Legal compliance in data retention is not about what you
have to keep, but knowing what you can delete. Even in a
"paperless" age, storage is expensive. For any business
it is not practical to keep everything, and a balance needs to be
struck.
However, pressure to cut costs cannot compromise on data storage
and compliance, as shortcuts are often regretted later down the
line.
The objective is to retain documents for the appropriate length
of time to satisfy business, legal and operational requirements,
while keeping storage costs to a minimum. In addition to economic
and market pressures, companies must ensure their policies are up
to date with improvements in data storage technology.
Benefits
So what are the advantages of compliance and data retention? The
benefits of a document retention policy are tied in with the
requirements of a business. Data provides the basis for future
executive decisions and provides evidence of a completed material
business transaction.
Beyond legal compliance, data retention helps an organisation to
demonstrate good corporate governance, which is increasingly
important today.
Additionally, data retention helps to manage and reduce storage
costs, ensure a consistent approach across all sites, locations and
jurisdictions and improve operational efficiency.
Legal requirements
In today's ever-changing business climate, organisations must
ensure their data policies are kept up to date with legal
requirements. A data retention policy must take into consideration
the future needs of actual or potential litigation.
For example, an effective data retention policy can protect
against breach of contract, personal injury and property
litigation, and public liability claims. It also ensures an
organisation meets a broad range of statutory or regulatory
requirements, including health and safety legislation and
accounting requirements.
The Data Protection Act 1998 sets out considerations that
organisations must adhere to in relation to personal or sensitive
data relating to individuals.
The requirement to keep personal data secure compels businesses
to keep pace with developments in technology, and in particular
data security.
Organisations operating in the US also need to be aware of the
Sarbanes-Oxley Act, which was passed in the US after the Arthur
Andersen/Enron and
WorldCom scandals. Sarbanes-Oxley introduced new requirements
and penalties for data retention, including criminal penalties for
altering documents and destroying audit papers less than seven
years old.
Types of data
Knowing what kinds of data need to be taken into consideration
is the first step in determining a data strategy. A document covers
any means by which information is generated, stored or
communicated, including information contained on paper-based and
electronic documents.
Companies will need to look across business functions and
divisions to identify information they hold and use. This covers a
wide variety of information, including financial records, insurance
policies, contractual documents and HR personnel records.
Formulation and consideration
When formulating a data retention policy, emerging relevant
legislation must be taken into consideration. A policy must be
drawn from a combination of analogous laws, common sense and best
practice.
The following must be taken into consideration when determining
a policy:
● The flexibility requirements of every organisation differ -
one size does not fit all.
● The practical and technological limitations must be balanced
with legal compliance.
● Organisations must seek cooperation from different quarters:
business people, the legal department, records management and IT
specialists.
● The policy must be written in straightforward language and
presented in a user-friendly format.
The mobile workforce is a growing trend in today's business, and so
too are businesses' concerns over the lack of control over what is
stored on mobile devices.
Although the same rules apply whether the data is on a mobile
device or not, the security issues surrounding the use of mobile
devices have yet to be really bottomed out. The spiralling number
of security breaches relating to lost laptops is an example of
this.
Having considered the types of data, legal requirements and
formulation considerations, data retention policies need to be
practically workable to be enforceable. In order for a policy to
work, it must be communicated to employees, and staff must be
trained to understand and use the policy properly.
Businesses must consider appointing key staff to manage and
implement the policy, while senior management must allocate time
and resources to enforce and audit it.
Finally, a review of the policy must be undertaken and
compliance audits carried out to ensure that it is up to date,
taking into account changes in the law. Once the policy is adopted,
compliance must then be ensured so that all the work put into a
strategy does not go to waste.