The keys to a compliance-ready records retention schedule

Data retention and destruction have become key elements of compliance, making a retention schedule essential to a successful GRC program.

The ever-increasing number of regulations put forth by legislative and administrative agencies, combined with the explosion of company-generated data, ensures that compliance is a challenge on par with climbing Mount Everest. A key element to maintaining compliance in today's business world is the creation of data retention schedules, which guarantee companies maintain and track legal, regulatory and other proprietary data.

The first thing you need to do is figure out -- based on the industry you're in and the business activities you do, then based on the legal jurisdictions you operate in -- what are the rules?

Barclay Blair,
president, ViaLumina

When developing records retention schedules, however, companies must carefully examine what data they retain, how they retain it and for how long, in order to avoid legal and compliance challenges.

Large organizations deal with complex sets of requirements brought on by the Sarbanes-Oxley Act, the Dodd-Frank Act and an alphabet soup of legislation, according to Barclay Blair, president of New York-based information governance consultancy ViaLumina. "The first thing you need to do is figure out -- based on the industry you're in and the business activities you do, then based on the legal jurisdictions you operate in -- what are the rules?" he said.

This is not as simple as it sounds: Reading these rules requires a lot of judgment calls, since they aren't written as guidebooks and serve better as a foundation for a data retention policy or schedule, Blair said. "Some are very vague as to what is required," he added.

Most companies already have records retention schedules, but they were developed during the Mad Men era of business, when secretarial pools, formal typed memos and three-martini lunches were the norm, according to Blair. "In that era, keeping organized was akin to running a library. The advantage of that library science era is that any company I go into has a retention schedule … but no one has looked at it in 15 years," he said.

In these cases, "a typical starting point for us is almost throwing that schedule away," Blair said. The records retention schedule doesn't reflect the reality of the business anymore, particularly as the business has grown, changed or acquired other units, nor does it reflect how employees communicate. On the legal side, old retention policies often are not current with new developments in relevant laws, he said.

The next step is reviewing the rules and determining which retention period will apply. "If you're subject to more than one, the one that has the longest retention period is the one that will apply," said A.N. Ananth, CEO at Columbia, Md.-based software provider EventTracker. For example, a bank can be subject to both Payment Card Industry Data Security Standards and the Gramm-Leach-Bliley Act (GLBA). Both carry different retention requirements, and companies need to consider both before setting internal policies, he said.

When preparing data retention policies, Ananth recommends consulting with auditors prior to setting policy in stone. "In spite of the ways one can read the regulations and interpret one way, the auditor will most likely have their own opinion. It's never a good idea to make a decision in isolation without including the auditor," he said.

The other consideration when setting data retention schedules is how the data is going to be stored, according to Jennifer Searfoss, principal at Annapolis, Md.-based health care law firm Searfoss & Associates LLC. "Choose technology that's tried and true and is going to be around," she said. For example, companies that chose tapes for backup years ago are now at a disadvantage should an audit occur and could spend copious amounts of money trying to access that data, she said.

electronic medical records are particularly difficult to standardize in a format that will be accessible seven years from now, given how rapidly technology changes, Searfoss said. "It's a good conversation to have with vendors to see how to put [the records] in a standardized or interoperable format, because they'll try to put it in a proprietary format," she said. Part of the problem is that in the health care space, the goal often is to start a company, then get purchased by a larger company, which means that an old platform is not supported, she added.

"If [the data] is not accessible in any other way, there needs to be some way to access it: Either the system is retained, or you work with a vendor who can do it," Searfoss said. She advises working with professionals who can transfer data from outdated technology to new servers while preserving the integrity of the files.

As long as companies are looking at the records retention schedule timeframe as it correlates with regulations, as well as the formats they're using for electronic data, compliance shouldn't be an insurmountable obstacle. If these retention policies reflect how employees work today, companies will be ready for anything from a litigation, audit or subpoena standpoint.

About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for searchCRM.

Let us know what you think about the story; email Ben Cole, associate editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Dig Deeper on Data reduction and deduplication

Disaster Recovery