Legal compliance in data retention is not about what you have to keep, but about knowing what you can delete. Even in a "paperless" age, storage is expensive. For any business it is not practical to keep everything, and a balance needs to be struck.
However, pressure to cut costs must not compromise data storage and compliance, as shortcuts are often regretted later down the line.
The objective is to retain documents for the appropriate length of time to satisfy business, legal and operational requirements, while keeping storage costs to a minimum. In addition to economic and market pressures, companies must ensure their policies are up to date with improvements in data storage technology.
So what are the advantages of compliance and data retention? The benefits of a document retention policy are tied in with the requirements of a business. Data provides the basis for future executive decisions and provides evidence of a completed material business transaction.
Beyond legal compliance, data retention helps an organisation to demonstrate good corporate governance, which is increasingly important today.
Additionally, data retention helps to manage and reduce storage costs, ensure a consistent approach across all sites, locations and jurisdictions and improve operational efficiency.
In today's ever-changing business climate, organisations must ensure their data policies are kept up to date with legal requirements. A data retention policy must take into consideration the future needs of actual or potential litigation.
For example, an effective data retention policy can protect against breach of contract, personal injury and property litigation, and public liability claims. It also ensures an organisation meets a broad range of statutory or regulatory requirements, including health and safety legislation and accounting requirements.
The Data Protection Act 1998 sets out considerations that organisations must adhere to in relation to personal or sensitive data relating to individuals.
The requirement to keep personal data secure compels businesses to keep pace with developments in technology, and in particular data security.
Organisations operating in the US also need to be aware of the Sarbanes-Oxley Act, which was passed in the US after the Arthur Andersen/Enron and WorldCom scandals. Sarbanes-Oxley introduced new data retention requirements and penalties, including criminal penalties for altering documents and destroying audit papers less than seven years old.
Types of data
Knowing what kinds of data need to be taken into consideration is the first step in determining a data strategy. A document covers any means by which information is generated, stored or communicated, including information contained on paper-based and electronic documents.
Companies will need to look across business functions and divisions to identify information they hold and use. This covers a wide variety of information, including financial records, insurance policies, contractual documents and HR personnel records.
Formulation and consideration
When formulating a data retention policy, emerging relevant legislation must be taken into consideration. A policy must be drawn from a combination of analogous laws, common sense and best practice.
The following must be taken into consideration when determining a policy:
● The flexibility requirements of every organisation differ - one size does not fit all.
● The practical and technological limitations must be balanced with legal compliance.
● Organisations must seek cooperation from different quarters: business people, the legal department, records management and IT specialists.
● It must be written in straightforward language and presented in a user-friendly format.
The mobile workforce is a growing trend in today's business, and so too are businesses' concerns over the lack of control over what is stored on mobile devices.
Although the same rules apply whether the data is on a mobile device or not, the security issues surrounding the use of mobile devices have yet to be really bottomed out. The spiralling number of security breaches relating to lost laptops is an example of this.
Having considered the types of data, legal requirements and formulation considerations, data retention policies need to be practically workable to be enforceable. In order for a policy to work, it must be communicated to employees, and staff must be trained to understand and use the policy properly.
Businesses must consider appointing key staff to manage and implement the policy, while senior management must allocate time and resources to enforce and audit it.
Finally, a review of the policy must be undertaken and compliance audits carried out to ensure that it is up to date, taking into account changes in the law. Once the policy is adopted, compliance must be ensured so that all the work put into a strategy does not go to waste.