Records Management is Key to Any Data Protection Initiative

Updated for July 2022

Data protection has always been challenging for organisations, but the complexity of complying with a vast plethora of country-specific legislations – in addition to the GDPR – is truly taking the challenge to minefield proportions. Just recently, the UK government, for instance, announced that it is looking to reform the country’s data protection regime and to diverge from the GDPR. In fact, today privacy laws have been enacted in over 80 countries across the globe. This number is of course, set to grow.

Regardless of how the rules evolve in the UK, European Union, or anywhere in the world, records management has to be a key component of firms’ data protection obligation and programme. If done correctly, it will serve as a solid foundation for whatever shape the regulatory demands take in the future.

Many organisations have already borne the wrath of the European Commission with GDPR violation fines, especially in the last two years. In reaction, we are seeing an urgency in both law firms and corporates to ensure that their house is in order from a data and records management standpoint.

A word of caution – firms have an obligation to apply the same levels of governance to physical records as for electronic records – and perhaps this is where data protection and records management becomes even more complicated.

For firms undertaking records management, below are some considerations:

• The software isn’t enough – Firms spend a fair amount of time identifying the best records management software with the expectation that the tool will automatically undertake the management of records. However, the software is only as good as the retention policy that is applied, which in turn is best determined by the organisation itself, based on the nature of work they do for their clients, the mix of electronic and physical records, and so forth. For example, in The Netherlands, records need to be retained for 20 years due to the region’s statutory limitation of liability requirement. In the UK, records need to be typically retained for seven years using VAT rules, but there may be exceptions for documents such as Pension records that would need to be kept forever. Similarly, there may be a legal requirement to store original documents (e.g., Deeds, Wills) for very long periods. Firms’ unique requirements, combined with best practice advisory provided by the software provider, will deliver the most effective solution.
• Don’t rely on automated deletion – Often firms rely on the automated records deletion processes only to realise that they have actually lost valuable information that should have in fact been retained. Once records are deleted, it’s a point of no return. When configuring the records management software, building in safeguards whereby an individual has to physically click to delete records is a sounder approach.
• Integrate records and document management systems – Standalone records management systems are of limited value. Firms should consider an integrated approach for the best results. Why? Users in firms frequently expect similar functionality from both systems, but it’s important to appreciate their differences. They serve different purposes. Records management systems store the metadata of the documents (not the actual content) that is located in the document management system (DMS).

Illustrating using the integration of iManage Records Management (IRM) and iManage Work document management systems – users can work on documents residing in iManage Work and IRM manages the retention clock alongside integrating the Client and Matter names. There is a ‘declaration’ process within IRM that allows folders and documents in iManage Work to be recognised as ‘records’, which means that the metadata for these records sync into IRM. So, when records are deleted in compliance with the firm’s retention policy, they don’t appear in iManage Work but reference to them remain within the corresponding hierarchy in IRM. So, users can determine the records that have been deleted via the metadata in IRM, including the specific Clients and Matters the documents and folders originally resided in within iManage Work.

Aside from the regulatory imperative for records management, an important by-product of this practice is information governance for business benefit. We have extensive experience in helping firms to integrate IRM and iManage Work. If you are exploring such a project, we would love to talk to you. Please get in touch by completing the form below.