Big Bucket records retention schedules (RRS) are common practice in the Records and Information Management (RIM) industry. The Big Bucket approach involves grouping records together based on similar business processes and events to the greatest extent possible. Routine records are classified separately. Implementing a Big Bucket approach means that duplication and overlap between business areas are reduced, resulting in a simplified schedule that will increase adherence and compliance. Many organizations favor this schedule method for many reasons, but mostly because it’s simple. As with any schedule design, Big Bucket schedules can have hang-ups.
Lately, RIM professionals have started reviewing their schedules with a focus on privacy, in particular in light of the upcoming enforcement of the European Union (EU) General Data Protection Regulation (GDPR). The regulation generally requires that personally identifiable information (PII) be retained for no longer than needed. In addition, many international jurisdictions have passed laws requiring that certain types of PII be retained no longer than a defined period.
When organizations review retention periods with privacy in mind, a common knee-jerk reaction is to think the Big Bucket approach is too big. How can we possibly satisfy all the legal/privacy requirements and restrictions, as well as operational and business needs, with one single retention period?
Fear not. I am here to tell you that the Big Bucket approach will survive. It is still the best retention schedule approach available, but there’s room for improvement when it comes to privacy. Here are a few strategies to address privacy for your Big Bucket RRS:
1. Privacy Mapping: Scrutinize your record series and identify records with PII. Consider evaluating them through a risk analysis by focusing on those record series with the highest privacy risks (think employee and customer PII, for example). Be sure your analysis includes functions, record series, and specific records that contain PII. You’ll likely need to engage with stakeholders within your organization to accomplish this.
2. Collection Purpose Review: As part of your analysis, try to gain an understanding of how or why that PII is used. This information will help you assess retention periods.
3. Review Legal Requirements & Restrictions: RRS retention periods used to be about how long you should keep records. Now, an equally important part of that analysis considers how quickly PII records should be disposed of. When working through your Big Bucket approach, be sure to consider how you need to dispose of these records and implement a plan for how to do so.
With information gathered through steps 1-3, you can begin to review whether the current retention periods are reasonable. Read more about how you can address record series that pose problems: https://www.zasio.com/is-the-big-bucket-retention-schedule-dead-in-the-age-of-privacy/
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Jennifer Chadband, Senior Analyst at Zasio Enterprises, Inc.