Post on 10-Mar-2018

COMPLEX RETENTION SCHEDULING

JOHN MONTAÑA

WHAT’S A RETENTION SCHEDULE?

Conceptually, it’s nothing more than:

A list of records or record types

A retention period for each item on the list

In reality, it’s:

An index and finding aid

A policy and work instructions

A legal compliance document

EXCEPT THAT IT’S MUCH MORE

High Stakes

Product/corporate liability

Regulatory actions

Lawsuits

Adverse publicity

Undesirable political attention

REGULATORY LANDSCAPE

Possible Issues:

Heavily regulated organization

Multiple jurisdictions

Requirements that:

Overlap

Conflict

JURISDICTIONAL AND PREEMPTION ISSUES

Potential concurrent state and federal jurisdiction and foreign jurisdiction

Potential concurrent jurisdiction by different agencies

Different regulatory regimes for different business processes

Cross-border issues of regulation

REGULATORY COMPLIANCE

Regulators

International, state, federal, local, industry

The list will depend on your industry:

Pharma

Banking

Utilities

Etc.

Everybody will have some:

Wage and hour

OSH

Tax

VAGUE OR ABSENT LAWS

Laws may have grave consequences, but give little or no records guidance

Some countries may have no developed regulatory regime in an area

There is a complete absence of regulatory requirements

But there will be civil liability

And there may be very long statutes of limitation

DEVELOPING REGULATORY REGIMES

Countries that formerly had no records laws in an area develop a regime rapidly

HR

OSH

Environmental

MULTINATIONAL REGULATORY REGIMES

European Union

Mercosur

ASEAN

CARICOM

Increasingly, these replace or supplement national law

THE ODD CASE OF RUSSIA

Master national retention schedule

All records, business and personal

The Russian State Archives can require:

Permission prior to records destruction

Assessment of expired business records

Accession of them to state archives

All at your expense

GENERAL ISSUES TO BE AWARE OF

Don’t assume the rules are the same everywhere

Retention requirements vary

Regulatory regimes familiar to U.S. or Canadian records managers may be:

Vague and unhelpful

Absent

Many countries have IG/RIM laws on the books dating from the early 1800s.

RETENTION REQUIREMENTS

Can vary dramatically:

Payroll – from 2 years to 45 years – or more

Tax and accounting records – from 3 years to 75 years

Personnel files – from 3 years to permanent

DATA PRIVACY LAWS

Affect a wide variety of personal data about anyone

Severely restrict use of that data

Severely limit where that data can be stored or sent

May have burdensome requirements about managing, using and manipulating the data

Very strictly enforced

MAXIMUM RETENTION PERIODS

Increasingly, personal data is governed by maximum retention periods

Keeping records longer is a violation of law

Maximum retention periods may be in tension with legally required minimum periods

Maximum retention may only affect part of a record

Maximums vary widely by country

LOCATION RESTRICTIONS

Tax and accounting – or other – records may have to be kept in the country of origin

If stored electronically, the server or media may have to be physically located in the country

Not just Europe – a worldwide issue

RETENTION SCHEDULES

Country-by-country, regional, or universal?

It depends:

Country-by-country allows the shortest retention periods, but is the most complicated to administer

Universal is easiest to administer, but may result in very long retention periods worldwide, so exceptions may be necessary

This is aggravated if you go big bucket

If you go by country, can you actually administer it?
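The trade-off between a universal and a country-by-country schedule, including the clash between minimum and maximum retention periods, can be checked mechanically. The following is an added example, not part of the original presentation; the jurisdiction labels A to D and all periods are constructed placeholders, not legal research.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    country: str               # placeholder jurisdiction label
    record_type: str
    min_years: int             # legally required minimum retention
    max_years: Optional[int]   # privacy-law maximum, None if there is no cap

# Constructed sample rules for one record type.
RULES = [
    Rule("A", "payroll", 2, None),
    Rule("B", "payroll", 7, 10),
    Rule("C", "payroll", 45, None),
    Rule("D", "payroll", 5, 6),
]

def universal_schedule(rules, record_type, exception_countries=()):
    """One worldwide period: the longest minimum among non-excepted countries.

    Returns (period, violations); violations lists the countries whose
    maximum retention period is shorter than the universal period.
    """
    core = [r for r in rules
            if r.record_type == record_type
            and r.country not in exception_countries]
    period = max(r.min_years for r in core)
    violations = sorted(r.country for r in core
                        if r.max_years is not None and period > r.max_years)
    return period, violations

def country_schedule(rules, record_type):
    """Country-by-country: each country keeps records for its own minimum."""
    schedule = {}
    for r in rules:
        if r.record_type != record_type:
            continue
        if r.max_years is not None and r.min_years > r.max_years:
            raise ValueError(f"{r.country}: minimum exceeds maximum")
        schedule[r.country] = r.min_years
    return schedule

if __name__ == "__main__":
    print(universal_schedule(RULES, "payroll"))          # one long period
    print(universal_schedule(RULES, "payroll", ("C",)))  # C as an exception
    print(country_schedule(RULES, "payroll"))
```

With these sample rules, treating the 45-year jurisdiction as an exception shortens the universal period but still leaves one country whose maximum is exceeded.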

SOME GOOD NEWS

Business processes are similar everywhere, so:

The kinds of records kept, and the kinds required to be kept, do not vary greatly by country

SYSTEMS ISSUES

ERP and EDM systems – e.g., SAP, PeopleSoft

Maximum periods are often granular, often very short

ERP and EDM systems make purging difficult, buckets very big

How do you make such a system compliant?

Even systems engineered for compliance may not be fully compliant

Time for big buckets

BIG DATA

• Large, distributed IT systems

• Multiple servers

• Multiple repositories

• Huge volumes – terabytes, petabytes, soon exabytes

• Much is unstructured, poorly organized and identified data

HOW MANY DOCUMENTS IS THAT?

THE USUAL STATE OF AFFAIRS

Many repositories in bad shape

Think share drives, share directories, SharePoint

Directory structure no help or non-existent

Far too many docs for manual indexing

Far too many locations to deal with personally

MULTI-COUNTRY DATA REPOSITORIES

May run afoul of various legal requirements:

Data privacy laws

Media restrictions

Location restrictions

May pose retention issues if retention periods differ

Do your research before you configure a system

WHAT THIS MEANS

System configuration is critical

You have to account for:

Retention requirements

Privacy and access requirements

Media restrictions

Location requirements

LEGACY SYSTEMS

Often not legally compliant

Re-configuration may not be possible or practical

You may have challenges until the system is replaced

WHAT DO YOU DO ABOUT THE BIG, DARK DATA?

You can find out a lot, at least at a high level

That allows you to create some reasonably well-sorted topical groupings

The groupings can form the basis of a classification

The classification forms the basis of governance

DATA TYPES AS AN ISSUE

SEARCHABLE

docx rtf sdf

pptx pages tar

xlsx tex vcf

epub txt pps

html wps wpd

xml csv odt

pptx dat pages

msg key log

WHAT DO WE MEAN BY SEARCHABLE?

The files contain text that can be searched by software tools that scan the system looking for combinations of letters, numbers and symbols

E-discovery software, data loss prevention software

HERE’S HOW THE GAME IS PLAYED

You design searches based on keywords, character combinations, etc.

The software crawls the system, identifies and tags objects that meet search criteria

Properly chosen search criteria allow classification of data objects based on the match

UPSIDES AND DOWNSIDES

Up

Can scan really large systems

Finds things you could never find otherwise

Down

Takes a long time on a big system

May require many unique searches

Doesn’t tell you anything about objects that don’t match search criteria

Accuracy is not great, buckets are likely to be big, messy
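The crawl-and-tag approach and its blind spots can be seen on a small scale. The following is an added example, not part of the original presentation and not any product's own logic; the search criteria, tag names and file contents are hypothetical and constructed for the demonstration.

```python
import os
import re
import tempfile

# Subset of the extensions the slides list as searchable.
SEARCHABLE = {"txt", "csv", "html", "xml", "log", "rtf", "tex"}

# Hypothetical search criteria: bucket tag -> pattern.
CRITERIA = {
    "payroll": re.compile(r"\b(payroll|gross pay|net pay)\b", re.I),
    "personal-data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped
}

def crawl(root):
    """Return {relative path: tags} for every file under root.

    'unsearchable' = extension the text scan cannot read;
    'unmatched'    = readable, but no criterion hit (still unclassified).
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext not in SEARCHABLE:
                results[rel] = ["unsearchable"]
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            tags = sorted(t for t, rx in CRITERIA.items() if rx.search(text))
            results[rel] = tags or ["unmatched"]
    return results

def demo():
    """Classify a small constructed share drive (all contents invented)."""
    samples = {
        "run_2017.csv": "employee,gross pay,net pay\nJ. Doe,4000,3100\n",
        "onboarding.txt": "SSN: 123-45-6789\nPayroll start: 2017-01-01\n",
        "notes.txt": "Lunch menu for Friday\n",
        "scan_0001.tif": "not real image data",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return crawl(root)

if __name__ == "__main__":
    for path, tags in sorted(demo().items()):
        print(path, tags)
```

The `unmatched` and `unsearchable` results are the objects the scan says nothing about; they still need a retention decision.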

DATA TYPES AS AN ISSUE

NOT-SO-SEARCHABLE

aif 3gp

iff avi

m3u flv

m4a m4v

mid mpg

mp3 rm

mpa srt

wav swf

wma vob

3g2 wmv

DATA TYPES AS AN ISSUE

NOT-AT-ALL-SEARCHABLE

bmp tga

dds thm

gif thm

png tif

psd tiff

pspimage yuv

THE ESSENTIAL COMPROMISES OF BIG BUCKETS

Big buckets = long retention = big storage costs

Downstream costs (e.g., discovery) grow proportionally

Bigger buckets = less information about their contents

THE IT TENSION

You want as few buckets as possible

Legal requirements or other considerations will force more buckets on you

System configuration limitations may limit your ability to accommodate this tension

You may find that you’re stuck with sub-optimal strategies

THINGS TO THINK ABOUT WHEN CREATING YOUR BUCKETS

Keep legal requirements in mind

More doc types and more jurisdictions = more laws = longer retention

A doc type with a long legal retention or a jurisdiction with excessive legal retention periods may need to be dealt with as an exception – if possible

Consider downstream costs

Long-term retention of large volumes is costly – are the doc types worth that money, or should you split up the bucket to gain efficiency?

Make sure you understand what’s technically feasible

THERE’S NO HARD AND FAST RULE

Any combination of large and small buckets has advantages and disadvantages

Cost

Complexity

Ease of implementation

Ease of administration

You must decide which combination of tradeoffs works for your organization

WELL-KNOWN ISSUES AFFECTING YOUR RETENTION SCHEDULE: YOU’RE LIKELY TO HAVE AT LEAST A FEW OF THESE:

SYSTEM ARCHITECTURE INCONSISTENT WITH LEGAL REQUIREMENTS

System locations conflict with privacy or location laws

Data silos within systems result in very long retention periods

DATA GROWTH

Big buckets = long retention periods = geometric growth of data sets

Over time the IT budget is blown away by growth in storage costs

Downstream costs (e.g., discovery) grow proportionally

WHERE DOES ALL THAT LEAVE US?

In a complex environment, everything is a series of compromises

Most of the compromises will be messy

Literal compliance with all laws may not be possible or may be prohibitively expensive or difficult

THE RISK-COST-BENEFIT EQUATION

Everything will come down to cost versus benefit versus the risks being addressed

Budgets are always limited

Resources are already limited

Some risks may not be worth a grade-A solution

Think the GARP maturity model – a C may be just fine

QUESTIONS?

John Montaña

Montaña & Associates

4340 South Pennsylvania St.

Englewood CO 80113

610-255-1588

484-653-8422 mobile

jcmontana@montana-associates.com

www.montana-associates.com

twitter: @johncmontana
