Defining and setting up information policies, including retention rules, is straightforward. You identify the information class and then assign rules, such as a retention rule. Simple enough. Except when you have multiple jurisdictions that have different rules. Then you’ve got some work to do. Luckily, everteam.policy has you covered. Let’s have a look at how to set up exceptions for information policies.
Defining a Retention Rule – For Multiple Jurisdictions
For this article, we will focus on retention rules for multiple jurisdictions, but keep in mind this applies to any type of information policy and its rules.
A retention policy or schedule describes how long the business needs to keep an information asset, where it’s stored and how to dispose of the record when it’s time. It helps you comply with legal and compliance regulations.
We’ve talked about how to identify retention rules before. Here are the basic steps:
- Identify any federal and local regulations you must adhere to. These regulations will define the type of record they apply to and how you need to treat them, including the retention policies to apply.
- Identify any internal records policies your company has defined specifically.
- Group your records into categories or classifications that match a specific regulation and a business rule.
- For each category of record, capture the following information: where the record is found, retention period – if applicable, the retention event – if applicable, the retention medium, the department/group/country the policy applies to, what group supervises compliance, any security rules, and the disposition process (delete, move to long-term archive, etc.).
These rules don’t apply only to a single retention rule. You can also apply them to instances where the retention rule may be different for a jurisdiction. Most organizations have to deal with regulations that affect parts of their company differently. We call these jurisdictions.
A jurisdiction could be an office in a different country, state or municipality. Or it could be a group or department within your organization. What sets it apart is that it has different requirements for the retention of a class of information assets.
For example, if you have offices in several states, you are required to comply with the regulations of each state. One state may say you need to keep a certain class of information for five years, while another state says that you need to keep the same information for ten years.
You could look at the highest period for the retention of an asset class and define your rule around that, but it can lead to problems such as keeping records for much longer than required. Keeping records past the defined retention period not only increases storage costs but leads to a higher risk of that information getting accidentally (or on purpose) exposed to the wrong people.
In some cases, you may define a “default” retention rule and then indicate exceptions to that rule. In other cases, you may want to create completely different retention rules for each jurisdiction. There’s no right way to do it. You use whatever approach works best. In some cases, you may combine them.
Managing Multi-Jurisdiction Retention Rules in everteam.policy
Everteam.policy provides the ability to define and manage retention rules for multiple jurisdictions.
To see all the policies for the entire organization, you set the Classification setting to “All.” It will list all the different classifications you have created.
To see the Default classification, you select it from the drop-down list. In the example below, there is a “default” classification that works for the entire company, except the US, which has its own classification for Expense Accounting Monthly reports. For the default (Base) classification, it shows that the retention policy is five years and that, after the five years is over, the asset is deleted.
For the US, the retention needs to be different. Instead of retaining the records for five years, we need to retain them for seven years. So we can edit this policy definition to say seven instead of five.
Here’s a look at the screen where you can create a record class exception:
When you query the policy, the system will automatically return the appropriate policy value for the jurisdiction specified.
It’s a simple process to manage what can be a complex policy with multiple exceptions. We’ve looked at a difference in retention periods, but there are other rules that can also differ, including security, business continuity, and other properties, as well as references to different regulations.