The EU General Data Protection Regulation has put records management back on the business agenda
Records management is back on the business agenda, driven by the new European Union General Data Protection Regulation (GDPR), which comes into effect in under two years from now. Through the GDPR, the European Commission intends to strengthen and unify data protection for individuals within the EU. This new directive represents a substantial leap in scope compared to previous versions of this regulation, and non-compliance with it poses a major risk to businesses.
No organization can take lightly the risk of a sanction that can be up to four percent of its worldwide turnover.
A retention policy
Vital to information and records management is an effective and robust document retention policy. Most organizations that have a document management system have the ability to audit the usage of records/files/documents -- i.e. how many opens, who has viewed the individual documents, date and time stamps and so on. But the question is, do they have a fully-fledged, enforceable retention policy?
A retention policy establishes the duration of time for which information/data/records should be managed and retained in an organization. It provides guidance and a framework for employees on how they must manage information and data -- from creation through to destruction -- so that the organization as a whole can comply with the various laws and regulations pertaining to data management. Critical to note here is that a retention policy covers both paper and digital formats, and this is where enforcing it becomes more complex. Commonly, employees make print copies of digital files. So if, based on the retention policy, a digital file is destroyed, a paper version of the same file tucked away in a drawer breaches the rule, which potentially has implications for compliance with industry-wide regulations including the GDPR and others.
Typical approaches to retention policy enforcement
Interestingly, organizations that have a retention policy take different approaches to its enforcement. For example, at one law firm we work with, an appointed individual ensures that the firm’s retention policy is executed for all data and documents. As part of this initiative, the individual alerts the employees concerned when a matter file is coming to end of life. Clearly, the approach involves significant manual intervention. But another organization -- a large banking client -- is more ruthless in the way it implements the policy. A file that has reached its end of life based on the corporate retention policy is automatically deleted without any forewarning to the employees concerned. This means that unless staff rigidly police file close dates and retention policies themselves, they could potentially lose important records. Neither approach is satisfactory.
Integrated document and records management is safest for regulatory compliance
Given that corporate data includes everything from employee information, client records and business accounting details through to supplier emails -- practically any data that is used for or generated during business operation -- adopting integrated document and records management processes is essential. This ensures that retention policies can be applied automatically to physical files, electronic documents and emails. Such technologies embed good governance practices so that policies can be enforced in both controlled and uncontrolled environments, inside and outside the corporate firewall. In this age of ever-increasing cyber-attacks, such safeguards are imperative.
Automation of the process also reduces the cost of enforcing a retention policy and of broader information and records management, and minimizes the cost of storage. For instance, once a project finishes, the emails and other related documents can be relocated to cheaper storage, based on the number of years they need to be stored, so that the cost of archive file storage (digital and physical) is reduced.
However, many organizations simply add on third-party records management systems to their document management solutions. Such an approach is risky, as seamless integration of two different proprietary systems is often hard to achieve. More pertinently, though, records management systems typically lack the capability to manage physical paper records, which is a critical component of information management for compliance.
Integrated document and records management and automation make compliance less burdensome and less costly to the business -- all the while ensuring that the knowledge residing in the data is appropriately extracted for re-use and competitive advantage. They also reduce the risk of financial penalties and sanctions.
Jon Wainwright is Sales Director at Ascertus Limited. Prior to Ascertus, he was Sales Director with responsibility for driving sales and growing the business at Solicitec, a case management solution provider to professional services organizations. His experience in the document and case management sector spans more than 22 years. During this time, he has helped many legal and accounting firms as well as large corporate and government departments implement strategic end-to-end document life cycle management and automation solutions. At Ascertus, he has worked with companies such as the BBC, Virgin Media, DNB, Danske, TOTAL, Schroders, ASDA, Sony and many more highly respected FTSE 100 organizations.