Does your records management and retention policy comply with the GDPR?

Records management is once again a key business issue, thanks to the new European Union General Data Protection Regulation (GDPR), which no organisation can ignore, given that penalties for non-compliance can potentially be up to four per cent of an organisation’s global revenue. Clearly, via this directive, the European Commission is aiming to drive organisations to make data protection a key business function.

Records management requires a retention policy

Underlying records management is a strong and forceful document retention policy. Most organisations that have a document management system have the ability to audit the usage of records and files – i.e. how many opens, who has viewed the individual documents, date and time stamps, and so on – and hence believe that they already have a retention policy in place. The reality is that the scope of a retention policy is far greater.

A retention policy offers guidance and provides a framework for employees to manage information across its lifecycle so that the entire organisation complies with the various laws and regulations pertaining to data management. A retention policy also covers both physical paper and digital formats, which makes its enforcement complex and difficult for organisations. Consider this: routinely, employees make print copies of digital files. So if a digital file is destroyed in line with the retention policy while a paper copy of the same file sits in an office drawer, the policy is breached. This then potentially impacts compliance with the GDPR along with a number of other industry-wide regulations.

Different organisations, different approaches

Organisations that have established retention policies often take different approaches to their enforcement. For example, at one law firm we work with, an appointed individual ensures that the firm’s retention policy is executed for all data and documents. As part of this initiative, the individual alerts the employees concerned when a matter file is coming to end of life. So, the approach involves significant manual monitoring and intervention. But another client – a large bank – is much more ruthless in the way it implements the policy. Any file that has reached its end of life based on the corporate retention policy is automatically deleted without any forewarning to the employees concerned. Therefore, unless staff rigidly police file close dates and the retention policy itself, they could potentially lose important data. Neither approach is satisfactory; surely there’s a better way?

Integrated document and records management

Corporate data can include everything from employee salaries and other information, client records, business accounting details and commercial correspondence through to supplier and partner emails. So by adopting integrated document and records management processes, organisations ensure that retention policies can be applied automatically to physical files, electronic documents and email correspondence. Such technologies embed good governance practices so that policies can be enforced in both controlled and uncontrolled environments, from a range of device types as well as inside and outside the corporate firewall. Such safeguards are especially critical, given the ever-increasing cyber risks that businesses are faced with today.

Automation of these processes also reduces the cost of enforcing a retention policy and of broader information and records management. For example, the cost of storage can be minimised. Once a project finishes, based on the number of years the emails and other related documents need to be kept, they can be relocated to cheaper storage so that the cost of archive file storage (digital and physical) is reduced.

A common mistake well avoided

Many organisations add third-party records management systems on to their document management solutions, believing that this approach will provide all the necessary functionality and facilitate compliance. It is a risky approach, as seamless integration of two different proprietary systems is frequently hard to achieve. Also, records management systems typically lack the capability to manage physical paper records, which is a vital component of information and records management for compliance.

Integrated document and records management and automation make compliance less time-consuming, burdensome and costly to the business. They allow administrators to establish, monitor and enforce governance policies for compliance with industry regulations via trigger events, defined retention periods and document destruction rules. At the same time, businesses can extract the knowledge residing within the records for future re-use and competitive advantage. Regulatory compliance in general is moving away from a tick-box approach to an increasingly process-driven exercise. Best-of-breed solutions help embed this kind of approach in an organisation.
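As an added illustration (not code from this article or from Ascertus), the following Python sketch applies hypothetical retention rules built from the three elements named above: a trigger event (the file's close date), a defined retention period and a destruction rule. It gives the record owner notice before destruction rather than deleting without forewarning, blocks destruction while a paper copy is known to exist, and flags finished records for relocation to cheaper storage. The rule values and the sample inventory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Record:
    ref: str
    kind: str           # retention class, e.g. "matter_file" or "project_email"
    closed_on: date     # trigger event: matter closed / project finished
    formats: frozenset  # copies known to exist: "digital" and/or "paper"

# Hypothetical rules: years kept after the trigger event, years after which the
# record may move to cheaper archive storage, and days' notice before destruction.
RULES = {
    "matter_file":   {"keep_years": 7, "archive_after_years": 1, "notice_days": 30},
    "project_email": {"keep_years": 3, "archive_after_years": 1, "notice_days": 30},
}

def add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + n, day=28)

def evaluate(rec, today):
    """Return the (action, detail) due for one record on `today`."""
    rule = RULES[rec.kind]
    destroy_on = add_years(rec.closed_on, rule["keep_years"])
    archive_on = add_years(rec.closed_on, rule["archive_after_years"])
    if today >= destroy_on:
        # A paper copy still in a drawer would leave the policy breached, so block.
        if "paper" in rec.formats:
            return ("destroy_blocked", "collect paper copy before destruction")
        return ("destroy", f"retention expired {destroy_on.isoformat()}")
    if today >= destroy_on - timedelta(days=rule["notice_days"]):
        return ("notify", f"destruction due {destroy_on.isoformat()}")
    if today >= archive_on:
        return ("archive", "relocate to cheaper storage tier")
    return ("retain", "no action")

def run_schedule(records, today):
    return {r.ref: evaluate(r, today) for r in records}

# Constructed sample inventory and run date for demonstration.
TODAY = date(2022, 12, 20)
SAMPLE = [
    Record("M-1", "matter_file", date(2015, 6, 1), frozenset({"digital"})),
    Record("M-2", "matter_file", date(2015, 6, 1), frozenset({"digital", "paper"})),
    Record("P-1", "project_email", date(2020, 1, 15), frozenset({"digital"})),
    Record("P-2", "project_email", date(2021, 6, 1), frozenset({"digital"})),
    Record("P-3", "project_email", date(2022, 11, 1), frozenset({"digital"})),
]
```

The dictionary returned by `run_schedule` is the audit trail of what the policy decided for each record on that date, which is the evidence a compliance review would ask for.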

Jon Wainwright, Sales Director, Ascertus Limited