Over the last few years, South African organisations have come under heavy fire as a result of non-compliance with business regulations. “The proper management of records is imperative in complying with the relevant Acts applicable to organisations in South Africa,” says Pavan Atluri, Bizmod consultant.
Records management goes beyond the implementation of the PoPI Act. Organisations are required to verify that systems are in place to manage all their customer data. These systems need to address old and new data and demonstrate that any use of data is in accordance with compliance regulations.
Atluri identifies the following three major challenges that many organisations face with records management systems:
- It can be challenging for the process owner to understand how many processes the functional unit within an organisation is dealing with. This can become even more complicated when there is a newly appointed process owner, or when processes were decommissioned years ago. Legacy systems and data must still be considered, as any data recorded over time may still be applicable as part of the regulatory requirements (e.g. ‘right to forget’).
- All documents relevant to the process need to be listed, and it is important that records do not depend on different processes, so that deleting data does not become an issue. This element becomes more challenging when one document is used across various processes and each process requires a different retention period in accordance with Act regulations.
- The biggest challenge that most organisations face, though, is having their employees understand records management requirements and the implementation of compliance elements. Different Acts have different perspectives on records management, retention periods and information requirements.
“Fundamentally, record management is the safeguarding of all customers’ data while they interact with an organisation, and following this period not sharing, using or overusing the data without notice and/or consent,” says Atluri. During the auditing process, the organisation’s procedures will be assessed to ensure that data is being recorded and managed in accordance with regulations.
The success of the records management process relies on the stakeholders (executive management, owner, senior management, functional owner, process owner) understanding the process. Atluri says that being aware of the steps for the implementation of a records management system can assist in this. These steps are:
- Identify all business areas
- Identify all functional areas within the business
- Identify all processes in the functional areas
- Identify all the records you create or use from elsewhere as inputs
- Identify what business classification is applicable to the record
- Identify which different Acts are applicable to the record
- Finally, apply the correct retention period to the record (an approved retention schedule, classification policy, information handling policy etc. from Legal and Business Risk Management (BRM) is a prerequisite for records management)
“Once data is deleted it cannot be recovered, thus there is no place for errors in the records management process,” concludes Atluri.