It’s a common mistake in records and information management (RIM) to put all your focus on creating your records retention schedule (RRS) and neglect what comes next: implementation. Lax planning, poor preparation, and a lack of oversight will frustrate even the best efforts in creating an RRS and expose your organization to unnecessary risks. Don’t fall into this trap! Your ‘perfect’ RRS is meaningless if it is not thoughtfully and consistently implemented across your organization.

In Part 1 and Part 2 of this series, we discussed some of the key challenges and best practices for information collection and creating a simplified RRS. In this part three, we’ll discuss implementation—the other half of your RRS battle. This article will introduce you to some of the fundamental steps and useful tips for successfully implementing your RRS.

Take it From the Top Down

Any organization’s culture of compliance starts at the top, with the words, actions, and leadership of higher-level executives. Accordingly, it is imperative to establish a senior-level steering committee to oversee your organization’s RRS implementation efforts. This committee should include executives from all relevant areas, but IT, compliance, and legal are essential. This sends a loud and clear message about the importance of your organization’s records management policy and the RRS, as well as the priorities of company leadership.

In the middle, appointed records coordinators and stakeholders with knowledge of your organization’s records are essential to successfully implementing your RRS and other records program objectives. Records coordinators and stakeholders have a key role in business operations. This makes them ideally positioned to help put your records policy into practice and help resolve issues as they arise. That brings us to our first RRS implementation tip: Leverage those folks you identified and established great working relationships with during the information collection phase!

Position these individuals to be champions for your RRS among their colleagues and ideal records coordinators. Having them as allies and advocates will be tremendously helpful during your next phase of RRS implementation: your rollout.

Plan for Your Rollout

A solid strategy and implementation plan for your rollout must include a communication campaign, training, auditing, and metrics, to name a few. Also, take your time and carefully evaluate what resources you’ll need along the way. Two of the biggest missteps we most often hear about from clients are underestimating the scope of resources and the amount of time required for the rollout effort. So, for our second tip: Slow your Roll!

To help with this, consider rolling out in phases, starting with a pilot targeting a singular business area. This will help to make the process more manageable. It will also allow you to gauge any initial issues and fine-tune the process moving forward. Next in your process, but of no less importance:

Communicate! Communicate with Everyone!

The RRS and the organization’s overall records management policy must clearly state that records management is every employee’s responsibility. Everybody is sending email, creating documents, and utilizing messenger apps to generate records. However, with this comes the responsibility to manage and preserve these records. In your policy and follow-up communications, you must make clarify that the primary sender, recipient, or owner of each record is in the best position to manage and preserve it.

RRS simplicity and communication are the most important aids to successful implementation. Reminders and updates should be sent regularly. And don’t forget: communication isn’t a one-way street! Ensure that individuals throughout the organization know who to contact if they have questions or concerns.

But what are the best methods for communicating RRS obligations? Communication campaigns may be sent through routine channels such as internal employee memos and bulletins, but don’t be afraid to get creative on this! This brings us to your next tip: Find fun and interesting ways to communicate RIM updates and objectives.

Many perceive that RIM is a dry subject. But it doesn’t have to be. Records management communications can be more interesting and engaging through games, quizzes, trivia, etc. I may be biased, but RIM is fun! Your creativity doesn’t have to stop with your communications, either. One great area to use creativity is in our next topic for discussion: training.

Make Training a Thing

Training is truly an indispensable tool for implementing organizational change. It should be part of the employee onboarding process, and all employees should participate in refreshers. Consistency is key to engraving records management processes and RRS into employees’ day-to-day routines. The training materials, policies, procedures, and RRS should be centrally available and always accessible. Also, and for our fourth tip:  Create easy-to-follow slide decks and videos for training purposes.

Further, don’t be afraid to find ways to reward compliance through various incentives, including financial, awards, or other types of special recognition.

Check-Ins & Measurable Results

As they say, the proof is in the pudding! Put your program to the test by conducting periodic audits. Perform these annually, at least. Gather measurable data points and metrics to confirm compliance. Leverage the results to focus on and recalibrate areas not meeting standards. So, for our final tip: Develop Key Performance Indicators (KPIs) for your program. This helps you measure progress towards your organization’s goals.

Also, make sure your KPIs are discrete, concrete, and demonstrate positive benefits and risk mitigation.

Conclusion

An RRS that exists on paper or in name only leads to fictional compliance and a false sense of security. Don’t let your organization fall victim to the adverse risks, costs, and other consequences of a poorly implemented RRS. Through efforts like a detailed implementation plan, careful rollout, consistent enforcement, and regular reinforcement, your organization can avoid the most common pitfalls surrounding RRS non-compliance. Follow these tips and your implementation efforts are more likely to foster a culture where RRS adherence is second nature. To learn how our retention schedule management solution can help you develop and maintain your records retention schedule, contact Zasio.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Long gone are the days of intricate departmental records retention schedules—often very long, with duplicative record categories scattered across multiple business areas. Today, a simplified functional (or Big Bucket) records retention schedule (RRS) is the way to go and is now considered industry best practice. A 2018 multi-sectoral survey of practitioners confirmed that a simplified Big Bucket RRS significantly reduces the size of retention schedules and is easier to implement and maintain. [1]

After completing the Information Collection phase described in Part 1 of this series, you will ideally have information surrounding all of your organization’s operational processes and good representative record examples from each business area. The trick now is to organize this information in a way that is comprehensive yet easy to follow. This should be a piece of cake, right?!

Organize by Processes

In a functional RRS, functions represent the highest-level processes performed by the organization. For example, “Accounting,” “Product Development,” “Marketing,” “Sales,” etc., are key functions present in most organizations. The information is further organized into more granular processes, called Record Series, that house related output Record Types. The goal is to group closely interrelated record types, particularly when they have a similar business or operational recordkeeping value and a similar retention lifecycle.

How Big?

Be strategic about grouping processes and records together: bigger buckets aren’t always better, particularly where they introduce an unacceptable amount of risk from over-retention. Often, a problem arises when buckets contain record types for which long-term retention is problematic. For example, privacy considerations often drive decisions to create strategic record series breakouts and smaller buckets for certain high-risk record types. Biometric information, CCTV video surveillance footage, and unsuccessful job applications are all record types commonly subject to restrictive recordkeeping laws mandating swift disposition. These are unsuitable for grouping into Big Buckets with other records. Be mindful of any records containing sensitive personal information, and avoid grouping these records into buckets with retention periods longer than legal recordkeeping requirements or your operational business needs.

Ultimately, your organization’s risk profile will help guide how aggressively you rely on big bucket record series. The key is to ensure that the benefit of a simplified RRS—enhanced administrative ease and increased compliance—outweighs any additional risks associated with longer retention periods or increased storage costs.

Set a Baseline Retention Period

Once you have finalized the simplified structure of your RRS, the next step is to set initial baseline retention periods for each record series. When an RRS covers many jurisdictions, having a baseline retention period instead of a unique retention period for each jurisdiction significantly eases administration. The baseline period should reflect the valuable information on business and operational retention needs previously gathered during the information collection process, and any known legal or regulatory recordkeeping requirements.

A full retention period is composed of an event trigger plus a period of time, such as “Duration of Employment + 5 Years.” The event trigger defines the event that will initiate the period of retention for disposition. Intricate event triggers can potentially overcomplicate the calculation of retention periods and become a barrier to successful RRS implementation, so strive to simplify event triggers whenever possible while being mindful of the underlying lifecycle of the records captured within your record series.

Research & Application

Once an initial baseline retention period is set, consider the relevant legal research to determine whether it is compliant with the recordkeeping requirements relevant to your newly devised record series.

When conducting research, cast a wide net that comprehensively covers research broadly applicable to your organization’s core general business processes as well as your specific industry. Focusing on the “Regulated Party” is the best way to decipher whether a recordkeeping requirement is relevant to your organization. A regulated party is a legal entity, organization, or enterprise regulated by a recordkeeping citation.  “Employers,” “Taxpayers,” “Companies,” etc., are regulated parties relating to core business functions that are almost always relevant. “Manufacturers,” “Financial Services Providers,” and “Insurers” are industry-specific regulated parties that only apply narrowly. Carefully read any definitions in the law to help determine whether your business fits the criteria to be considered the regulated party.

Research should consider both “minimum” and “maximum” legal recordkeeping requirements. Minimum requirements dictate the minimum length of time for retention. Maximum requirements, often privacy-based, set the longest amount of time a certain record or personal information may be retained.

When aligning identified relevant citations to your RRS,  seek to identify the record series that represents the best fit. Consider each citation’s regulated party, the scope of the regulated records, and other context gathered from the citation’s heading. The body of directly applicable research mapped to each record series will often help confirm the initial baseline retention period. If any requirements violate the baseline, adjustments to the baseline retention period or country exceptions may be necessary to bring the RRS into compliance. Several identified country exceptions longer than the initial global baseline indicate a possible global harmonization candidate and involve harmonizing the retention period to cover the exceptions. Trends across jurisdictions for maximum retention periods shorter than the baseline may also be helpful in assessing record series break-outs for privacy to account for mandated shorter retention periods. The finalization of the RRS should keep the overall goal of simplicity for increased adherence in mind.

Conclusion

The simplified “Big Bucket” RRS remains the best practice due to its process-based design and ease of implementation. Developing your organization’s simplified RRS is a significant undertaking best guided by professionals with expertise surrounding best practices and familiarity with relevant legal recordkeeping requirements. Ultimately, the level of effort, customization, and strategy dedicated to your RRS development will pay dividends in its risk mitigation, administrative ease, and compliance. Once successfully implemented, an RRS tailored to your organization’s unique records and regulatory profile that brings together information and input drawn from a wide cross-section of personnel and stakeholders will provide a solid foundation for legally defensible disposition. Successful RRS implementation is easier said than done; we plan to discuss this in the final part of this series.

Continue to Part 3.

[1] https://magazine.arma.org/2018/12/big-bucket-retention-objectives-issues-outcomes/

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

A records retention schedule (RRS) is truly the linchpin of a sound and legally defensible records management program. Each RRS must be designed to provide a balance between robust coverage of business operations on the one hand, and simplicity of use and administration on the other. A bottom-up approach that incorporates input from businesses and stakeholders at all levels in achieving this balance can further encourage adoption and foster a culture of adherence within the organization.

This three-part series will walk readers through several best practices surrounding RRS development and maintenance. Part 1 is an overview of best practices for information collection in support of designing and developing a customized retention schedule. Parts 2 & 3 will explore detailed practical approaches for building a simplified RRS and regularly maintaining that RRS to keep it current and relevant.

Information Collection – Overview & Objectives

The key objective of RRS development is to create a customized RRS that is tailored to the organization and reflective of its processes and operational information requirements. A template retention schedule may be suitable for some organizations in the early stages of their RIM program, but it is unlikely to fully address the complexities of each organization’s unique processes and culture. A customized RRS that includes all of the organization’s general business and industry-specific processes helps ensure that end-users can quickly and accurately identify their processes and records in the retention schedule, significantly enhancing ease of use and compliance outcomes. It is vital that the RRS be transparent and intuitive so that personnel can understand where their records fall within the RRS. This is important because end-user adherence increases compliance.

The information collection process gathers the details necessary for customization from knowledgeable individuals and record owners across the organization. At a minimum, this includes information detailing typical example record types and the business processes they support, an assessment of the short-term and long-term ongoing business and operational value or each record type, and any specific retention requirements of the business. Additional details can be captured during this time as well, including information on paper or electronic format requirements, storage locations, the presence of personal data, and any other information supporting classification. In the interest of efficiency and even bolstered backing and buy-in, an information collection exercise can also often align and achieve synergies with other parallel organizational projects and objectives including a data mapping project, a data privacy assessment, a full records inventory, or a records classification project.

The preferred method of information collection is to first distribute a survey that clearly lays out the information desired to be captured and allows participants ample time to provide responsive information. Once the surveys have been returned and analyzed, schedule a follow-up interview with each survey respondent to obtain additional details and clarifications. An additional important objective behind these interactions is building rapport with the record owners and other knowledgeable individuals within your organization – they will be critical to later implementation, so baking in their concerns and priorities from the outset can help prevent friction and significantly streamline the roll-out of the RRS. They will also be more likely to act as champions and proponents for compliance when they feel that they have “skin in the game” on the RRS. You may even be able to identify certain individuals well situated to act as records coordinators or to liaison with existing records coordinators. Information collection is the ideal opportunity to build partnerships to reinforce the RRS’s importance and lay the groundwork and support for additional RIM processes and initiatives as you continue to develop your program.

Conclusion

Ultimately, a robust information collection process will yield a comprehensive picture of an organization’s records and the processes they support. It is an essential step in the process of creating a bespoke RRS that is organic, intuitive, searchable, and end-user friendly. Equally important, it builds consensus and recruits champions for your RRS. In summary, thorough and comprehensive information collection lays the solid foundation needed to support the ultimate end goal: adherence and successful implementation of your RRS!

Continue to Part 2.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The Privacy of Information Collected on the Internet From Consumers Act (NPICICA) and Security of Information Maintained by Data Collectors and Other Businesses statute (SIMDC) are Nevada’s two main online consumer privacy laws (together, Nevada’s Privacy Laws). Although lesser-known and considered less comprehensive[1] than the California Consumer Privacy Act (CCPA), Nevada’s Privacy Laws are still impactful among privacy laws in the United States. Recent amendments to Nevada’s Privacy Laws provide consumers far more protection. Below is a summary of the framework of Nevada’s Privacy Laws along with recent amendments.

What Information is Protected?

The NPICICA defines “covered information” as any: first and last name, address (containing the name of a street and city), e-mail address, phone number, social security number, or identifier that enables contact with a particular individual (either in person or online). Covered information also includes:

[a]ny other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.[2]

This definition of “covered information” increases the threshold for what qualifies as personal information established under the CCPA because the CCPA only requires that information be at least “reasonably capable of being associated with or could be reasonably linked” to a particular individual.[3]

Who Must Comply with The Law?

The NPICICA defines an “operator” as any person who:

• owns or operates a website or online service for commercial purposes;
• collects and maintains covered information from consumers who reside in Nevada and use or visit the operator’s website or online service; and
• purposefully directs its activities toward the state, consummates some transaction with the state or a state resident, or purposefully avails itself of the privilege of conducting in activities in Nevada.[4]

Recent changes to the law (effective October 1st, 2021[5]) added “data broker” as a regulated party.[6] A “data broker” is defined as a person whose primary purpose is purchasing covered information regarding consumers, and whom there is not a direct relationship with the consumer.[7] The addition of “data broker” is significant for consumer protection because previously, consumers could only submit an opt out request to operators, and not to data brokers.[8]

Who Has a Right of Action?

The NPICICA does not provide consumers with a private right of action.[9] However, the Nevada Attorney General may bring an action against an operator for failing to provide a consumer with sufficient notice of the consumer’s covered information that the operator collects, as well as for failing to comply with a consumer’s request to not sell the information.[10] The Attorney General may also bring an action against a data broker,[11] but only for failing to cooperate with a consumer’s opt out request.[12] The maximum civil penalty for both operators and data brokers is $5,000 per violation.[13]

Conclusion

Although the NPICICA is not as comprehensive as other state privacy laws, it is helping lead the charge to strengthen online consumer privacy. Recent changes to Nevada’s Privacy Laws will only increase data privacy.

Online consumer privacy laws can be difficult to navigate, in large part to the different requirements among states. Contact Zasio today to see how the products and services that we offer can help your organization comply with evolving consumer privacy laws.

 

[1] Sarah Rippy, US State Privacy Legislation Tracker, IAPP, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (Sept. 16, 2021).

[2] Nev. Rev. Stat. § 603A.320 (2021).

[3] Cal. Civ. Code § 1798.140(o)(1) (2021).

[4] See Nev. Rev. Stat. § 603A.330(1)(a–c) (2021).

[5] Chris Brook, Changes to Nevada’s Privacy Law Includes Requirements for Data Brokers, Digital Guardian, https://digitalguardian.com/blog/changes-nevadas-privacy-law-includes-requirements-data-brokers (July 7, 2021).

[6] Chris Brook, Changes to Nevada’s Privacy Law Includes Requirements for Data Brokers, Digital Guardian, https://digitalguardian.com/blog/changes-nevadas-privacy-law-includes-requirements-data-brokers (July 7, 2021).

[7] Nev. Rev. Stat. S.B. 260, § 2 (Oct. 1, 2021).

[8] Nev. Rev. Stat. S.B. 260, § 3 (Oct. 1, 2021); Nev. Rev. Stat. § 603A.345 (2019).

[9] Nev. Rev. Stat. § 603A.360(3) (2021).

[10] Nev. Rev. Stat. § 603A.360(2) (2021).

[11] Nev. Rev. Stat. § 603A.360(3) (2021).

[12] See Nev. Rev. Stat. § 603A.360(3) (2021).

[13] See Nev. Rev. Stat. § 603A.360(2–3) (2021).

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

On August 20, 2021, China adopted the Personal Information Protection Law of the People’s Republic of China (“PIPL”), its first comprehensive national data privacy law and one of the most sweeping and restrictive national privacy laws to date. Modeled largely off the GDPR and set to go into effect on November 1, the PIPL regulates personal information collected or transferred both inside and outside of China. It also comes with harsh penalties for non-compliance and gives broad powers to China’s state authorities to enforce the law.

The PIPL is expected to significantly impact how companies (especially tech companies) do business in China. Aimed at protecting the online user data of Chinese citizens, the law will directly affect companies located in China that handle personal data. But even companies operating outside of China may be subject to the law if they provide products or services to people in China, analyze or evaluate activities of people in China, or fall under circumstances described in certain other laws or administrative regulations.

Without further ado, let’s quickly dive into some of the law’s major provisions:

In General

The PIPL defines personal information to include, similar to the GDPR, “all kinds of information related to an identified or identifiable natural person, recorded electronically or by other means, excluding anonymized information.”

The handling of personal information includes “collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information.”

Under the PIPL, personal information should only be processed for a clear and reasonable purpose, to the smallest scope possible related to that purpose, and in a method with the least impact on personal rights. Personal information processing must also follow principles of openness and transparency, as well as rules of disclosure. These general principles largely mirror GDPR principles of fairness, transparency, and limitations on processing of personal data.

Personal Consent

Personal information handlers (the PIPL equivalent of data processors under the GDPR) must obtain personal consent from the data subject to process personal information, unless the data is processed under a specific listed exception. Those exceptions include contract performance, statutory duties or obligations, public health emergencies, news reports or public interest, legally disclosed information, or other circumstances stipulated by laws and regulations.

Personal consent must also be obtained for any cross-border transfer of personal information (for more on this, see the section below that discusses notification requirements).

These express consent requirements break from the GDPR, which technically doesn’t require personal consent to use personal data unless (i) it is relied upon as one of the six legal bases to process personal data under Article 6 of the GDPR, or (ii) is used as an exemption to transfer personal data abroad (in absence of one of the required transfer mechanisms laid out in Chapter 5 of the GDPR).

Data Retention

Similar to the GDPR, the retention of personal information under the PIPL must be the shortest time necessary to achieve the purpose of processing. This time may vary depending on the data processed and any laws or regulations that specify specific periods.

Notification Requirements

Before processing personal information, personal information handlers must inform the data subject of the information being processed and the data subject’s rights concerning this information. For sensitive information, personal information handlers must also notify the data subject of the processing’s necessity.

For any information processed outside of China, a personal information handler must inform the data subject of the overseas recipient, their contact information, and certain processing information such as processing purpose, processing method, and the types of personal information being processed. The personal information handler must also obtain the individual’s specific consent to process after giving notice.

Cross-border Transfer of Information

Before a handler can transfer personal information outside of China, they must first meet one of the following requirements:

• pass a security assessment organized by the Cyberspace Administration of China (“CAC”), the country’s central internet control agency;
• conduct a personal information protection certification;
• form a contract with the overseas recipient that stipulates the rights and obligations of both parties, or
• meet other conditions required by law, administrative regulations, or the CAC.

Further, personal information handlers must ensure that any personal information processing by overseas recipients meets PIPL standards.

Also, operators of “critical information infrastructure” and personal information handlers processing personal information up to an as-of-yet unspecified threshold (which will be prescribed by the national cybersecurity and informatization department) must store the personal information collected and generated within the territory of the People’s Republic of China. This information may not leave China unless it first passes a security assessment organized by the national cybersecurity and informatization department.

Moreover, personal information handlers may not provide personal data stored in China to foreign judicial or law enforcement agencies without first receiving approval from a competent authority within the Chinese government. This requirement will certainly result in conflicts between Chinese authorities and non-Chinese courts as well as plenty of judicial wrangling among litigants in lawsuits involving Chinese companies.

Individual rights

Just like under the GDPR, data subjects in China have various rights concerning their personal information. These include the right to: know and make decisions about their information’s processing; consult and copy their personal information; request that personal information be corrected or supplemented; request deletion (in certain cases); and request the personal information processing rules of personal information handlers.

Obligations of personal information handlers

Personal information handlers must implement internal management systems and security measures to protect personal data. Processors of personal information up to the threshold must appoint a person in charge of personal information protection. Processors outside of China must establish designated agencies or representatives within Chinese territories to handle intra-territorial personal data processing matters.

Personal information handlers must also regularly conduct compliance audits as well as impact assessments for things like processing sensitive personal data, using personal data in automated decision-making, or providing information to other personal information handlers. These impact assessments must be kept for at least 3 years.

Breach notification

If any personal information has been leaked, tampered with, or lost, the personal information handler must immediately notify the relevant departments (the CAC or relevant departments of the State Council) and individuals performing personal information protection duties. In some cases, personal information subjects might also be notified.

Legal Liability and Penalties

The department performing personal information protection duties has the power to order corrections, give warnings, confiscate illegal gains, and issue fines for information processed in violation of the law. Fines can range to up to 1 million yuan for offenders who refuse to make corrections, and between 10,000 and 100,000 yuan for directly responsible persons.

For serious violations, fines can be issued for up to 50 million yuan or up to 5 percent of the processor’s previous year turnover. Furthermore, the department can order the suspension of a business or notify a relevant competent authority to revoke a business permit or license, in addition to issuing additional fines.

Moreover, foreign organizations that violate the personal information rights of Chinese citizens or harm China’s national security or public interests can be blacklisted by the CAC. This also will result in the offending organization being restricted or prohibited from possessing personal information. In addition to everything else, illegal acts will be recorded in the social credit system and publicized.

In some cases, where the rights and interests of many individuals have been infringed, certain entities may file a lawsuit in the people’s court. These entities include the people’s procuratorate, consumer organizations specified in the PIPL, and organizations identified by the CAC.

Exceptions

The law does not apply to natural persons handling personal information for personal or family affairs.

Final Thoughts

We have yet to see exactly how the PIPL will impact the way we conduct business generally, but it is on course to significantly affect companies large and small, both inside and outside of China. If you are doing business in China or with people in China, it may well be worth your while to proactively study up on the law, determine what type of impact it might have on your business, seek legal guidance as necessary, and prepare and implement PIPL-compliant policies and strategies to manage Chinese personal data processed within your organization. A bit of up-front planning can go a long way in giving peace of mind – not to mention helping to avoid costly legal or compliance concerns down the road.

Contact Zasio to explore the various software and consulting solutions we offer, to address your personal data and privacy needs.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.