Compliance and complexity: How to stay on the right side of the law


Document management is vital to all businesses, but some need to take more care over their data than others. Here we examine how to look after information in a mixed environment and the challenges faced by regulated industries.

Whether held in a filing cabinet or on a server, documents and files are the crown jewels of your business: they contain the details of every transaction made, every contract signed, every piece of intellectual property created.

And just like the crown jewels, if they are misplaced, mishandled or stolen, you have a very big problem.

That is why managing documents properly is so important for businesses: while the archive might not generate value in itself, it is the organisation's memory, keeping track of deals done, products and plans that worked or didn't, and clients and employees who have come and gone.

Dealing with a mixed environment

Almost all organisations, whether 100 years old or just 18 months, will have a mixed profile of important documents, stored on paper, on disk, on the company server or in the cloud.

When it comes to document management, this makes keeping track of everything more complicated, as there are many loose ends to tie together.

James Mullock, a partner at law firm Osborne Clarke, said: "It is a difficult subject that a lot of businesses grapple with, and it tends to be something that gets swept under the carpet because it's not a revenue generating activity."

However, this can be a dangerous attitude to have.

"As things get moved to outsourced suppliers or as things get moved to a digital format and the paper copy is inappropriately stored or destroyed, that's when problems arise," Mullock said. "Quite often the fines that arise probably stem back to a slightly disorganised approach to data destruction and what was lost really didn't need to be held onto at all."

Examples of this kind of error abound, with record fines being issued for what could be described as simple carelessness.

So what is the answer?

According to Mullock, the answer is to roll out a comprehensive, detailed data retention policy that guides employees as to what should be done with documents, databases and so on, irrespective of the format they are in.

"You need a cradle-to-grave approach to all data, from creation through storage and finally to destruction. In some ways it shouldn't matter whether it is stored in the cloud, on premise in servers, on disk or on paper," he said.

The keys to this are knowing what you have and how sensitive it is, knowing where it is, and knowing when it should be destroyed.

Equally, there are some types of data that need to be held on to for a very long time, or possibly indefinitely, and a retention policy has to make that exception explicit rather than leave it to chance.

"Some categories of information you really should be keeping hold of, particularly anything that could be applicable in a legal case, as it could be disastrous if that was over enthusiastically destroyed," he said.
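The cradle-to-grave approach Mullock describes comes down to a retention schedule applied uniformly to every record, whatever its format or location, with two exceptions that must override the schedule: records under legal hold and records whose category is not on the schedule at all. The following is an added example, not code from the article or from Osborne Clarke; the categories, retention periods and sample inventory are hypothetical and illustrative only, and a real schedule would come from counsel. It shows the decision logic a destruction run should apply: a legal hold beats an expired retention period, an indefinite category is never destroyed, and an unknown category is routed to human review rather than defaulting to destruction.

```python
"""Retention-schedule check for a mixed inventory of records.

Decides, as of a given date, which records are due for destruction,
which must be kept, and which need a human decision. Legal hold
overrides retention expiry; unknown categories are never destroyed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical schedule: category -> (sensitivity, retention period).
# A period of None means "keep indefinitely". Values are illustrative.
RETENTION_SCHEDULE: Dict[str, Tuple[str, Optional[timedelta]]] = {
    "hr_file": ("high", timedelta(days=6 * 365)),
    "patient_record": ("high", timedelta(days=8 * 365)),
    "invoice": ("medium", timedelta(days=7 * 365)),
    "marketing_draft": ("low", timedelta(days=365)),
    "board_minutes": ("medium", None),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    location: str          # "paper", "on-prem", "cloud", "disk" ...
    created: date
    legal_hold: bool = False


def disposition(record: Record, as_of: date,
                schedule: Dict[str, Tuple[str, Optional[timedelta]]] = RETENTION_SCHEDULE
                ) -> Tuple[str, str]:
    """Return (action, reason); action is one of
    'destroy', 'hold', 'retain', 'review'."""
    # Legal hold is checked first: it wins even if retention has expired.
    if record.legal_hold:
        return "hold", "legal hold overrides retention expiry"
    entry = schedule.get(record.category)
    if entry is None:
        # Conservative default: never destroy what the schedule does not describe.
        return "review", f"no schedule entry for category {record.category!r}"
    sensitivity, period = entry
    if period is None:
        return "retain", f"{sensitivity}-sensitivity record kept indefinitely"
    expires = record.created + period
    if as_of >= expires:
        # Format/location is reported so the destruction step can be routed
        # (shredding for paper, wiping for disk, deletion request for cloud).
        return "destroy", f"retention expired {expires.isoformat()} ({record.location})"
    return "retain", f"retention runs until {expires.isoformat()}"


def plan(records: List[Record], as_of: date,
         schedule: Dict[str, Tuple[str, Optional[timedelta]]] = RETENTION_SCHEDULE
         ) -> Dict[str, List[str]]:
    """Group record IDs by the action the schedule requires as of `as_of`."""
    out: Dict[str, List[str]] = {"destroy": [], "hold": [], "retain": [], "review": []}
    for r in records:
        action, _ = disposition(r, as_of, schedule)
        out[action].append(r.record_id)
    return out


# Constructed sample inventory spanning paper, disk, on-prem and cloud storage.
SAMPLE_INVENTORY: List[Record] = [
    Record("HR-0001", "hr_file", "paper", date(2005, 3, 1)),
    Record("HR-0002", "hr_file", "cloud", date(2012, 9, 15)),
    Record("PAT-0100", "patient_record", "disk", date(2003, 1, 10), legal_hold=True),
    Record("INV-2004-77", "invoice", "on-prem", date(2004, 6, 30)),
    Record("MKT-12", "marketing_draft", "cloud", date(2012, 1, 1)),
    Record("BRD-1999", "board_minutes", "paper", date(1999, 5, 5)),
    Record("MISC-9", "scanned_unknown", "disk", date(2000, 1, 1)),
]

AS_OF = date(2013, 8, 1)

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        action, reason = disposition(rec, AS_OF)
        print(f"{rec.record_id:12} {rec.category:16} {rec.location:8} -> {action:8} {reason}")
    print(plan(SAMPLE_INVENTORY, AS_OF))
```

The point of the ordering in `disposition` is that the two safety checks (legal hold, unknown category) run before any date arithmetic, so a badly classified record or a stale schedule can only ever cause over-retention, which is a cost, rather than destruction of something needed in a legal case, which is the "disastrous" outcome Mullock warns about.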

Regulated industries

Of course, for some sectors, the need to keep an eye on what data is stored where goes well beyond general good practice.

Personally identifiable information, such as names, addresses and bank account details, is protected under the Data Protection Act (DPA), which applies to all organisations irrespective of industry. For example, if a company loses its HR records or suffers a breach of them, it can be penalised by the Information Commissioner's Office (ICO) under the DPA.

However, in the legal, medical and financial sectors in particular, as well as certain areas of the public sector such as social services, extra care must be taken to protect data while you have it and to destroy it once you no longer need it, as all of these handle large volumes of sensitive personal data.

Fines for data breaches in these fields can reach into the hundreds of thousands of pounds. In June 2012, Brighton and Sussex University Hospitals NHS Trust was fined £325,000 after hard drives sold on the internet were found to contain the personal details of thousands of staff and patients.

NHS Surrey made a similar mistake a year later, resulting in a £200,000 fine, while the Bank of Scotland incurred a penalty of £75,000 after it repeatedly faxed documentation, including photocopies of passports and driving licences, to the wrong number.

A comprehensive document management strategy, as described by Mullock, could have prevented these kinds of leaks from happening.

In the two NHS cases, the destruction stage of a properly implemented data lifecycle policy would have required the drives to be securely erased, and that erasure verified, before the hardware was sold on.

The Bank of Scotland case is more complicated; however, the organisation had already identified a problem with employees misdialling fax numbers. Having noted the problem, a remedy, such as replacing fax with a secure file sharing service, could have been put in place before the ICO stepped in.

However, if organisations in regulated industries do opt to use cloud or online services to store or process data, they must also take into account where that data is stored.

In particular, personal data, and especially sensitive categories such as medical records or bank details, must not be transferred outside the European Economic Area unless the destination offers an adequate level of protection (the DPA's eighth principle). In practice this means ensuring suppliers store and process the data in a data centre in one of the EU member states, and some organisations prefer to keep it within the UK. The supplier's contract and its list of sub-processors and backup locations should be checked, not just the headline region.

Printing is another point at which sensitive data leaks, and an additional layer of security can be added here in these industries, or for particularly sensitive data in other sectors.

"Enforcing a policy where a password must be entered in order to print, whether at the computer or at the printer, is a particularly good idea," said Mullock.

Not all doom and gloom

As complex as all this may sound, it comes down to a few key points. Firstly, know what regulations your business is subject to; this is particularly important in regulated industries, as there are likely to be several. Secondly, implement a data lifecycle management policy that takes account of those rules and regulations, and make sure it is both thorough and actually followed.

Finally, keep on top of the policy: your data profile is likely to change over time, and new data protection legislation from the EU is expected this year. If your policy is allowed to moulder it will be of little more use than if it didn't exist at all.

Following these steps, along with the advice of your legal counsel, should keep you compliant and your data safe.


Jane McCallion
Deputy Editor
