The issues of compliance have come to a head indirectly because of computers, and, in particular, the Internet. The ability to conduct business electronically has arrived. We can contract via email, our partners, suppliers and customers have access to corporate resources, and our own staff can directly access corporate facilities from anywhere in the world.
This surge in technology does not change the underlying legal, regulatory and judicial requirements to be met. It just places new challenges on an organisation. How do we manage all these communication mechanisms? How do we secure the business records created electronically to provide the level of evidence that we had in the paper world?
It may not seem obvious, but the first question to answer is “What are the laws and regulations that I need to comply with?” In some circumstances a company need have no physical presence in a country or region yet may still be subject to its laws.
Having established all the laws and regulations to be met, it is possible to build up the set of required practices, procedures and processes that need to be put in place, and, fundamentally, which records have to be maintained and for how long. The increasing dependence on computers and electronic data means that in order to survive a regulatory investigation, commercial or civil litigation, a criminal investigation, or even survive a criminal attack, organisations must have a properly implemented record capture, storage and retrieval capability.
Record management is the key, because to demonstrate compliance, an organisation must keep appropriate records and be able to present them on demand, in some cases within 24 hours. Even Sarbanes-Oxley section 404, which is widely seen as the application of automated Identity Management and Access Management solutions, requires that the logs and audit trails be maintained to demonstrate that the controls were indeed in place.
Many mistakenly concentrate narrowly on records retention. For example, a product that claims compliance with SEC regulations by retaining email for two years is missing the point. Regulators make specific demands on what records they want kept and for how long. The law also makes demands, and these demands will often be more onerous than those of the regulators. Two years may satisfy the SEC, but the courts require data to be retained whilst there is the possibility of litigation. Failure to do so can lead to serious consequences.
But there is a further, far more challenging issue facing the organisation. Even after identifying all the relevant records and retaining them, how do I demonstrate that these records have not been tampered with? How should they be retained in order to satisfy the apparently competing requirements of data protection, privacy and evidential weight? And what other requirements does the law place on records?
All regulations are subject to the jurisdiction and requirements of the courts, and it is these that must be met irrespective of the requirements of a specific regulation. This can lead to apparent anomalies: for example, a regulation may seem to prohibit deletion of a record during the retention period, but the courts have the power to order an incorrect record to be deleted or amended. Typically, retention periods required by the courts are longer than those defined by regulators, as the courts require the record to be available until the need for that record expires under the statute of limitations. Regulators only define a retention period to cover the period in which they have a specific interest in the record.
Regulations tend to focus on which records need to be retained and for how long. Some go further, particularly in the Financial Services, Pharmaceutical and Health Care sectors, and address the issues of integrity and authenticity of records in electronic form. This leads to the cornerstone of compliance, be it paper-based or electronic, which is demonstrating evidential weight for records. Evidential weight is a concept that needs to be recognised as part of the discussion on compliance; an organisation needs to be in a position to demonstrate that the records it retains are the actual business records used and that none has been added, changed or deleted.
The principles of record management described here for electronic records apply equally well to paper records and it is a common mistake to conclude otherwise. What is significant is that the ability to do business electronically throws up a range of technical issues that need to be addressed in order to give the same level of confidence, of evidential weight, to the record in electronic form. Compliance has always been a requirement for conducting business, but the advent of the computer age and recent high profile corporate scandals have raised the profile.
Compliance should be seen as a cost of doing business.
For further details please send an email to enquiries@kalypton.com.