Compliance and complexity: How to stay on the right side of the law
Document security is always important, but for regulated industries it's paramount.

Document management is vital to all businesses, but some need to take more care over their data than others. Here we examine how to look after information in a mixed environment and the challenges faced by regulated industries.
Whether held in a filing cabinet or a server, documents and files are the crown jewels of your business: they contain the details of every transaction made, every contract signed, every piece of intellectual property created.
And just like the crown jewels, if they are misplaced, mishandled or stolen, you have a very big problem.
That is why compliance is so important for businesses: while it might not generate value in itself, it is the organisation's memory, keeping track of deals done, products and plans that worked or didn't, clients and employees who have come and gone.
Dealing with a mixed environment
Almost all organisations, whether one hundred years old or just 18 months, will have a mixed profile of important documents, whether stored on paper, on disk, on the company server or in the cloud.
When it comes to document management, this can make keeping track of everything more complicated, as there are lots of strings to tie together.
James Mullock, a partner at law firm Osborne Clarke, said: "It is a difficult subject that a lot of businesses grapple with, and it tends to be something that gets swept under the carpet because it's not a revenue-generating activity."
However, this can be a dangerous attitude to have.
"As things get moved to outsourced suppliers or as things get moved to a digital format and the paper copy is inappropriately stored or destroyed, that's when problems arise," Mullock said. "Quite often the fines that arise probably stem back to a slightly disorganised approach to data destruction and what was lost really didn't need to be held onto at all."
Examples of this kind of error abound, with record fines being issued for what could be described as simple carelessness.
So what is the answer?
According to Mullock, the answer is to roll out a comprehensive, detailed data retention policy that guides employees on what should be done with documents, databases and so on, irrespective of what format they are in.
"You need a cradle-to-grave approach to all data, from creation through storage and finally to destruction. In some ways it shouldn't matter whether it is stored in the cloud, on premise in servers, on disk or on paper," he said.
The keys to this are knowing what you have and how sensitive it is, knowing where it is, and knowing when it should be destroyed.
Equally, there are some types of data that may need to be held on to for a very long time or possibly indefinitely.
"Some categories of information you really should be keeping hold of, particularly anything that could be applicable in a legal case, as it could be disastrous if that was over-enthusiastically destroyed," he said.
Regulated industries
Of course, for some sectors, the need to keep an eye on what data is stored where goes well beyond general good practice.
Personally identifiable information, such as names, addresses and bank account details, is protected under the Data Protection Act (DPA), which is applicable to all organisations, irrespective of industry. For example, if a company loses its HR records or suffers a data breach affecting them, it could be penalised by the Information Commissioner's Office (ICO) under the DPA.
However, in the legal, medical and financial sectors in particular, as well as certain areas of the public sector such as social services, extra care must be taken to protect data while you have it and destroy it once you no longer need it, as these sectors all handle high levels of sensitive personal data.
Fines for data breaches in these fields can reach into the hundreds-of-millions of pounds. In June 2012, Sussex University Hospitals Trust was fined £325,000 after hard drives sold on the Internet were found to contain the personal details of thousands of staff and patients.
NHS Surrey managed to make a similar mistake a year later, resulting in a £200,000 fine, while the Bank of Scotland incurred a penalty of £75,000 after it repeatedly faxed documentation, including photocopies of passports and driving licences, to the wrong number.
A comprehensive document management strategy, as described by Mullock, could have prevented these kinds of leaks from happening.
In the cases of the NHS Trusts, the destruction part of a properly implemented data lifecycle management policy would most likely have seen the data being erased before the hardware was sold on.
The case of the Bank of Scotland may be more complicated; however, the organisation did identify a problem with employees misdialling on fax machines. Having noted this problem, it could have put a remedy in place, such as a secure file sharing service.
However, if organisations in regulated industries do opt to use cloud or online services to store or process data, they must also take into account where that data is stored.
In particular, certain categories of data, such as medical records or bank details, must not leave the EU. This means ensuring suppliers have a data centre in one of the EU member states, with some organisations preferring to keep data within the bounds of the UK.
When it comes to printing sensitive data, an additional layer of security can be added in these industries, or for particularly sensitive data in other sectors.
"Enforcing a policy where a password must be entered in order to print, whether at the computer or at the printer, is a particularly good idea," said Mullock.
Not all doom and gloom
As complex as all this may sound, it comes down to a few key points. Firstly, know what regulations your business is subject to; this is particularly important in regulated industries, as it is likely there are several. Secondly, implement a data lifecycle management policy that takes account of rules and regulations, and make sure it is both thorough and followed.
Finally, keep on top of the policy: your data profile is likely to change over time, and new data protection legislation from the EU is expected this year. If your policy is allowed to moulder, it will become of little more use than if it didn't exist at all.
Following these steps along with the advice of your legal counsel should keep you compliant and your data safe.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.