. Such an approach itself creates risk as often seamless integration of two different proprietary systems is hard to achieve. Furthermore, typically records management systems lack the capability to manage physical paper records, which is a critical component of information and records management for compliance.
Best of breed functionality is essential
Integrated document and records management and automation makes compliance less burdensome and costly to the business. Compliance administrators can institute, monitor and enforce governance policies for compliance with industry-wide regulations via trigger events, defined retention periods and exact disposition rules. At the same time, businesses can extract the knowledge residing within the records for future re-use and competitive advantage. Such best of breed systems exist today and are worth exploring – compliance is no longer a tick-box exercise, the risk of financial penalties is real, more so in the banking and financial sector due to the nature of business than perhaps in any other industry.