When a global financial technology deployment and management provider sought to migrate its systems to Office 365, its general counsel recognized an opportunity to establish a records retention policy and assess information governance maturity.
The company engaged FTI Technology’s Information Governance, Privacy & Security (IGP&S) practice to review, assess and advise on the organization’s privacy, security, IT, records, legal and regulatory risks and practices. In a matter of months, FTI Technology’s experts created and implemented a robust records retention program inclusive of regulatory and business requirements across eight countries in five continents.
The client had grown significantly through global acquisitions, and as a result had numerous geolocations spread across eight unique jurisdictions, all operating as separate entities. Each region had its own systems, culture, processes, regulations and requirements to consider in the broader scope of the organization’s IG risk and records retention schedule. Its enterprise records management was ad hoc and siloed and lacked a formalized retention plan, legal hold policy and IG framework.
In order to create a records retention program, the team would need to first understand key business components and units, as well as the legal and regulatory requirements specific to each jurisdiction. Given the disparate nature of the company’s operating structure, identifying stakeholders and interview subjects was a significant challenge. Roughly 80 stakeholders in 14 business units were identified as relevant to the initiative.
FTI Technology moved quickly to conduct stakeholder interviews, determine the organization’s record series and identify which business processes would be included in the records retention schedule. Working with interviewees and key stakeholders, the team identified proposed retention periods for each record series varying data sources and identified which units might struggle with the recommended retention parameters.
Using a SaaS-based application, the team initially determined 50 record series, and eventually expanded that to 88. Retention for 49 of the record series were dictated by a specific regulatory or legal obligation, but for the remaining 39, FTI Technology collaborated with the client to set retention based on business needs and best practices. In addition to creating a robust record retention schedule for the client’s operations in the U.S., U.K., Australia, Canada, Germany, India, Mexico, South Africa and Spain, the team also delivered:
- Retention rules in accordance with unique jurisdictional requirements and recommendations for whether laws in one region would dictate retention across the entire organization.
- A global records retention policy for the organization and a procedure to implement within its new Microsoft 365 deployment.
- Communication and training plans to enable a sustainable retention schedule and compliance with the new policy.
- A data inventory map and guidance for establishing a true system of record.
- Management of and collaboration with the third-party SaaS provider.
- A detailed IG and global data privacy gap assessment that illustrated the risks relating to the client’s use of disparate systems and processes and lack of standardized legal hold practices. The assessment included recommended remedial initiatives and a roadmap with estimated costs for subsequent phases.
- Support for longer-term data remediation efforts.
- In-depth reporting via a visual dashboard to provide the client with weekly communication and updates regarding the project workstream, progress and budget.