With Data Retention Action Plans
James Baird, Dolphin Enterprise Solutions
A data retention policy is widely considered the first step an organization can take to comply with financial, industry and civil regulations and to limit the amount of sensitive data exposed if a security breach occurs: data that has been purged on schedule cannot be stolen.
Even the most comprehensive policy is effective, however, only when it’s put into action. Many companies spend considerable time developing and reviewing retention policies, but have little knowledge of how those policies are applied to the electronic data and documents in their enterprise resource planning (ERP) systems and how to remain compliant as retention requirements change over time. It is critical for organizations to regularly review these policies to ensure they remain compliant.
This is especially true in highly regulated industries such as the electric power industry. A thoughtfully planned and executed data retention action plan gives utilities an advantage by providing greater visibility into what data they hold, where it lives and how long it must be kept.
Many utilities are challenged in ways they never imagined years ago. Data control and retention are now essential as many utilities work to establish full "smart grid" status. Smart grid refers to the class of technology that utilities are using to modernize electricity delivery systems with computer-based remote control and automation. Electric utilities are known for collecting and using big data, from meter reads to voltage measurements. As the grid becomes more automated and data collection grows, having a data retention action plan is more important than ever.
In addition to developing smart grids, utilities must protect important assets such as electric meters and security seals. Previously, most utilities were unable to effectively track these assets once they left the warehouse and entered the field. A data retention action plan can help utilities manage and protect these assets around the clock. Because utilities frequently face dangerous situations and emergencies, such as power lines falling during severe storms, they also benefit greatly from being able to access data rapidly. Maintenance records are an example of data that matters only for periodic reporting (mostly at an aggregated level) or when an emergency happens. This type of data can be archived, but it still must remain accessible during an emergency.
Applying Retention Policies to Electronic Data
Accumulating information without a defined lifecycle exposes organizations to a high level of risk. Electric utilities must preserve information for as long as it is needed, while establishing a controlled, repeatable process for purging expired information. These policies and processes also must support exceptions to the pre-defined schedules for audits, legal cases or internal requirements. Implementing retention management is a complex process, and in many organizations it is complicated by the fact that retention rules were written when information was primarily paper-based and cannot easily be mapped to digital information.
Within an organization, legal, finance and HR departments must have a strong understanding of how retention requirements apply to the business, as well as each individual department. It is also important for the IT department to know how and when to apply those retention rules to electronic data.
Retention policies must be mapped directly to a company's specific software modules and the tables and fields that are affected. Most importantly, purge dates, the date after which the data and any related documents are destroyed and their storage released for other use, must be defined so that records are actually removed when they reach end of life rather than merely marked expired. While the IT team is responsible for applying retention policies in the system, business stakeholders also must participate to ensure the policies are implemented correctly. Special attention must be paid to any information that is subject to legal or audit holds. This information must be retained beyond its standard purge date, so business stakeholders must give the IT team the exact criteria for identifying what must be retained, such as company codes, date ranges, personnel numbers and document numbers.
Staying Aligned with Centralized Retention Solutions
Several solutions are available to help business and IT teams work together to standardize and streamline electronic data retention, ensuring policies are applied consistently. These solutions allow organizations to centrally define, apply and monitor data retention rules in ERP systems. They also enable teams to set purge dates, either manually or automatically, based on the defined retention criteria. Once data reaches its retention date, the solution can automatically trigger an approval workflow so that business users review the data before it is purged and destroyed. This is particularly useful for legal or audit holds: a hold should block the purge of matching data automatically, and the review step is what prevents accidental destruction when a hold was defined too narrowly.
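The two passages above describe a mechanism: compute a purge date per record from its retention period, check every expired record against the hold criteria supplied by the business (company codes, date ranges, personnel numbers, document numbers), and route what survives the hold check to an approval step rather than purging it directly. The following is an added example of that evaluation, not code from the article or from any vendor product. The record layout, retention periods, hold criteria and sample records are constructed assumptions for illustration; the retention years are not regulatory advice.

```python
"""Retention evaluation over constructed ERP-style records (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Record:
    doc_type: str       # assumed mapping of an ERP table to a retention class
    company_code: str
    personnel_no: str
    doc_no: str
    closed_on: date     # the event that starts the retention clock

@dataclass(frozen=True)
class LegalHold:
    """Hold criteria as supplied by business stakeholders; None means 'any'."""
    hold_id: str
    company_codes: Optional[FrozenSet[str]] = None
    date_from: Optional[date] = None
    date_to: Optional[date] = None
    personnel_nos: Optional[FrozenSet[str]] = None
    doc_nos: Optional[FrozenSet[str]] = None

    def matches(self, r: Record) -> bool:
        """Every criterion that is set must match; unset criteria are wildcards."""
        if self.company_codes is not None and r.company_code not in self.company_codes:
            return False
        if self.date_from is not None and r.closed_on < self.date_from:
            return False
        if self.date_to is not None and r.closed_on > self.date_to:
            return False
        if self.personnel_nos is not None and r.personnel_no not in self.personnel_nos:
            return False
        if self.doc_nos is not None and r.doc_no not in self.doc_nos:
            return False
        return True

# Retention schedule by record class (assumed values).
RETENTION_YEARS: Dict[str, int] = {"maintenance_order": 7, "meter_read": 3}

def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 Feb start rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def purge_date(r: Record) -> Optional[date]:
    """Purge date = clock start + retention period; None when no rule is mapped."""
    years = RETENTION_YEARS.get(r.doc_type)
    return None if years is None else add_years(r.closed_on, years)

def classify(records: List[Record], holds: List[LegalHold], today: date) -> Dict[str, list]:
    """Sort records into buckets. Nothing is ever purged directly from here:
    expired records without a hold only become candidates for the approval workflow,
    and records with no mapped rule are reported rather than treated as expired."""
    out: Dict[str, list] = {"unmapped": [], "retain": [], "on_hold": [], "pending_approval": []}
    for r in records:
        pd = purge_date(r)
        if pd is None:
            out["unmapped"].append(r.doc_no)        # fail closed: no rule, no purge
            continue
        if today < pd:
            out["retain"].append(r.doc_no)
            continue
        hits = [h.hold_id for h in holds if h.matches(r)]
        if hits:
            out["on_hold"].append((r.doc_no, hits))  # hold overrides the purge date
        else:
            out["pending_approval"].append(r.doc_no)
    return out

# Constructed sample data.
SAMPLE_RECORDS = [
    Record("maintenance_order", "2000", "P001", "MO-0001", date(2016, 3, 15)),
    Record("maintenance_order", "1000", "P007", "MO-0002", date(2016, 5, 10)),
    Record("meter_read", "1000", "P003", "MR-0003", date(2022, 9, 1)),
    Record("meter_read", "3000", "P009", "MR-0004", date(2020, 2, 29)),
    Record("contract", "1000", "P001", "CT-0005", date(2010, 1, 1)),
]
SAMPLE_HOLDS = [
    LegalHold("H1", company_codes=frozenset({"1000"}),
              date_from=date(2016, 1, 1), date_to=date(2016, 12, 31)),
    LegalHold("H2", doc_nos=frozenset({"MR-0004"})),
]

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_RECORDS, SAMPLE_HOLDS, date(2024, 6, 1)).items():
        print(bucket, items)
```

Two design points matter more than the bucket names. First, an unmapped record type is reported, not purged; a retention rule that was never mapped to a table is the gap the article warns about, and the safe default is to keep the data. Second, hold criteria are evaluated as a conjunction of whatever fields the business supplied, so a hold given only as a document number list and a hold given as company code plus date range both work without special cases, and the approval step remains the backstop for criteria that were defined too narrowly.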
Utilities must minimize risk by ensuring that their information is protected from modification and premature destruction and is retained for as long as necessary, but no longer. Retention and purging must follow a controlled process, as defined in the business's corporate records retention policy. Automating that process, and keeping an audit trail of both retention decisions and purge actions, is recommended. Utilities also should consider archiving, because it supports long-term retention without keeping expired records in the live system.
Highly regulated industries like utilities typically require retention policies that are applied consistently to electronic data. Data retention plans help ensure such policies are followed by reducing the volume of live data to a manageable amount, improving compliance and allowing faster reporting and faster backup and maintenance of critical business systems.
Ensuring Regular Review
It is most important to remember that retention requirements are never static. Policies must be updated as the business and technologies evolve and grow to ensure that the organization remains compliant with all regulations. In addition to annual or periodic reviews, retention policies should be reviewed whenever:
- New systems, such as cloud applications, are added to the IT environment
- The business experiences a transformation such as a merger, acquisition or divestiture
- New laws and regulations are put in place
- The business experiences increased risk due to increased oversight or threats from hackers
Finally, it’s highly recommended that utilities conduct an independent internal review or have a third party validate the program, ensuring that the policies are mapped and correspond correctly to the electronic data.
The push for internal auditors to focus on strategic risks continues, but regulatory compliance requirements present hurdles. While most audits deal with financial data, organizations also must respond to other external, internal and compliance audits. Regulations are changing and audits are becoming more complex as regulators request additional information. The longer an audit lasts, the more it costs. This makes it crucial to have a data retention action plan in place that lowers costs, improves efficiency and strengthens controls.
While the amount of data collected by utilities increases as more digital components are added to the grid, not all of it is put to use. When large volumes of data pose problems for utilities, primarily where to put it and what to do with it, the data retention action plan is what keeps the organization clear of the financial, civil and criminal penalties that follow from holding data it should have purged or purging data it should have kept.
When organizations have a retention action plan in place, they can be confident that retention rules are applied to electronic data correctly and that they are regularly reviewed and validated. Implementing a solution to automate data retention is the best way to provide greater consistency and visibility across the organization, extending into the future.
James Baird is a senior information consultant at Dolphin Enterprise Solutions Corp., which specializes in information retention and audit. He is a Certified Information Systems Auditor and Certified Information Security Manager with certifications in PCI and PII audits. He previously worked for IBM, KPMG, Deloitte, and as the director of SAP IT security at Coca-Cola Enterprises. He has degrees in IT and project management from the University of Calgary and a degree in organizational psychology from the University of North Dakota.
For more information on data retention for SAP systems and data retention solutions, visit www.dolphin-corp.com.