In our last blog post we touched upon the who and what questions of records management as they relate to businesses. Read on to learn about the remainder of the 5 W’s and 1 H.
Where are records and information sets stored?
If knowing what types of information are collected and stored is most important, knowing where that information is stored may be a close second. That’s because what and where are closely intertwined. You want to know exactly what your organization possesses and where it is kept in order to protect it and maintain compliance with industry and government regulation. If where is not known, a discovery of all the locations in which information is kept is necessary. Physical and digital locations should be analyzed and can include:
- Hardware (laptops, cellphones, etc.)
- Software (records management systems, SharePoint, Dropbox)
- In office locations (storage closets, extra offices, etc.)
- Off-site locations (secure document storage facility)
- Removable media (USB, external HDs, CDs)
Of course, information could be kept in other locations as well, and it will be up to your team to identify exactly where those are. Once completed, your organization should have a proper handle on where everything is. As a possible added bonus, duplicate information could be identified during this process and categorized as vital or non-vital.
When are records kept and when are they destroyed?
Not all information is created equal. Some sets are inherently more valuable than others. You might find that every piece of information your organization holds has been kept forever, not because it is needed or has some kind of regulatory requirement, but simply because that’s how things have been done since the very beginning. If this is the case, it’s time to identify the proper retention periods of the data stored. These retention periods will vary across different information sets and depend on several factors. For example:
- Operational necessity (client names, numbers, addresses, etc.)
- Legal/regulatory requirements (industry or government imposed)
- Financial requirements
- Historical value
- Audit/legal hold
What you may find is that some information qualifies for all factors and some only for one. Regardless, if the information needs to be retained, it becomes the job of the team to assign and enforce specific retention dates that are communicated throughout the entirety of an organization. Notes and emails may need to be destroyed more frequently, and invoices may need to be kept for a certain number of years. In any case, automating the destruction process can be key to making sure retention periods are monitored and followed.
Why update and implement policies?
The value of information is immense. It fuels not only your day-to-day business activities, but your business’s future growth too. And as your business grows, so does the volume of information that is collected and stored. Protecting that information and managing it efficiently is a priority that not only helps you maintain compliance, but also lets you move at speed when dealing with clients and vendors. Because of this, it becomes integral to implement and regularly update policies to reflect sound records management principles.
How will it all be implemented?
It takes a village. We all know the saying and it rings ever true for records management. Building a team to create and implement policies, remediate gaps, and regularly review plans is essential to mapping out the strategy that governs the entirety of your organization’s records management. You want to have engaged and invested department heads, informed information management professionals, and personnel who truly understand the value of governing information.
This is because records management is ever evolving. Regulation is changing. Just look at the CCPA, which went into effect in 2020. It was a regulatory change to the way many businesses were handling consumer information, and in the years prior, you can bet many organizations were preparing their policies to adapt to the changing landscape.
Taking a set-it-and-leave-it approach to records management is an extremely risky proposition. An all-too-likely scenario that will result from this sort of tactic is a breach of information that could ultimately be the demise of the business itself.
Piecing it together
Ultimately, ensuring information is properly protected and maintained in accordance with compliance regulation is the goal. Your business wants to be able to verify that its information is secure while remaining readily accessible to personnel should they need it. Following these guidelines can get you on your way, and consulting with information management professionals will help eliminate any errors you could possibly make along the way. Protect information, mitigate the risk, and realize the power it holds to drive your business forward.