What is Records Management?
Records Management can be described as the management of data throughout its lifespan, from generation to deletion. Your company might not have a Records Management department, let alone a Records Management policy, but nevertheless, it already does Records Management. When you decide what data to store, where to store it and how to store it, you do Records Management. When you have procedures in place to delete documents, you do Records Management. If you provide financial services, you must keep certain records of business as required by regulation. If you handle personal data, you must be able to provide all records related to an individual on demand (usually via a Subject Access Request).
Why should we care about Records Management?
Records Management matters now more than ever with the incoming General Data Protection Regulation (GDPR). It is a unique opportunity to turn a compliance issue into a business enabler by considering matters at a strategic level: by mapping out what data your company holds, where it is stored, and how it is processed, you accomplish many positive outcomes. First, you comply with Data Protection laws, which is the primary driver ahead of May 2018, when GDPR comes into force. But you also bring clarity to the Business as to what they do, clarity to Information Security as to what they protect, and clarity to clients and partners as to what information you hold about them and what you do with it. This in turn enables your company to save on storage and information security costs, because you can now differentiate essential information that needs to be kept, maintained and protected from information that is not required or that requires less protection. Your customers will welcome your transparency and control as they become more demanding about having their privacy respected and understanding why you require such information.
So where should you start?
You shouldn’t feel the need to hire a department full of Records Management experts to achieve your goals. You will find that experienced employees have a deep knowledge and understanding of how your company works. You can leverage their expertise through targeted interviews as you build your strategy.
The 3 steps to creating and implementing your Records Management strategy are as follows:
1. Create a Records Management Policy for your company
2. Produce a register of applications and vendors in use by your company (which can be based on your service catalogue)
3. Implement the Records Management Policy across your applications and vendors – this is where you will realise savings and efficiencies
Creating a Records Management Policy
Every business has legal, regulatory and operational reasons for keeping records. For example, you could be recording customer phone conversations for training and quality purposes (business reason) or you may need to meet a regulatory requirement when selling financial products (MiFID), or you may need to comply with certain legislation.
The Records Management Policy will synthesise these business, regulatory and legal requirements for keeping records whilst doing business.
Each Business Unit should be able to tell you what type of data they process and where it is held, so that the Policy can be efficiently built from the ground up through a round of targeted interviews with long-standing employees or key business managers.
Once you have an inventory of the types of records processed by your business, you then need to balance legal, regulatory and business imperatives to choose the correct retention period for each record type. Regulation will usually impose a floor on the retention period (for example, MiFID II requires phone conversation audio records to be kept for a minimum of 5 years). Legislation will impose either a minimum or a maximum retention period (e.g. the Data Protection Act states that you should not keep personal data for longer than required for the stated business purpose).
The combination of the record types, their retention periods and their purpose all form your Records Management Policy.
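The balancing step described above (highest regulatory floor, lowest legal ceiling, business preference in between, conflicts escalated) can be made mechanical once the inventory exists. The following is an added example, not code from the original article; the record types, the 2-year "business purpose" ceiling and the conflicting third entry are constructed for illustration, and only the MiFID II 5-year minimum comes from the text.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Constraint:
    """One legal, regulatory or business rule on how long a record may be kept."""
    source: str                       # e.g. "MiFID II", "Data Protection Act"
    minimum_days: Optional[int] = None  # a floor: must keep at least this long
    maximum_days: Optional[int] = None  # a ceiling: must delete by this point


@dataclass
class RecordType:
    name: str
    purpose: str
    business_requested_days: int      # what the Business Unit said it wants
    constraints: list = field(default_factory=list)


def resolve_retention(record: RecordType) -> dict:
    """Pick the retention period that satisfies every constraint.

    The binding floor is the highest minimum; the binding ceiling is the lowest
    maximum. The business preference is honoured when it sits between them,
    otherwise it is raised to the floor or clamped to the ceiling. If the floor
    exceeds the ceiling the policy cannot be satisfied and the record type is
    flagged for Legal review instead of being given a number.
    """
    floors = [(c.minimum_days, c.source) for c in record.constraints if c.minimum_days is not None]
    ceilings = [(c.maximum_days, c.source) for c in record.constraints if c.maximum_days is not None]
    floor = max(floors) if floors else None
    ceiling = min(ceilings) if ceilings else None

    if floor and ceiling and floor[0] > ceiling[0]:
        return {"record": record.name, "status": "conflict",
                "retention_days": None,
                "note": f"{floor[1]} requires {floor[0]}d but {ceiling[1]} caps at {ceiling[0]}d"}

    days, basis = record.business_requested_days, "business"
    if floor and days < floor[0]:
        days, basis = floor            # raised to the regulatory minimum
    if ceiling and days > ceiling[0]:
        days, basis = ceiling          # clamped to the legal maximum
    return {"record": record.name, "status": "ok", "retention_days": days,
            "basis": basis, "purpose": record.purpose}


def build_policy(inventory: list) -> list:
    """Resolve every record type; the result is the retention table of the Policy."""
    return [resolve_retention(r) for r in inventory]


# Constructed inventory: the 5-year MiFID II floor is from the article, the
# 2-year "business purpose" ceiling and the conflicting entry are made up.
INVENTORY = [
    RecordType("phone_recordings", "MiFID II order evidence", 365,
               [Constraint("MiFID II", minimum_days=5 * 365)]),
    RecordType("marketing_contacts", "email campaigns", 10 * 365,
               [Constraint("Data Protection Act", maximum_days=2 * 365)]),
    RecordType("example_conflict", "illustration only", 600,
               [Constraint("Regulator X", minimum_days=1000),
                Constraint("Law Y", maximum_days=500)]),
]

if __name__ == "__main__":
    for row in build_policy(INVENTORY):
        print(row)
```

Each `conflict` row is exactly the case that needs a documented decision rather than a default, so it is worth surfacing the two sources by name.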
Registration of Applications and Vendors
Once you have a Records Management Policy, you will need to align your IT systems so that they support the implementation of the Policy. Thus, you need to build a top-down view by collecting the list of applications in use in your company through your sourcing team. This will be your starting point. You should then cross-reference this list with the Information Security team to check that it corresponds to the applications they see end-users requesting access to. Finally, you can further corroborate this list with business heads, who will usually be aware of any shadow IT applications there may be. The final list thus compiled will support the implementation of your Records Management Policy. You can take advantage of the completeness of this list to feed back to Information Security and Sourcing, plugging any gaps you may have uncovered and helping to reduce the risk of data loss through unsupervised vendors or systems.
You will then need to map the IT systems to the records they hold and those you have identified in your Records Management Policy. This will help implement your Records Management Policy.
Implementation of your Records Management Policy
Having a Records Management Policy and a mapping of your data is only a compliance tick-box exercise if you don’t follow through with implementation. Additionally, this step is where you will realise any savings and efficiencies. A good example is back-up tapes. If you can agree that the only purpose of back-up tapes is network restoration after a major disaster, and you state that purpose in your policy, then you can confidently set their retention period to, for example, no more than a week for daily tapes, no more than a month for weekly tapes, no more than a year for monthly tapes, and no more than 3 years for end-of-year tapes. Applying this will save you a lot of storage space and will bring clarity of purpose for your operations team. In parallel, of course, you must define in your policy which other records will serve to satisfy your record-keeping obligations from a business, regulatory and legal perspective.
Companies that do not have a Records Management policy will struggle to agree on retention periods and will tend to over-store records, which leads to unnecessary costs and even raises the risk of liability: old back-up tapes, to stick to this example, might not be encrypted, or might no longer be readable on current hardware, so that they are of no use to the business. If they get stolen, however, the data will be exploitable and will lead to reputational damage, if not litigation, for the firm.
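The tiered tape schedule above (a week, a month, a year, 3 years) only saves storage and reduces liability if something actually walks the tape register and says which tapes are overdue for destruction. The following is an added example, not code from the original article: it applies that schedule to a constructed tape register and separately lists overdue tapes that are unencrypted, since those are the ones the paragraph above identifies as the liability. The tape labels, dates and encryption flags are made up, and tapes whose tier is missing from the register are reported rather than silently kept.

```python
from dataclasses import dataclass
from datetime import date

# Retention ceilings taken from the schedule in the article; "a month" is read as 31 days.
RETENTION_DAYS = {
    "daily": 7,
    "weekly": 31,
    "monthly": 365,
    "end-of-year": 3 * 365,
}


@dataclass
class Tape:
    label: str
    tier: str          # one of RETENTION_DAYS, or anything else if the register is incomplete
    created: date
    encrypted: bool


def review_tapes(tapes: list, today: date) -> dict:
    """Sort a tape register into destroy / retain / unknown-tier, and flag
    unencrypted tapes that are past their retention as highest priority."""
    report = {"destroy": [], "retain": [], "unknown_tier": [], "unencrypted_overdue": []}
    for tape in tapes:
        limit = RETENTION_DAYS.get(tape.tier)
        if limit is None:
            # A tape with no tier cannot be evaluated against the policy at all.
            report["unknown_tier"].append(tape.label)
            continue
        age = (today - tape.created).days
        if age > limit:
            report["destroy"].append(tape.label)
            if not tape.encrypted:
                report["unencrypted_overdue"].append(tape.label)
        else:
            report["retain"].append(tape.label)
    return report


# Constructed register, evaluated as of a fixed date so the result is reproducible.
AS_OF = date(2018, 5, 25)
REGISTER = [
    Tape("D-20180510", "daily", date(2018, 5, 10), encrypted=True),        # 15 days old: over the 7-day limit
    Tape("W-20180510", "weekly", date(2018, 5, 10), encrypted=True),       # 15 days old: within 31 days
    Tape("M-201701", "monthly", date(2017, 1, 1), encrypted=True),         # 509 days old: over 365
    Tape("Y-2015", "end-of-year", date(2015, 12, 31), encrypted=False),    # 876 days old: within 1095
    Tape("Y-2014", "end-of-year", date(2014, 12, 31), encrypted=False),    # 1241 days old: over 1095
    Tape("LEGACY-07", "", date(2007, 6, 1), encrypted=False),              # no tier recorded
]

if __name__ == "__main__":
    for bucket, labels in review_tapes(REGISTER, AS_OF).items():
        print(f"{bucket}: {labels}")
```

The `unknown_tier` bucket is the practical check worth keeping: an untiered tape is usually exactly the old, unencrypted media the paragraph warns about, and a register that hides it behind a default retention defeats the purpose of the policy.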
Once you have a Records Management strategy in place and being implemented, you can review your Information Security, Legal, Compliance and Business strategies to align them with the data you know you own and the operations around it. This brings added benefits beyond the Records Management realm: you can focus Information Security resources on areas of sensitive data, identify high-risk operations currently being performed, and change them to a lower-risk alternative or drop them altogether if the business case is negative.
Conclusion
It is now clearer what businesses stand to gain from having a clear Records Management strategy: better compliance with data protection laws, heightened operational efficiency, and more focused and efficient information security. To maximise the benefits of a Records Management strategy, it should also be integrated with the Information Security, Legal, Compliance and Business strategies to enable the business to operate in an efficient, compliant and secure environment going forward.