Ascertus: Records management is key to any data protection initiative
The European Commission’s resolution to adopt the ‘adequacy’ decision for the UK under the General Data Protection Regulation (GDPR), allowing the continued free flow of personal data from the European Union to the UK, has been greeted with much relief by the business community. It means that – at least for the next four years – personal data can continue to flow freely, and firms don’t need to adopt other bespoke and potentially costly measures to comply with data protection rules. Should the UK decide to exit the GDPR, then of course the European Commission will reassess its position.
Regardless of how the rules evolve in the UK, European Union, or even in the US, records management has to be a key component of firms’ data protection obligation and programme. If done correctly, it will serve as a solid foundation for whatever shape the regulatory demands take in the future.
Many organisations have already borne the wrath of the European Commission with GDPR violation fines, especially in the last two years. In reaction, we are seeing an urgency in both law firms and corporates to ensure that their house is in order from a data and records management standpoint.
A word of caution – firms have an obligation to apply the same levels of governance to physical records as for electronic records – and perhaps this is where data protection and records management becomes even more complicated.
For firms undertaking records management, below are some considerations:
- The software isn’t enough – Firms spend a fair amount of time identifying the best records management software with the expectation that the tool will automatically undertake the management of records. However, the software is only as good as the retention policy that is applied, which in turn is best determined by the organisation itself, based on the nature of work they do for their clients, the mix of electronic and physical records, and so forth. For example, in The Netherlands, records need to be retained for 20 years due to the region’s statutory limitation of liability requirement. In the UK, records need to be typically retained for seven years using VAT rules, but there may be exceptions for documents such as Pension records that would need to be kept forever. Similarly, there may be a legal requirement to store original documents (e.g., Deeds, Wills) for very long periods. Firms’ unique requirements, combined with best practice advisory provided by the software provider, will deliver the most effective solution.
- Don’t rely on automated deletion – Often firms rely on the automated records deletion processes only to realise that they have actually lost valuable information that should have in fact been retained. Once records are deleted, it’s a point of no return. When configuring the records management software, building in safeguards whereby an individual has to physically click to delete records is a sounder approach.
- Integrate records and document management systems – Standalone records management systems are of limited value. Firms should consider an integrated approach for the best results. Why? Users in firms frequently expect similar functionality from both systems, but it’s important to appreciate their differences. They serve different purposes. Records management systems store the metadata of the documents (not the actual content) that is located in the document management system (DMS).
Illustrating using the integration of iManage Records Management (IRM) and iManage Work document management systems – users can work on documents residing in iManage Work and IRM manages the retention clock alongside integrating the Client and Matter names. There is a ‘declaration’ process within IRM that allows folders and documents in iManage Work to be recognised as ‘records’, which means that the metadata for these records sync into IRM. So, when records are deleted in compliance with the firm’s retention policy, they don’t appear in iManage Work but reference to them remain within the corresponding hierarchy in IRM. So, users can determine the records that have been deleted via the metadata in IRM, including the specific Clients and Matters the documents and folders originally resided in within iManage Work.
