Records management has come a long way from the days of paper files and databases that house records. With the proliferation of technology such as AI, BI, IoT devices, and other advanced systems, the role of the records management department (a.k.a., records retention department, information governance department, information management department, RIM department, etc.) should have expanded significantly over the last decade. However, most have yet to. It is more important now than ever for organizations that want to harness the value and mitigate the risk associated with one of their critical assets – information.
Regardless of what a company calls the department or the role, it is the individual(s) or department responsible for developing and maintaining policies related to what information a company must retain or dispose of according to laws and regulations and business needs. If information is mismanaged, it can, and more than likely will, increase a corporation's risk profile and hinder its ability to harness the value of the information. If it hasn't already, the traditional record management department and role must evolve quickly and become part of the company's risk management framework. Since blogs are supposed to be 5-minute reads 😊, I will quickly discuss a few reasons organizations and records professionals must take action now to start mitigating risk associated with managing information.
All Information, Not Just Records. In today's complex and fast-paced digital environment, records professionals must increase their responsibility to cover all information to ensure it has a predictable end of life, regardless of its record classification. I did a survey a few months ago that indicated less than 25% of a company's information is a record. The other ~75% of the information in your company needs governing, too! Records professionals must ensure all information, not just records, is identified so it can be managed in accordance with laws, regulations, and business value. Laws and regulations are evolving to dictate how long information can be retained, and over-retaining information can negatively affect a company. Records professionals need to be inquisitive regarding the new technology their organizations are using, the latest business activities they are venturing into, the latest information they buy from third parties, etc., and get it part of their governance programs.
Take Action:
Show your organization where policies and retention schedules don't address critical non-record information, such as the data collected and transmitted by a product with personal information about a consumer. Privacy by design assumes you have this information on a retention schedule that dictates when it will be disposed of or, at minimum, does not conflict with how long it is retained.
Finding several examples in your company like this can help you show why your role needs to expand.
New Technology, New Information. Using AI, BI, ML, IoT devices, and other advanced technologies allows organizations to collect, receive, create, transmit, and manage large amounts of data, gaining valuable insights and making real-time decisions. Products such as implanted medical devices, connected vehicles, TVs, appliances, etc., regularly collect and transmit data to the manufacturer or third parties. Artificial intelligence is creating data in large volumes as it acts like a human in business activities. Data lakes and warehouses collect data from social media, customer behaviors, other applications in the company, IoT devices, etc., so the data can be analyzed across different domains. Records professionals must ensure policies and retention rules govern these initiatives and products that create, store, and transmit data. Record professionals' roles must evolve to cover information generated by services and products, not just traditional corporate records like finance and human resources. This type of information can pose a significant risk to an organization – much more than conventional records did in the past.
Take Action:
First, research your company in the news discussing how they use artificial intelligence to reduce costs, improve customer satisfaction, or something similar.
Then see if that related information is on your company's retention schedule and try to find the root cause of why it wasn't added to the schedule when the new technology was implemented. Plug that hole!
Knowledge and Currency of Laws and Regulations Impacting the Organization's Retention of Information. Laws and regulations are changing quickly while trying to keep pace with the information companies create, receive, and manage. Laws and regulations govern how long information must be maintained for regulatory purposes and when it must be disposed of to protect people. Record professionals need to make sure they know about new or modified laws and regulations, such as Utah Code 34.46.203, mandating that an employer may not retain the information collected about an applicant obtained through an initial selection process for more than two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant within those two years.
Records professionals need to be aware of AI laws that are advancing. Over 50 nations have adopted AI laws and regulations over the last five years. These laws will likely start addressing the retention of information collected, received, or generated by AI technology to prove there was no prejudice and to prove many other actions of the technology.
As technology advances and new types of information are generated, like biometric data, records professionals need to work with the legal department to ensure the new laws and regulations or clarifications to existing laws and regulations are reflected accurately in the company's retention policies.
An excellent example of this is the recent decision by the Illinois Supreme Court stating workers and consumers have five years to sue for violations of the state's unique biometric privacy law. The court said that because the Illinois Biometric Information Privacy Act does not specify a statute of limitations for lawsuits, the state code of civil procedure's five-year catchall period will apply. Organizations need to review this decision to determine the risk it may pose to their organization and adjust the retention of related information is modified accordingly.
Take Action:
Research new laws and regulations that have recently been passed that impact the retention of information. I have provided two interesting talking points in this section to start with. Do you allow people from Utah to apply for jobs? Do you collect biometric data on people in Illinois? Do your retention schedules reflect that reality?
Harnessing the Value of Information. A byproduct of record professionals' daily job working with all business units across the globe is that they typically know the most about the information in a company and understand all the business activities taking place in a company. Today, all business activities generate, use, transmit, receive, share, buy, or sell information.
Information is the lifeblood of most organizations. This knowledge allows record professionals to provide valuable insights related to big data analytics projects, cost reduction projects, finding buried skeletons that may still be wearing crown jewels, etc. Companies that are killing it by harnessing the value of information have elevated the positions of record professionals because of their knowledge of the company's information assets. These professionals can quickly spot risks and business potential.
Take Action:
1. Review your company's privacy data categories and see what is missing based on your knowledge of the data the organization collects. Use the org chart as a guide.
Find a few departments where it isn't apparent they would collect or manage personal information, like the product technology department, product warranty department, or the company's foundation. Find where you know legacy systems were decommissioned, but the data still exists in the company. Look for information on your schedule that would have personal information that is often overlooked, like foundation donors, rejected job applicants, contractors, interns, bought data, medical records, etc. Then see if your privacy folks have identified it.
In conclusion, your organization's recording professional(s) is a critical asset to help mitigate risk and maximize the value of information in today's complex digital environment. By moving away from old-school thinking about record management professionals, organizations can reap the full benefits of their data assets and stay ahead of the competition. Suppose you can't quite make the leap to records professionals playing a pivotal role in harnessing the value of information; you must at least take the step forward that they play a crucial role in reducing the corporation's risk profile.
Comments