Any business that interacts with customers and employees inevitably produces large volumes of records. A record is any data processed, stored, or received regarding a transaction or communication between a business and associated entities. In a small business context, examples include invoices and purchase receipts, customer orders, customer transaction receipts, quotes and proposals, HR documentation, employee timecards, meeting notes, and project documentation. Practically any piece of data that you store and use for basic business operations qualifies as a record. The documentation on Data Classification and Data Handling in this framework emphasizes the importance of proper organization and security classification for such data. Records are also the evidence behind non-repudiation, a key goal of a cybersecurity program: when a complete, unaltered record of an action exists, no party can credibly dispute that the action took place. Adding a Records Management policy to your business governance keeps records organized and properly handled throughout their lifecycle, from initial creation to eventual disposal. Many regulatory frameworks set specific standards for how records are handled, and there is always the chance that you will need to dig up old records for legal or customer relationship needs.

Your Records Management policy should start by defining its scope: which parts of the organization and which people it applies to. Each department and each employee is likely to generate some form of record as part of their daily workflow, so the policy should state this explicitly to prevent confusion. For many small businesses, the scope is simply the entire organization.

After defining who the policy applies to, ensure that the policy clearly defines what qualifies as a record. You can use the Data Classification spreadsheet from earlier tasks to get a refresher on the specific pieces of data your business stores. Once you have defined what qualifies as a record, document specific procedures for handling and storing the records. Some additional planning is necessary to create a system for storing them. In a small business environment, one of the most straightforward approaches is a network-wide file server, either on premises or in the cloud. The file server can be set up with individual file shares for different record types: one for customer transactions, one for invoices and receipts, and one for employee timecards. The policy then lists the procedure for moving records to the appropriate file share. Each share should be restricted to the people who create or need that record type, permissions should allow adding records but not silently modifying or deleting them, and file-access auditing should be enabled, so the share can later serve as trustworthy evidence.

Once you have a clear system for defining and storing records, you need to implement clear procedures for interacting with the records throughout their lifecycle. Start by deciding on a retention lifecycle for each record type, since different record types are needed for different lengths of time. To prevent accidental deletion and ensure accountability, you need to specify a retention schedule. For this task, research any applicable regulations that may dictate retention periods. Even if no regulation applies to you, the following commonly cited retention periods are a reasonable baseline (check your jurisdiction and industry, which may require longer):

  • Financial Statements: Forever
  • Other Financial Records: 7 years
  • Payroll and Employee Compensation Information: 3 to 7 years
  • Hiring Records: 1 year
  • Background Checks: 5 years
  • Disciplinary Info: 7 years after termination
  • Legal and Compliance Data: 7 years to forever
  • Customer Transactions: 3 to 7 years
  • Vendor and Customer Contracts: 7 years

All employees who handle and interact with records need to be aware of the retention schedules. In addition to retention, your policy needs to define clear, acceptable procedures for disposition, which is the approved deletion or archiving of records after their retention period expires. This may be as simple as purging records from storage when their retention period has expired. Disposition should itself be recorded: a log of what was destroyed, when, by whom, and under which schedule entry is what later lets you show that a record was disposed of routinely rather than destroyed to hide something. Records on sensitive media should be securely erased rather than simply deleted. If you have records that need to be stored permanently, you may want to outline procedures for moving them to offline storage devices when space on the main records management system gets low.

One very important concept that a Records Management policy needs to address is legal hold. A legal hold is the suspension of disposition when records need to be made available for legal proceedings, such as litigation or regulatory incidents. When a legal hold is declared, all records that fall under the scope of the incident must be immediately frozen in place and not altered until the hold is lifted. Even if the records are normally scheduled for deletion or archival, they are to be strictly kept in place, and any automated disposition job must check for holds before it deletes anything. Clearly defining legal hold procedures and educating your workplace on them can be critical for your business: destroying records that are under a hold is spoliation of evidence and can draw court sanctions regardless of the merits of the underlying case.
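The retention, disposition and legal hold rules above are the logic a local disposition job has to implement. The following Python script is an added example, not code from the original page: it applies the retention periods listed above to a constructed record inventory, computes each record's disposition date, and refuses to dispose of anything under legal hold. The `Record` structure, the record type names, and the choice of the longest value for each range in the list are this example's assumptions; a real job would build the inventory by walking the file shares.

```python
"""Retention and disposition check with legal hold (added example, not from the page)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention schedule in years, resolved to the longest value of each range above.
# None means the record is kept forever (assumption: type names are this example's own).
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "financial_statement": None,
    "financial_record": 7,
    "payroll": 7,
    "hiring_record": 1,
    "background_check": 5,
    "disciplinary": 7,            # counted from the termination date (trigger_date)
    "legal_compliance": None,
    "customer_transaction": 7,
    "contract": 7,
}


@dataclass
class Record:
    path: str
    record_type: str
    created: date
    legal_hold: bool = False
    trigger_date: Optional[date] = None   # e.g. termination date for disciplinary records


def add_years(d: date, years: int) -> date:
    """Calendar-accurate year arithmetic; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> Optional[date]:
    """Last day the record must be kept; None means permanent retention."""
    years = RETENTION_YEARS[rec.record_type]
    if years is None:
        return None
    start = rec.trigger_date or rec.created
    return add_years(start, years)


def disposition(rec: Record, today: date) -> str:
    """Return 'hold', 'permanent', 'retain' or 'dispose' for a record.

    Legal hold is evaluated first: a held record is never disposed of, even if
    its retention period expired long ago. Permanent records are never disposed
    of either; they are candidates for offline archiving, not deletion.
    """
    if rec.legal_hold:
        return "hold"
    end = retention_end(rec)
    if end is None:
        return "permanent"
    return "dispose" if today > end else "retain"


def plan(records: List[Record], today: date) -> Dict[str, str]:
    """Map each record path to its disposition action; only 'dispose' entries may be deleted."""
    return {rec.path: disposition(rec, today) for rec in records}


# Constructed sample inventory standing in for a walk over the file shares.
SAMPLE_RECORDS = [
    Record("shares/hr/hiring/app-2022-001.pdf", "hiring_record", date(2022, 3, 1)),
    Record("shares/hr/hiring/app-2024-017.pdf", "hiring_record", date(2024, 1, 15)),
    Record("shares/sales/txn-2015-0042.csv", "customer_transaction", date(2015, 5, 5), legal_hold=True),
    Record("shares/finance/statements/fy2016.pdf", "financial_statement", date(2016, 12, 31)),
    Record("shares/hr/disciplinary/emp-88.pdf", "disciplinary", date(2010, 1, 1), trigger_date=date(2020, 1, 1)),
]

if __name__ == "__main__":
    for path, action in plan(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(f"{action:10} {path}")
```

The only action the job should ever act on is `dispose`; everything else is a no-op, and the list of `dispose` entries is what goes into the disposition log before deletion. Clearing `legal_hold` must be a deliberate, logged step taken when counsel lifts the hold, never a default.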

The complexities of records management may push you towards a cloud platform to simplify some of the more difficult tasks, such as legal holds. Microsoft Purview is probably the best option out there if you want a granular solution for company records management. Purview lets you apply the same retention labels and policies across your Microsoft platforms (Exchange, SharePoint, OneDrive, Teams) and to individual items (emails, receipts). A retention label can also declare an item a record at the moment you apply it, which blocks deletion (and, for regulatory records, editing) until its retention period ends. In addition, you can import a File Plan to serve as the retention schedule for different record types. This automates the labeling of records, so you don't have to sift through bulk collections to figure out which ones need to go where.

Probably the most useful feature of Microsoft Purview is eDiscovery. In the event of a legal incident, eDiscovery can search your company's systems for data applicable to the case. You can collect and classify data based on events, as well as keyword searches and analytics queries, and an eDiscovery case can place the matching content on hold, which is how a legal hold is implemented in practice in Microsoft 365. This can be a lifesaver, as you no longer have to sift through your company's systems and data by hand to find information applicable to a serious legal case.

Once you have the records management system clearly defined and implemented, finish the policy by outlining methods to ensure ongoing compliance. Microsoft 365 allows administrators to produce detailed reports on records management activity. If you keep your records management system local, perform periodic manual audits instead, sampling the file shares against the retention schedule and the disposition log. Clearly stating your high-level methods for ensuring compliance with records management procedures serves as a deterrent against insiders who may try to interfere with retention. To further discourage this behavior, include the potential penalties for non-compliance and for direct interference with the records management system.

Example Policy