Data Privacy Requirements Launched Records Management 3.0

In the last 20 years, we have had two seismic events that have disrupted the discipline in the field of records management:

  • 2006: the modification of the Federal Rules of Civil Procedure puts the electronic management of documents in the foreground.
  • 2011: Awareness of the need to manage more than narrowly defined business documents led to the addition of “and information” to document management, now called document information management (RIM) . However, beyond how records managers spoke and thought about our work, little or nothing has changed.

RIM is in the midst of the third seismic event: data privacy. The impact that data privacy has had on RIM is likely to be the factor that fundamentally changes RIM for the better – records managers will emerge from this change in a few years with functional, supported and resourced records management programs . Here’s why: With the advent of mandatory representation of personal information (PI) or sensitive personal information (SPI) retention periods under the California Privacy Rights Act (CPRA), RIM’s programs for Fortune 1000 that handle a significant portion of consumer data, will need to mature.

And for these Fortune 1000 organizations, program maturity means: Purging corporate records past their retention period in a systematic and consistent manner across unstructured and structured systems on a regular basis, with documentation of what has been done and how.

So what is this RIM 3.0, post-records-as-we-know-it world looks like?

It’s all within reach

Records management can no longer be about what would traditionally be considered company records, but must expand to understand all company information. This will include

  • Business information that must be retained for a certain period of time (i.e., traditional recordings)
  • Company information that must be retained for a certain period (i.e., Privacy Data), and
  • Everything else, primarily operational data, but also non-business data, such as employee tax returns, children’s football schedules, family photos, and all other personal information that employees manage on company systems.

Get rid of adjectives

Good prose and good politics are good inversely proportional to the number of adjectives they contain. Official recordings, transient recordings, vital recordings, Company records, etc., are distinctions which, in the world of privacy, are of little value, at best; but more often than not, these distinctions prevent true compliance with retention representation requirements such as those outlined in the CPRA.

If the records manager intersects the typical complexity of records management policies with the mandatory complexity of representing retention periods for PI/SPI, it becomes overwhelming and nearly impossible to operationalize.

Given this, an organization’s records management policy needs to be streamlined, at the highest level, to align with three broad categories:

  • Information that we have a legal, regulatory or other obligation to retain for a certain period of time
  • Information that we have a legal, regulatory or other obligation not to retain for more than a certain period of time
  • All other information

Link records to PI/SPI

Records management, as generally practiced today, focuses on the legal requirements to retain certain categories of records for a set period of time, regardless of their specific content. But in terms of privacy, the sensitivity of the data managed is critical, which means that RIM will need to consider not only the type of record of a document or dataset, but also the nature of its content with respect to PI/SPI.

To accomplish this, the traditional best practice approach to document retention schedules will evolve. Today, most retention schedules are organized by function/sub-function, each containing

  • A set of record series
  • Examples of documents and data that correspond to each series
  • Time periods and triggers that must be used to ensure records are retained long enough to meet obligations
  • The reference legal or regulatory citations which impose the retention periods indicated

However, to support confidentiality, this traditional approach to retention schedules will need to be expanded to include an indication of the PI/SPI likely to be found in each set of records. This will allow your privacy feature to demonstrate to regulators, courts, and others, when making statements in the public privacy notice, that “we only retain PI/SPI for as long as we are legally there.” obligated and no more”, that employees know what their legal obligations are with respect to the PI/SPI that appear in the records.

For example, on a records retention schedule, the “Invoice” record series would show that first name, last name, address, phone, and email are present, but not biometrics, IP address or location data. The privacy team can then use this information to create an inverted matrix to display for each type of PI/SPI, (1) all series of records in which it occurs, (2) time periods storage for which you keep it before purging it, and (3) the legal and regulatory obligations that you consider relevant to determine these retention periods.

Records managers can also partner with their privacy team to go further and indicate the purpose of use for which the record series information is collected (for example, billing data is collected for billing purposes). For members of the privacy team, the purpose of use for which the PI/SPI is collected is critical to defining a defensible period of time to retain the data to comply with privacy regulations such as CPRA or GDPR .

The benefit of adding this dimension to the retention calendar is that it provides stronger support for corporate retention practices. For example, if the time period dictated by the purpose of use is longer than the retention period indicated on the retention schedule, from a privacy perspective, an organization may be able to retain this information longer. long time. Similarly, if the duration dictated by the purpose of use is shorter than the retention period indicated on the retention term, an organization can now have a basis for retaining it longer, because the organization can link the duration of retention to a legal or regulatory obligation to do so.

The first leg of a journey

The change we’ve looked at here is significant, but it’s only the first step in the journey RIM will need to take to evolve to support privacy compliance. From there, organizations will need to operationalize this new approach from RIM so that the organization meets the retention schedule. In the next article, we’ll cover some ways you can take steps to help your organization start following your records retention schedule and have a functioning records management program.