David Smythe, Principal, Financial Services Information Governance and Digital Solutions, Iron Mountain
New, more stringent regulations, increasing fines, exploding volumes of data and heightened organisational risk awareness (reputational, legal, and financial) are driving increased attention to data and information governance, in particular records management and retention. A major component of information governance is a records management and retention program that classifies data (what it is, where it is, why it is required) over the lifecycle of that information, enabling virtually all information processes to be more effective and efficient.
All data processing activities are enhanced by understanding where your data is, what it is, what the value is, who owns and needs access to it and how long to keep it. This is foundational, whether you are working to protect Personally Identifiable Information (PII), addressing legal e-discovery demands or driving business functions such as mortgage loan processing.
Applied records retention mitigates real-life issues. Take the major multinational that spent an unnecessary 11 million dollars to review records in e-discovery that should have been disposed of years prior. Or consider several compelling events where major European banks spent millions on discovery and new processes related to historic acts, but still had to pay huge fines. A robust records management program would have reduced the negative inferences and reputational damage encountered during and resulting from these otherwise avoidable events.
New privacy regulations (GDPR), data theft and fraud are driving more focus on retention and classification as well. For example, Subject Access Requests (SARs) require knowledge of PII data, where it is and why you have it. The regulations require disposition, so you need to know what your legal, regulatory and business retention requirements are.
In another example, one of the main types of fraud that businesses are regularly faced with today is the theft and reselling of confidential or employee records. To combat this, firms need to know what data they hold, so they can ensure security measures are correctly calibrated to each type of record.
What can and should be done as part of a good records management and retention program?
- Records retention policies provide the classification of what the information is, the rules for managing that information and the legal, regulatory and business requirements (citations).
- Coupled with content classification of the data that is stored, the program should allow information lifecycle management. Understanding what your information is, where it is and applying retention controls mitigates risks and costs such as inefficient search, data processing errors, data loss and excessive storage.
- New technologies are facilitating data discovery and the tagging of data. This automation is valuable but does not address the problems above without suitable rules and governance. For example, clear retention rules are needed to maximise benefits.
In summary, why are financial institutions seeking the benefits of enhanced information governance and records retention today?
- protecting your organisation from liability
- demonstrating compliance with legal requirements
- improving business efficiency and worker productivity
- enabling efficient storage, which affects technical performance
- reducing physical space costs
To leverage your retention program for competitive advantage, think of what it can do to enable your business.
These issues are front-of-mind for businesses worldwide. But with the increasing complexity of regulations and requirements, expertise and professional guidance are vital. Learn more about security, compliance and information governance during a whole week of live, online sessions from 10-13 December.
Register here for the free Physical Meets Digital virtual forum.