Regulatory requirements surrounding information retention are complex. Businesses charged with the responsibility of implementing the policies, procedures, and solutions pertaining to information and document retention need only contemplate the many disciplines (operations, administration, technology, legal, etc.) that are touched by information retention before the enormity of this task sets in.
Understandably, businesses may not know where to begin, what technologies to consider, or how to achieve compliance. To keep things simple, we recommend that businesses begin with three steps:
- Understand your industry data retention requirements.
- Design and implement a data retention policy.
- Implement an electronic content management (ECM) solution that’s right for you.
Understand your industry
While there are a seemingly endless number of regulations surrounding information retention, not all affect all organizations. It’s important to complete the appropriate research to find out which ones apply to you.
For example, Sarbanes-Oxley (SOX) stipulates that SEC companies have a seven-year requirement; the Gramm-Leach-Bliley Act (GLBA) states that financial institutions have a six-year requirement; the Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare providers have a six-year requirement; and new PCI requirements stipulate that retailers and financial institutions must immediately discard one-time transactional data. It’s a lot to process. Consulting with a professional who’s aware of the intricacies of your industry may be helpful.
Design and implement a data retention policy
It’s important to design and implement a data retention policy that both meets your business’s needs and complies with relevant regulations. Data retention policies are documents that address the complex issues inherent in maintaining corporate information for a predetermined length of time.
This is more complicated than it sounds, as different record types require different retention lengths, and computer systems and applications have increased the complexity of your considerations. In addition to describing how long various record types must be maintained (and in what format), retention policies usually describe the procedures for archiving information, guidelines for destroying information when a time limit has been reached, and special mechanisms for handling records under litigation.
Oftentimes, organizations look to the Internet for inspiration. However, generic policies may cause as many problems as they solve. It’s important to consult with a professional who knows the appropriate law for your specific industry and business type.
Other items to consider when developing a policy include:
- E-mail and instant messages. Both can be official record types (depending on content), which is a common oversight for many organizations.
- Information retention is a business issue. To be effective, data retention should be a coordinated effort with representation from management, business units, and IT.
- Time equals money, and information can take a great deal of time to retrieve and sort through. The proper retention and archiving tools can save you countless hours and dollars.
- Data retention is also data deletion. In 2005, Morgan Stanley was ordered to pay $1.5 billion (at 7 percent interest) because they didn’t turn over evidence they believed had been destroyed.
Implement an ECM solution
If you think this is a monumental issue in search of a solution, you’re in good company. Dozens of software companies have addressed the technology side of this problem. As with any software selection, it’s prudent that your business develop a comprehensive list of requirements for an ECM system and then find the vendor that best matches your requirements — and your checkbook.
Ask for help
An explosion of mediums and an increasing regulatory environment has led to the need for complex, comprehensive management of electronic content. The themes of this effort are simple, but the specifics of implementation are often challenging. If you’re feeling overwhelmed by these demands, don’t hesitate to seek Plante Moran’s assistance.
