In today’s business world, records management and compliance is critical to your firm’s operations. Internal auditors not only check firm records but also how well it’s stored to ensure the information is safe from unauthorized access.
Overview of Records & Information Management
Records and information management refers to the practice of protecting data stored by your firm throughout its lifecycle.
In today’s competitive business environment, firms rely on data to make decisions regarding operations, hiring, expansions and more. Companies collect a wide range of data of internal use. The data can be collected through marketing materials, job applications, online inquiries and so on. Some of the information may not be immediately useful to the business but may be stored for future decision making.
The consumer industry has evolved and governments all over the world are demanding businesses to be accountable for the data they collect. One of the regulations firms must comply with deals with storage. For example, the General Data Protection Regulation (GDPR) requires that all information collected should be protected from breaches.
Data Retention Schedules
The amount of time that firms retain collected data varies across industries. For example, banks are required to keep customer information for five years after an account is closed. On the other hand, schools may keep a student’s information from three years to forever, depending on the type of record. Small businesses also keep customers’ information for varying lengths of time.
Generally, records may be kept for 3 years, 5 years, 7 years, 10 years or permanently.
With data security concerns at the forefront in all industries, records management compliance should no longer be put at the backburner. Organizations need to identify all data collection avenues they use and catalog the information they obtain. Apart from this, there should be appropriate workflows for disposing of the data collected.
Creating a Records Management Policy
You can follow the ISO 15489 guidelines to create your firm’s record management policy. The guidelines provide a stable foundation for ensuring continued data retention compliance, protection and disposal.
Here are five steps to creating a records management policy:
i) Review Assets And Storage Locations
First off, you should review the type of data you collect and where you store it. There are many types of data you may be interested in. Here is a rundown of the various categories of data you may be collecting:
Operational Information
- Organization charts
- Tax information
- Customer information
Legal Information
- Consent forms
- Articles of Incorporation
- Lawsuits
Emergency Information
- Security codes
- Facility blueprints
- Technical system documentation
Financial Information
- Investments
- General ledgers
- Banking information
The data you collect may be stored in different locations, including cloud storage, onsite and offsite servers, networks, backup and recovery locations, etc.
ii) Review Risks to the Information
Your record management policies should ensure that vital information is safe from unauthorized access. You can rate how vital particular information is to your firm by asking the following questions:
- Do you hold data in physical or digital format?
- How difficult would it be to get the data you hold?
- Will you suffer significant monetary damages in case the data is lost?
iii) Review Data Importance and Rate Risk
Record management requires putting security controls in place to protect the information you collect, even though you may not access it often. The following questions will help you assess the risk to the information:
- Which employees oversee the data stored?
- What security procedures have been implemented to prevent data breaches?
- What format is the data stored in?
iv) Monitor the Security of the Records
It is critical to regularly monitor the data you have collected to ensure it is secure. These questions will help to maintain the integrity of the data you are storing:
- Do you regularly review access to the data collected?
- Are your servers constantly monitored for vulnerabilities?
- Are there systems that protect your data storage centers against external threats?
v) Proper Disposal Of Records
You should follow an industry-approved way of disposing the data at your disposal. Retaining records past the required retention period can put your firm at risk of litigation. For data disposal, answer the following questions:
- What is the recommended data disposal frequency?
- How do you erase data to ensure all metadata is erased?
Consider hiring shredding professionals to ensure your data is securely destroyed.
Use Records Management Compliance Software
Multiple departments in your company may be collecting data for various purposes. It is important to have a unified way of identifying the data collected, monitoring its storage and disposing it appropriately. You can use records management software to coordinate these activities.
Records management software allow you to prioritize tasks and have a clear picture of all the data collected by different departments. You can also assign particular employees to be in charge or managing, handling, storing and disposing of data.
Author Bio
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.
About Carson Derrow
