Compliance is a crucial part of every industry. From international quality standards to local privacy laws, Australian businesses must maintain strict adherence to a wide spectrum of regulations. In some sectors, compliance directly shapes information flows and even the physical work environment. In others, it is more of an afterthought, attended to only in the event of an official inquiry.
Whatever the specific case may be, compliance remains intimately linked to information management. Good information management solutions not only help businesses stay compliant, but allow them to prove their compliance to regulators quickly and easily. Weak information management systems, on the other hand, can leave organisations exposed to the devastating financial, legal and reputational costs of non-compliance.
The primary concern at the intersection of information management and compliance is that documents must be retained for at least the minimum period stipulated by legislation. These periods differ depending on the type of document, and can range from a few years to several decades. According to a study conducted by Applied Research, 96% of Australian and New Zealand organisations believe in the value of a formal information retention plan, but only 50% have one. Without properly resourced information management, data lifecycles are unreliable at best and non-existent at worst, resulting in serious compliance violations when information is misplaced or destroyed too early.
Improperly stored or secured client data can also be fertile territory for non-compliance. “Any business that stores or uses consumers’ private information needs to be mindful of the large influx of litigation regarding data breaches,” says Stephen Heath of Heath & Steinbeck, LLC. “While larger institutions are the obvious targets for class-action attorneys, it’s ideal for an emerging startup to ensure compliance from the outset.” A contributing factor to the severity of breaches and the resulting litigation is the size of an organisation’s archives: the more data that is retained, the more that can be compromised, and the greater the legal backlash. According to a Ponemon Institute study released in 2016, the average cost to a company per record breached is AU$142 in damage control and customer churn alone. If civil or criminal litigation follows due to non-compliance, the cost can be many times higher.
This is an important point for organisations that may have been practising indefinite retention in an attempt to simplify their information management processes. There is a common perception that keeping every single document is a way to avoid compliance problems and minimise the time and money spent on curating data. However, as well as the legal liability described above, indefinite retention can make compliance harder to prove, because indexing becomes disorganised and critical information becomes difficult to locate. In this way, over-retention can be just as problematic as premature destruction.
Excessive retention can also cause more direct compliance problems. Under the Australian Privacy Principles introduced by recent amendments to the Privacy Act (APP 11.2 in particular), organisations that retain the personal information of employees and clients beyond the purpose for which it was collected are doing more than unnecessarily cluttering their archives: they may also be breaking the law. In research conducted in April 2017, we spoke to one Australian mortgage broker (who wishes to remain anonymous) that was retaining a full 30 years of data. Given the retention periods that apply to the type of information mortgage brokers deal in, this likely meant that around 23 of those years of client information, everything older than the applicable retention period, was being held without a legal justification.
Discover the solutions in Grace’s FREE in-depth information management report – available exclusively at www.grace.com.au/information/compliance
Ponemon Institute, 2016 Cost of Data Breach Study: Australia, p. 1.