Image by: erhui1979, ©2017 Getty Images

Every organization faces risks when it fails to meet its recordkeeping obligations. Good practices in records compliance help mitigate those risks, and for many organizations this is the foremost reason for building a records and information management (RIM) program.

What Is Records Compliance?

Records compliance is an organization’s ability to meet its external and internal recordkeeping obligations. External obligations come from the laws and regulations of the jurisdictions in which it operates. In the United States, these are found chiefly in the United States Code (USC) and the Code of Federal Regulations (CFR). Each country has its own laws and regulations, and countries in the European Union (EU) are also subject to EU laws, regulations, and directives that bind member states.

In the United States, all organizations must keep records supporting their tax filings under 26 U.S. Code § 6001 and 26 CFR § 1.6001-1(a) and (e), in compliance with Internal Revenue requirements. In many other countries, such as India, Malaysia, Singapore, South Africa, and the United Kingdom, the equivalent requirements are set out in a Companies Act.


Other recordkeeping obligations flow from an organization’s activities, business purpose, or industry: for example, environmental records, personnel records, or the records specific to manufacturing, sales and marketing, and similar sectors.

In the EU, the General Data Protection Regulation (GDPR) governs personal data as defined in Article 4 of the regulation. Article 5 sets out seven principles, four of which directly affect how long such data may be retained: Purpose Limitation, Data Minimization, Storage Limitation, and Integrity and Confidentiality.

Finally, external obligations can also come from industry standards that an organization must follow.

Internal compliance is the ability of the organization to comply with its own records and information policies and processes in a consistent and repeatable manner.

Why Is It Necessary to Comply?

A key driver for organizations to comply with their recordkeeping obligations is the risk that non-compliance carries. Fines, sanctions, penalties, and other monetary damages can be costly when imposed. Non-compliance can also generate bad publicity and the appearance of wrongdoing, which can tarnish the organization’s reputation, diminish customer loyalty, and ultimately affect its profitability.

In audits, litigation, or investigations, an organization that can show a good-faith effort to comply with its own policies and processes has a stronger defense for its program. This can help mitigate negative determinations or adverse judgments by the courts.

What's the Best Way to Comply?

An organization should apply its recordkeeping practices consistently, systematically, and with reasonable enforcement. It should be able to demonstrate how it is complying with its recordkeeping obligations through proper documentation of its RIM program and practices.

The main line of defense for a compliant program is the organization’s RIM policy and records retention schedule. The policy states what employees must and must not do. The records retention schedule lists every business record the organization must keep and how long it must keep it; at a minimum, those periods must meet the legal retention requirements. Both the policy and the schedule should be reviewed and updated regularly.

Next, the organization should maintain documented processes and procedures that give employees clear directions on how to implement the policy. This should include an annual records cleanup in offices and across its electronic assets. The disposal process must not appear arbitrary: disposal should follow the retention schedule, be documented, and be suspended for any records subject to a legal hold for pending or anticipated litigation, audit, or investigation.

The organization should also communicate with and train its employees regularly on the importance of the RIM program and its effect on the organization, especially the policy, how to use the records retention schedule, and each employee’s role and responsibilities in the process. Communications should continue whenever the program changes. Without proper communications and training, it is difficult to hold employees accountable for being out of compliance.

Finally, to ensure a measurable level of compliance, there should be a mechanism for monitoring or evaluating the processes against pre-defined standards. This can take the form of a periodic internal audit or review of the program, with corrective actions and metrics for continuous process improvement.

The Bottom Line

Recordkeeping is a duty of all organizations, and failing to meet recordkeeping obligations carries risk. Each organization must evaluate its tolerance for that risk. It should assess the cost of building a legally defensible RIM program and weigh it against the potential cost of the consequences it could face for not complying. The organization can then develop a “risk-based” RIM program around the level of risk it is willing to accept and implement it with a reasonable, good-faith effort.

Cindy Zuvich, CRM, is the Principal of Unigrated Global, an information governance consultancy and records management services company based in White Plains, New York. Contact Cindy at cindy.zuvich@unigrated.com.