COMPLEX RETENTION SCHEDULING JOHN MONTAÑA
WHAT’S A RETENTION SCHEDULE?
Conceptually, it’s nothing more than:
A list of records or record types
A retention period for each item on the list
In reality, it’s:
An index and finding aid
A policy and work instructions
A legal compliance document
EXCEPT THAT IT’S MUCH MORE
High Stakes
Product/corporate liability
Regulatory actions
Lawsuits
Adverse publicity
Undesirable political attention
REGULATORY LANDSCAPE
Possible Issues:
Heavily regulated organization
Multiple jurisdictions
Requirements that:
Overlap
Conflict
JURISDICTIONAL AND PREEMPTION ISSUES
Potential concurrent state and federal jurisdiction and foreign jurisdiction
Potential concurrent jurisdiction by different agencies
Different regulatory regimes for different business processes
Cross-border issues of regulation
REGULATORY COMPLIANCE
Regulators
International, state, federal, local, industry
The list will depend on your industry:
Pharma
Banking
Utilities
Etc.
Everybody will have some:
Wage and hour
OSH
Tax
VAGUE OR ABSENT LAWS
Laws may have grave consequences, but give little or no records guidance
Some countries may have no developed regulatory regime in an area
There is a complete absence of regulatory requirements
But there will be civil liability
And there may be very long statutes of limitation
DEVELOPING REGULATORY REGIMES
Countries that formerly had no records laws in an area develop a regime rapidly
HR
OSH
Environmental
MULTINATIONAL REGULATORY REGIMES
European Union
Mercosur
ASEAN
CARICOM
Increasingly, these replace or supplement national law
THE ODD CASE OF RUSSIA
Master national retention schedule
All records, business and personal
The Russian State Archives can require:
Permission prior to records destruction
Assessment of expired business records
Accession of them to state archives
All at your expense
GENERAL ISSUES TO BE AWARE OF
Don’t assume the rules are the same everywhere
Retention requirements vary
Regulatory regimes familiar to U.S. or Canadian records managers may be:
Vague and unhelpful
Absent
Many countries have IG/RIM laws on the books dating from the early 1800s.
RETENTION REQUIREMENTS
Can vary dramatically:
Payroll – from 2 years to 45 years – or more
Tax and accounting records – from 3 years to 75 years
Personnel files – from 3 years to permanent
DATA PRIVACY LAWS
Affect a wide variety of personal data about anyone
Severely restrict use of that data
Severely limit where that data can be stored or sent
May have burdensome requirements about managing, using and manipulating the data
Very strictly enforced
MAXIMUM RETENTION PERIODS
Increasingly, personal data is governed by maximum retention periods
Keeping records longer is a violation of law
Maximum retention periods may be in tension with legally required minimum periods
Maximum retention may only affect part of a record
Maximums vary widely by country
LOCATION RESTRICTIONS
Tax and accounting records, or other records, may have to be kept in the country of origin
If stored electronically, the server or media may have to be physically located in the country
Not just Europe – a worldwide issue
RETENTION SCHEDULES
Country-by-country, regional, or universal?
It depends:
Country-by-country allows the shortest retention periods, but is the most complicated to administer
Universal is easiest to administer, but may result in very long retention periods worldwide, so exceptions may be necessary
This is aggravated if you go big bucket
If you go by country, can you actually administer it?
SOME GOOD NEWS
Business processes are similar everywhere, so:
The kinds of records kept, and the kinds required to be kept, do not vary greatly by country
SYSTEMS ISSUES
ERP and EDM systems – e.g., SAP, PeopleSoft
Maximum periods are often granular, often very short
ERP and EDM systems make purging difficult, buckets very big
How do you make such a system compliant?
Even systems engineered for compliance may not be fully compliant
Time for big buckets
BIG DATA
• Large, distributed IT systems
• Multiple servers
• Multiple repositories
• Huge volumes – terabytes, petabytes, soon exabytes
• Much is unstructured, poorly organized and identified data
HOW MANY DOCUMENTS IS THAT?
THE USUAL STATE OF AFFAIRS
Many repositories in bad shape
Think share drives, shared directories, SharePoint
Directory structure no help or non-existent
Far too many docs for manual indexing
Far too many locations to deal with personally
MULTI-COUNTRY DATA REPOSITORIES
May run afoul of various legal requirements:
Data privacy laws
Media restrictions
Location restrictions
May pose retention issues if retention periods differ
Do your research before you configure a system
WHAT THIS MEANS
System configuration is critical
You have to account for:
Retention requirements
Privacy and access requirements
Media restrictions
Location requirements
LEGACY SYSTEMS
Often not legally compliant
Re-configuration may not be possible or practical
You may have challenges until the system is replaced
WHAT DO YOU DO ABOUT THE BIG, DARK DATA?
You can find out a lot, at least at a high level
That allows you to create some reasonably well-sorted topical groupings
The groupings can form the basis of a classification
The classification forms the basis of governance
DATA TYPES AS AN ISSUE
docx rtf sdf
pptx pages tar
xlsx tex vcf
epub txt pps
html wps wpd
xml csv odt
pptx dat pages
msg key log
SEARCHABLE
WHAT DO WE MEAN BY SEARCHABLE?
The files contain text that can be searched by software tools that scan the system looking for combinations of letters, numbers and symbols
E-discovery software, data loss prevention software
HERE’S HOW THE GAME IS PLAYED
You design searches based on keywords, character combinations, etc.
The software crawls the system, identifies and tags objects that meet search criteria
Properly chosen search criteria allow classification of data objects based on the match
UPSIDES AND DOWNSIDES
Up
Can scan really large systems
Finds things you could never find otherwise
Down
Takes a long time on a big system
May require many unique searches
Doesn’t tell you anything about objects that don’t match search criteria
Accuracy is not great, buckets are likely to be big, messy
DATA TYPES AS AN ISSUE
aif 3gp
iff avi
m3u flv
m4a m4v
mid mpg
mp3 rm
mpa srt
wav swf
wma vob
3g2 wmv
NOT-SO-SEARCHABLE
DATA TYPES AS AN ISSUE
bmp tga
dds thm
gif thm
png tif
psd tiff
pspimage yuv
NOT-AT-ALL-SEARCHABLE
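The crawl-and-tag approach described in the slides above, as an added example that is not part of the original presentation: keyword and pattern rules sort text-searchable objects into buckets, while unmatched objects and non-searchable file types are counted as blind spots. The rule names, patterns and sample objects are hypothetical and constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Subset of the extensions the slides list as searchable; every other type is
# treated as opaque to text search in this sketch.
SEARCHABLE = {"docx", "rtf", "txt", "csv", "html", "xml", "msg", "log"}

# Hypothetical search criteria: bucket name -> pattern run over extracted text.
RULES = {
    "payroll": re.compile(r"\b(payroll|pay stub|gross pay)\b", re.I),
    "tax": re.compile(r"\b(tax return|withholding)\b", re.I),
    "personal-data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # ID-shaped number
}

def classify(objects):
    """Tag (path, extracted_text) pairs; returns {bucket: [paths]}."""
    buckets = defaultdict(list)
    for path, text in objects:
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext not in SEARCHABLE:
            buckets["unsearchable"].append(path)  # the crawler cannot read it
            continue
        hits = [name for name, rx in RULES.items() if rx.search(text)]
        # An object can land in several buckets; no hit at all means "unmatched".
        for name in hits or ["unmatched"]:
            buckets[name].append(path)
    return dict(buckets)

def coverage(buckets, total):
    """Fraction of objects the searches actually said something about."""
    blind = set(buckets.get("unsearchable", [])) | set(buckets.get("unmatched", []))
    return 1 - len(blind) / total

# Constructed sample objects (paths and contents are invented for illustration).
SAMPLE = [
    ("hr/2019/run_03.csv", "Payroll run March; gross pay 4,200; 078-05-1120"),
    ("fin/q2.docx", "Draft tax return and withholding summary"),
    ("misc/notes.txt", "Lunch order for Friday"),
    ("scans/contract.tif", ""),
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    for bucket in sorted(result):
        print(f"{bucket:14} {result[bucket]}")
    print(f"coverage: {coverage(result, len(SAMPLE)):.0%}")
```

The "unmatched" and "unsearchable" buckets are the ones that end up under the longest default retention, so their size is the number to watch when tuning search criteria.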
THE ESSENTIAL COMPROMISES OF BIG BUCKETS
Big buckets = long retention = big storage costs
Downstream costs (e.g., discovery) grow proportionally
Bigger Buckets = less information about their contents
THE IT TENSION
You want as few buckets as possible
Legal requirements or other considerations will force more buckets on you
System configuration limitations may limit your ability to accommodate this tension
You may find that you’re stuck with sub-optimal strategies
THINGS TO THINK ABOUT WHEN CREATING YOUR BUCKETS
Keep legal requirements in mind
More doc types and more jurisdictions = more laws = longer retention
A doc type with a long legal retention or a jurisdiction with excessive legal retention periods may need to be dealt with as an exception – if possible
Consider downstream costs
Long-term retention of large volumes is costly – are the doc types worth that money, or should you split up the bucket to gain efficiency?
Make sure you understand what’s technically feasible
THERE’S NO HARD AND FAST RULE
Any combination of large and small buckets has advantages and disadvantages
Cost
Complexity
Ease of implementation
Ease of administration
You must decide which combination of tradeoffs works for your organization
WELL-KNOWN ISSUES AFFECTING YOUR RETENTION SCHEDULE: YOU’RE LIKELY TO HAVE AT LEAST A FEW OF THESE:
SYSTEM ARCHITECTURE INCONSISTENT WITH LEGAL REQUIREMENTS
System locations conflict with privacy or location laws
Data silos within systems result in very long retention periods
DATA GROWTH
Big buckets = long retention periods = geometric growth of data sets
Over time the IT budget is blown away by growth in storage costs
Downstream costs (e.g., discovery) grow proportionally
WHERE DOES ALL THAT LEAVE US?
In a complex environment, everything is a series of compromises
Most of the compromises will be messy
Literal compliance with all laws may not be possible or may be prohibitively expensive or difficult
THE RISK-COST-BENEFIT EQUATION
Everything will come down to cost versus benefit versus the risks being addressed
Budgets are always limited
Resources are already limited
Some risks may not be worth a grade-A solution
Think the GARP maturity model – a C may be just fine
QUESTIONS?
John Montaña
Montaña & Associates
4340 South Pennsylvania St.
Englewood CO 80113
610-255-1588
484-653-8422 mobile
www.montana-associates.com
twitter: @johncmontana