First, what is Records Management? It is the management of the data a company generates while doing business, from creation to deletion. Your company might not have a Records Management department, let alone a Records Management policy, but it already does Records Management: when you decide what data to store, where to store it and how to store it, you do Records Management. When you have procedures in place to delete documents, you do Records Management. If you provide financial services, regulation obliges you to keep certain records of business. If you handle personal data, you must be able to produce, on request, all the records you hold about an individual (a Subject Access Request).
So why should we care about Records Management? It matters now more than ever with the incoming General Data Protection Regulation (GDPR). It is a unique opportunity to turn a compliance issue into a business enabler by addressing it at a strategic level: by mapping out what data your company holds, where it is stored and how it is processed, you achieve several positive outcomes at once. First, you comply with data protection law, which is the primary driver ahead of May 2018, when GDPR comes into force. But you also bring clarity to the Business as to what they do, clarity to Information Security as to what they protect, and clarity to clients and partners as to what information you hold about them and what you do with it. This in turn lets your company save on storage and information security costs, because you can now separate essential information that must be kept, maintained and protected from information that is not required, or that needs less protection. Your customers will welcome that transparency and control as they become more demanding about their privacy and about why you need the information you ask for.
So where should you start? You do not need to hire a department full of Records Management experts to achieve your goals. Employees who have been around for several years have a deep knowledge of how your company actually works, and you can draw on that expertise through targeted interviews as you build your strategy.
The 3 steps to creating and implementing your Records Management strategy are as follows:
- Create a Records Management Policy for your company
- Create a register of applications and vendors in use by your company (which can be based on your service catalogue)
- Implement the Records Management Policy across your applications and vendors – this is where you will realize savings and efficiencies
Records management policy
Every business has legal, regulatory and operational reasons for keeping records. Take recording customer phone conversations with your customer service team: you may do it for training and quality purposes (a business reason), because a regulation requires it when selling financial products (MiFID), or because legislation requires it.
The Records Management Policy will synthesize these business, regulatory and legal purposes for keeping records during the course of doing business.
Each Business Unit should be able to tell you what types of data it processes and where they are held, so the Policy can be built from the ground up efficiently through a round of targeted interviews with long-standing employees or key business managers.
Once you have an inventory of the record types your business processes, you need to balance legal, regulatory and business imperatives when choosing a retention period for each record type. Regulation will usually impose a floor (for example, MiFID II requires telephone conversation recordings to be kept for a minimum of 5 years). Legislation will impose either a minimum or a maximum (for example, the Data Protection Act states that personal data must not be kept for longer than required for its stated business purpose, which acts as a ceiling). Where a regulatory floor sits above a legal ceiling you have a conflict that the policy cannot settle on its own, and it needs to go to Legal and Compliance rather than be decided by whoever owns the system.
The combination of the record types, their retention periods and the purposes for which these records are held form your Records Management Policy.
Register of applications and vendors
Once you have a Records Management Policy, you will need to align your IT systems so they support its implementation. Start by building a top-down view: collect the list of applications in use in your company from your IT and sourcing teams. Then cross-reference this list with the Information Security team to check that it matches the applications end users actually request access to. Finally, corroborate it with Business Heads, who will usually be aware of any shadow IT applications in their area. The list thus compiled will support the implementation of your Records Management Policy. You can also feed it back to Information Security and Sourcing to plug the gaps you have uncovered, which reduces the risk of data loss through unsupervised vendors or systems that nobody was tracking.
You will then need to map each IT system to the records it holds, as identified in your Records Management Policy. This mapping is what makes the Policy implementable: it tells you, for each retention period, which systems and vendors have to enforce it.
Implementation of your Records Management Policy
Having a Records Management Policy and a mapping of your data is only a compliance tick-box exercise if you don't follow through with implementation. This step is also where you realise the savings and efficiencies. Back-up tapes are a good example. If you can agree that the only purpose of back-up tapes is restoring systems after a major disaster, and you state that in your policy, then you can confidently set their retention periods accordingly, for example: no more than a week for daily tapes, no more than a month for weekly tapes, no more than a year for monthly tapes, and no more than 3 years for end-of-year tapes. Applying this saves a lot of storage space and gives your operations team clarity of purpose. In parallel, your policy must define which other records will satisfy your record-keeping obligations from a business, regulatory and legal perspective, so that nobody is relying on the back-ups to do that job.
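The two decisions described above, resolving a retention period from competing constraints and applying a tiered tape schedule, are easy to state and easy to get wrong once there are dozens of record types and a safe full of tapes. The script below is an added example, not code from the article or from any regulation: it turns those two rules into checks you can run against an inventory. The record types, constraint values, tape labels and dates are constructed for illustration (the MiFID II 5-year floor and the tape tiers follow the figures in the text; the 2-year data protection ceiling is an assumed number, since the Act sets the ceiling relative to the stated purpose rather than as a fixed term).

```python
"""Added example: retention resolution and tiered backup-tape expiry.

All record types, constraint values and tapes below are constructed
for illustration; confirm real periods with Legal/Compliance.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Constraint:
    source: str   # who imposes it, e.g. "MiFID II", "Data Protection Act", "business"
    kind: str     # "floor": keep at least; "ceiling": keep at most; "want": business need
    years: int


def resolve_retention(constraints):
    """Pick one retention period (in years) from competing constraints.

    Keep for the highest floor or business need, whichever is longer, but
    never beyond the lowest ceiling. A floor above a ceiling is a conflict
    the policy cannot settle on its own, so it is raised for legal review.
    """
    floors = [c.years for c in constraints if c.kind == "floor"]
    ceilings = [c.years for c in constraints if c.kind == "ceiling"]
    wants = [c.years for c in constraints if c.kind == "want"]
    floor = max(floors, default=0)
    ceiling = min(ceilings, default=None)
    if ceiling is not None and floor > ceiling:
        raise ValueError(f"floor {floor}y exceeds ceiling {ceiling}y; needs legal review")
    period = max([floor] + wants)
    if ceiling is not None:
        period = min(period, ceiling)  # a business wish is capped by legislation
    return period


def build_policy(record_types):
    """Resolve every record type; return ({type: years}, {type: conflict reason})."""
    resolved, conflicts = {}, {}
    for name, constraints in record_types.items():
        try:
            resolved[name] = resolve_retention(constraints)
        except ValueError as err:
            conflicts[name] = str(err)
    return resolved, conflicts


# Tiered tape schedule with the retention figures used in the text.
TAPE_RETENTION = {
    "daily": timedelta(days=7),
    "weekly": timedelta(days=31),
    "monthly": timedelta(days=365),
    "yearly": timedelta(days=3 * 365),
}


@dataclass(frozen=True)
class Tape:
    label: str
    tier: str
    written: date
    encrypted: bool


def expired_tapes(tapes, today):
    """Return tapes past their tier's retention, unencrypted ones first.

    An expired, unencrypted tape has no business value left but is still
    readable by whoever walks off with it, so it heads the destruction list.
    """
    expired = [t for t in tapes if today - t.written > TAPE_RETENTION[t.tier]]
    return sorted(expired, key=lambda t: (t.encrypted, t.written))


# Constructed inventory: what an operations team might find in the tape safe.
INVENTORY = [
    Tape("D-2018-04-20", "daily", date(2018, 4, 20), True),
    Tape("D-2018-04-27", "daily", date(2018, 4, 27), True),
    Tape("W-2018-03-16", "weekly", date(2018, 3, 16), True),
    Tape("M-2016-12-31", "monthly", date(2016, 12, 31), False),
    Tape("Y-2013-12-31", "yearly", date(2013, 12, 31), False),
    Tape("Y-2016-12-31", "yearly", date(2016, 12, 31), True),
]

# Constructed record types with the constraints each one is subject to.
RECORD_TYPES = {
    "client call recordings": [Constraint("MiFID II", "floor", 5),
                               Constraint("business", "want", 1)],
    "marketing leads": [Constraint("business", "want", 10),
                        Constraint("Data Protection Act", "ceiling", 2)],
    "complaint files": [Constraint("regulator", "floor", 5),
                        Constraint("Data Protection Act", "ceiling", 3)],
}

if __name__ == "__main__":
    periods, conflicts = build_policy(RECORD_TYPES)
    for name, years in periods.items():
        print(f"{name}: keep {years} year(s)")
    for name, why in conflicts.items():
        print(f"{name}: CONFLICT, {why}")
    for tape in expired_tapes(INVENTORY, date(2018, 4, 30)):
        flag = "" if tape.encrypted else " (UNENCRYPTED, destroy first)"
        print(f"destroy {tape.label}{flag}")
```

Run as-is it prints the resolved period per record type, the one record type that needs legal review because its regulatory floor exceeds the assumed data protection ceiling, and the tapes to pull from the safe on 30 April 2018, with the two unencrypted ones listed first. The policy is the input to this script, not its output: change the constraints or the tiers and the checks follow.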
Companies that do not have a Records Management policy will struggle to agree on retention periods, and will tend to over-store records, which leads to unnecessary costs and even raises the risk of liability. To stay with the example: old back-up tapes may be unencrypted, or written in a format that current drives can no longer read, so they are of no further use to the business. If they are stolen, however, the data on them may still be recoverable by the thief, and the result is reputation damage if not litigation for the firm. Retention only truly ends when the media is destroyed and the destruction is recorded, so the policy should also say who disposes of expired tapes and how.
Once you have a Records Management strategy in place and being implemented, you can review your Information Security, Legal, Compliance and Business strategies to align them with the data you now know you hold and the operations around it. This brings benefits beyond the Records Management realm: you can focus Information Security resources on the areas where sensitive data actually sits, identify high-risk operations currently being performed, and either change them to a lower-risk alternative or drop them altogether if the business case is negative.
It should now be clearer what businesses stand to gain from a clear Records Management strategy: better compliance with data protection laws, greater operational efficiency, and more focused and efficient information security. To maximize these benefits, the strategy should be integrated with the Information Security, Legal, Compliance and Business strategies, so that the business can operate in an efficient, compliant and secure environment going forward.