Technology and IT is deeply integrated into all areas of business operations, which begs the question who is responsible for maintaining certain policies?
There are those who believe that IT is responsible for certain policies since they are so uniquely involved with technology solutions, while others may feel that this should be a legal matter and left in the hands of those in charge of compliance and strategy. This second idea implies that the IT department is solely responsible for the implementation of the technical aspect that is required in order to support the policy and not the policy itself.
Most organizations that we work with aren’t sure about proper data retention policies and who to seek guidance from. Confused? Well, here’s an example we run in to. At Enable, organizations will often ask us questions like, “What is the standard length of time or the best process for how long former employee accounts should remain active and accessible?” and “How long should we hold on to former employee files?”
The short answer: “it depends.” And while we do understand why you want to ask your IT team this question, they probably are not the right people to answer it.
We know, we know, it’s frustrating! But the reality is that deep down these really are not technology-based questions and shouldn’t be answered by technology professionals. Rather, these questions lean towards the legality side of business and require considerations from advisors and team members in the legal arena. The unique answers to these types of questions depend upon the individual characteristics of the organization that is asking the question, their unique business or industry type, any pertinent regulations overseeing their operations, their specific procedures and history, and any other potential legal risks or concerns.
IT vs. Legal
To ensure adequate protection, business leaders need to seek wise legal counsel when addressing issues concerning data retention and other items. This is absolutely crucial when it comes to privacy, security, harassment allegations, and data integrity. These issues are a growing concern in many leadership platforms across all types of organizations.
The need for well-thought-out policies is high in other areas besides data retention, including:
- PCI and payment information
- Employee and customer data
- Acceptable use policies
The common thought process is that PCI is a technology problem and IT is responsible for technology. Therefore, shouldn’t they take the responsibility when it comes to PCI compliance? This idea promotes that IT should be responsible for implementing the policies since IT also implements the technical aspect that keeps policies protected.
However, PCI is about maintaining compliance — what should be done, in what situations, who’s going to do it, and for how long? So, the responsibility falls to the role who can take the lead in addressing the issues of legal compliance and risk management — not the IT professional.
At Enable, we aim to be as helpful as possible to our clients. Advising them on the many aspects of technology is simply part of the job description for a comprehensive technology partner. Therefore, we always advise our clients to seek out individualized legal counsel first regarding the issues we’ve discussed this far, like data retention for former employee accounts, email, and documents. Your legal counsel is skilled in understanding and evaluating the intricacies of your organization, its history, circumstances, legal requirements, any challenges, and specific vulnerabilities
While a qualified IT company will understand industry practice and the specifics of certain regulations and laws, they are not positioned to advise their clients on the details of individualized policy-related compliance and the legal “fine print.” We commonly advise our clients on the technical aspects of enabling compliance-related issues, with the understanding that it is in our clients’ best interest to retain the responsibility for developing and owning the policies. Once an organization establishes its policies and guidelines, our role is to carry out the technical structure and provide solutions that enable the organization to follow and comply with the stated policy.
Our Advice? Get Advised.
The key takeaway: It’s quite simple. Business leaders and their legal advisors develop and define appropriate compliance policies; the IT team activates and supports the implementation of those policies.