Across most industry sectors, it is no exaggeration to say that data management has become a matter of business survival. Alongside operational considerations, data management is now enshrined in many areas of legislation, making specific practices a legal responsibility: from international regulation like the Sarbanes-Oxley Act, to national legislation such as the Data Protection Act (DPA), to sector-specific rules from industry regulators. Hefty fines for non-compliance are already being meted out; for instance, Bradford and Bingley were fined £650,000 for failing to present documentation relating to the mis-selling of financial services, and also agreed to pay £6 million in compensation to the 6800 customers affected. But compliance is far from clear-cut: some areas of legislation appear to contradict good business practice, and in some cases, the records retention stipulations actually conflict.
It is now a key industry challenge to understand and prioritise data retention requirements, whilst at the same time containing cost and boosting operational efficiency. Advising on appropriate storage strategy is clearly an area in which resellers and distributors can add significant value. Interestingly, the channel is starting to leverage the specialist skills of outsourced, independent third parties to fulfil the market demand for strategic consultancy, white-labelling the service under their own brand and thereby boosting their service proposition.
In this article, we will outline some topical instances where a compliance conflict has arisen and describe some best-practice procedures and technologies that have been adopted to meet the differing requirements.
Business versus Consumer
Let us take an example in the financial services sector. FSA regulation has had a massive impact on the insurance sector, for instance; its guidelines require organisations to create an audit trail of business transactions. In practice, this means companies must be able to present demonstrably transparent document control mechanisms, attest to the quality and precision of reporting processes and manage massive quantities of data from disparate sources. This has focused insurers' minds on long-term data retention.
However, the Data Protection Act can contradict this principle. Designed to protect the consumer, it stipulates that personal information and documentation should only be held as long as is necessary for the purpose for which the information and records were originally gathered. In other words, it advocates setting fixed retention periods as part of a proactive document destruction policy. To confuse matters, even the FSA itself, alongside its prescriptive records retention rules, states in general terms that records that are no longer required should be eliminated as early as possible in an authorised and systematic manner.
So this financial services example demonstrates how data management is not just about retention. Many companies' knee-jerk reaction to stringent regulation was to keep most of their data, but this clearly runs the risk of breaching the DPA. For instance, if a consumer made a medical insurance claim and found that the insurer held redundant medical information that had been expunged from the record as having passed a statute of limitations period, they would be keen to have this deleted under the DPA so as not to adversely affect their future policy eligibility or terms. Under FSA rules, the data should be kept as part of a business transaction.
Compliance conflict also arises with different areas of business legislation. For instance, a large financial services institution recently avoided significant fines for breaching the Money Laundering Regulations of 2003 because they had omitted to remove data that should have been destroyed as part of their FSA-defined data retention policy! Of course, it is likely that such legislative contradictions may well be ironed out over time, but for the moment end-users are well advised to take a common-sense approach and work with their specialist service providers to define an appropriate policy.
But what is absolutely clear from all areas of legislation is the importance of building an in-depth, structured understanding of an organisation's data so that informed decisions can be made as to its treatment.
Supporting Strategy with Technology
For most companies, the first practical step towards establishing an appropriate data strategy is to conduct a full audit of their document control requirements in order to assess technology needs and to define a document retention policy. Many resellers are now offering such advisory services by partnering with outsourced third parties, and this is to the great benefit of end-users. Generally speaking, much legislation and its audit obligations tend to focus on the integrity of long-term stored information; for instance, many document classes in financial services need to be kept for well over 6 years. But there is also a more immediate need for short-term information availability and retrieval capabilities.
This differentiation is usually reflected by choosing two storage technologies: one digital, mainly handling short-term requirements, and the other analogue. Paper records still proliferate in many industry sectors, but many organisations forget that microfilm is actually the most cost-effective, long-term analogue storage medium and is currently used to store millions of records industry-wide, helping organisations mitigate document risk.
Document control has become a board-level issue, but it is questionable how many boards have taken action to set appropriate policy that can be applied throughout the organisation. Substantial fines are being imposed for non-compliance with local, European and international regulations, and companies without the systems to adhere to rules effectively will expose themselves to huge risk. This article has identified several areas of possible conflict, between different regulations and also between regulation and good business practice. Organisations are looking to their suppliers to provide not only technological but also strategic support, and this presents a significant market opportunity for resellers and other channel partners to achieve competitive advantage.
Chris Haden is UK Managing Director for Anacomp. The company provides document and data conversion, storage, retrieval and archive solutions to help organisations effectively manage their information.