
Data Privacy Requirements Have Launched Records Management 3.0

We’ve had two seismic, discipline-altering events in Records Management in the last 20 years:

  • 2006: Changes to the Federal Rules of Civil Procedure brought electronic records management to the forefront.
  • 2011: Awareness of the need to manage more than just narrowly defined corporate records led to the addition of “and Information” to Records Management, which is now referred to as Records and Information Management (RIM). However, beyond how records managers talked and thought about our work, little to nothing changed.

RIM is in the midst of the third seismic event: data privacy. The impact that data privacy has had on RIM will likely be the factor that changes RIM fundamentally and for the better—records managers will emerge from this shift in a few years having functioning, supported, and resourced Records Management programs. Here’s why: with the advent of the requirement to represent retention periods for personal information (PI) or sensitive personal information (SPI) under the California Privacy Rights Act (CPRA), RIM programs for Fortune 1000 organizations that manage any significant portion of consumer data will need to mature.

And for these Fortune 1000 organizations, program maturity means purging corporate records after their retention period systematically and consistently across unstructured and structured systems on a regular basis, with documentation of what was purged and how it was done.

So, what does this RIM 3.0, post-records-as-we-know-it world look like?

Everything Is in Scope

Records Management can no longer be about what would traditionally be considered corporate records but needs to expand to comprehend all corporate information. This will include:

  • Corporate information that has requirements to be retained for a certain period of time (i.e., traditional records)
  • Corporate information that has requirements to be retained no longer than a certain period of time (i.e., privacy data), and
  • Everything else, primarily operational data but also non-business data, like employees’ tax returns, kids’ soccer schedules, family pics, and all the other personal information employees manage on corporate systems.

Get Rid of Adjectives

Good prose and good policies are good in inverse proportion to the number of adjectives they contain. Official records, transitory records, vital records, business records, and the like are distinctions that in the privacy world are of low value, best case; but more often than not, these distinctions impede actually complying with retention representation requirements like those outlined in the CPRA.

If the records manager cross-references the typical complexity of records management policies with the mandatory complexity of representing retention periods for PI/SPI, the result becomes overwhelming and nearly impossible to operationalize.

Given that, an organization’s records management policy should be streamlined, at the highest level, to be aligned to three big buckets:

  • Information we have a legal, regulatory, or other obligation to keep for a certain period of time
  • Information we have a legal, regulatory, or other obligation to keep for no longer than a certain period of time
  • All other information

Tie Records to PI/SPI

Records management as typically practiced today is focused on legal requirements to retain certain categories of documents for a defined period of time, regardless of their specific content. But in the world of privacy compliance, the sensitivity of the data being managed is critical, which means that RIM will have to take into account not only what kind of record a document or data set is, but also the nature of its contents with regard to PI/SPI.

To do so, the traditional, good-practice approach to record retention schedules is going to evolve. Today, most retention schedules are organized by function/sub-function, each of which contains:

  • A set of record series
  • Examples of documents and data that fit into each series
  • The time periods and triggers that must be used to ensure that records are kept long enough to satisfy obligations
  • The legal or regulatory citations that mandate the stated retention periods

To support privacy compliance, however, this traditional approach to retention schedules will need to expand to include an indication of the PI/SPI likely to be found in each record series. When the privacy function makes the representation in the public-facing privacy notice that “we keep PI/SPI only as long as legally obligated and no longer,” this addition allows it to demonstrate to regulators, courts, and others that employees know what their legal obligations are vis-à-vis the PI/SPI that occurs in records.

For example, on a record retention schedule, the record series “Invoice” would indicate that first name, last name, address, phone, and email are present, but not biometric data, IP address, or location data. The privacy team can then use this information to create a reverse matrix showing, for each type of PI/SPI, (1) all the record series it occurs in, (2) the retention periods you keep it for before purging it, and (3) the legal and regulatory obligations you judge to be relevant for determining those retention periods.

Records Managers could also partner with their privacy team to go one step further and indicate the purpose of use for which the information in the record series is collected (e.g., Invoice data is collected for the purpose of billing). For privacy team members, the purpose of use for which PI/SPI is collected is critical for defining a defensible time period for keeping the data in order to comply with privacy regulations like CPRA or the GDPR.

The benefit of adding this dimension to the retention schedule is that it provides stronger support for corporate retention practices. For example, if the time period dictated by the purpose of use is longer than the retention period indicated on the retention schedule, from a privacy perspective an organization may be able to retain that information longer. Similarly, if the time period dictated by the purpose of use is shorter than the retention period indicated on the retention schedule, an organization may still have a basis for retaining it longer, because the organization can tie the retention period to a legal or regulatory obligation to do so.
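To make the two ideas above concrete (the reverse matrix from the “Invoice” example, and the comparison of purpose-of-use periods against schedule periods), here is an added Python illustration that is not part of the original post. The schedule, periods, and citation placeholders are constructed for the example and do not represent any real retention schedule.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RecordSeries:
    name: str
    retention_years: int   # period from the retention schedule (obligation to keep)
    citations: tuple       # legal/regulatory citations mandating that period
    pi_types: frozenset    # PI/SPI likely to be found in this series
    purpose_of_use: str    # why the PI/SPI in the series is collected
    purpose_years: int     # period the stated purpose can justify keeping the data


# Constructed sample schedule; series, periods and citations are illustrative only.
SCHEDULE = (
    RecordSeries("Invoice", 7, ("<tax-retention-citation>",),
                 frozenset({"first name", "last name", "address", "phone", "email"}),
                 "billing", 3),
    RecordSeries("Support Ticket", 2, (),
                 frozenset({"email", "IP address"}), "customer support", 4),
    RecordSeries("Quarterly Forecast", 5, ("<finance-citation>",),
                 frozenset(), "planning", 5),
)


def reverse_matrix(schedule):
    """Invert the schedule: PI/SPI type -> every series it occurs in, with the
    retention period and the citations that justify it (the privacy team's view)."""
    matrix = defaultdict(list)
    for series in schedule:
        for pi in series.pi_types:
            matrix[pi].append((series.name, series.retention_years, series.citations))
    return {pi: sorted(rows) for pi, rows in matrix.items()}


def defensible_retention(series):
    """Return (years, basis): the longer of the two periods applies, and the basis
    is either the purpose of use or the legal/regulatory obligation."""
    if series.purpose_years > series.retention_years:
        return series.purpose_years, "purpose of use"
    return series.retention_years, "legal/regulatory obligation"


def unsupported_pi_series(schedule):
    """Series that hold PI/SPI but cite no obligation: the 'no longer than legally
    obligated' representation cannot be backed for these without further work."""
    return [s.name for s in schedule if s.pi_types and not s.citations]
```

Running `unsupported_pi_series` over a real schedule is a quick way to find the record series where the privacy notice's retention representation has no citation behind it yet.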

The First Step in a Journey

The shift we’ve looked at here is important, but it’s only the first step on the journey that RIM will need to take to evolve to support privacy compliance. From here, organizations will need to operationalize this new approach to RIM so that the organization is following the retention schedule. In the next post, we’ll address some ways you can take steps to help your organization actually begin following your records retention schedule and have a functioning records management program.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
