Gimmal Blog


6 Questions for Companies and their SharePoint Compliance Plan

An article from Silicon Republic covers some important questions that all companies dealing with data should be aware of. We’re going to discuss their importance to an overall SharePoint compliance plan. Cybersecurity and information governance are inextricably linked. Directors in all organizations must be aware of the impact that they have on one another.

As more pieces of a business become connected, both internally and externally, the risk of a data breach increases.

As with other business challenges, the proactive approach is always the preferred method. Creating a detailed SharePoint compliance plan that involves all departments and the various types of potential risks is the best way to ensure a secure data environment. The reliance on data storage and the transmission of sensitive records presents many opportunities for risk. Below are 6 important questions that all directors need to consider.

  1. Are we being transparent? The organization needs to be transparent about how it obtains data and where (and for how long) that data is stored. The data also needs to be accessible to those who require it, in a safe and traceable system.
  2. Do we have consent? Sensitive information should require consent from all parties before it is obtained and stored. It should also be disposed of properly and in line with the overall information governance strategy.
  3. How long are we retaining data for? One of the tenets of a complete compliance plan and information governance strategy is the defensible disposition of data when appropriate. The company should always refer to current local, state, federal and industry regulations when constructing a retention schedule.
  4. Are we collecting unnecessary data? Data should only be collected when critical to the business. Trivial or obsolete data can pose a storage and compliance issue if not handled correctly.
  5. Are we keeping the data secure? Appropriate security measures are critical to every organization’s overall compliance plan and must be a priority even for non-records. The up-front cost of properly securing data pales in comparison to the cost of a data breach.
  6. Are we giving the data to third parties? Any time data is sent outside of the organization, it is important to understand how that data will be treated. Your organization can end up in just as bad a situation if your data that resides with a third party is breached. Your data remains your responsibility regardless of where it lives.

Overall, when considering a SharePoint compliance plan, these important questions must be asked first and buy-in from all departments must be obtained. Information governance requires cooperation throughout the entire organization, and CIOs and the records management team must lead these efforts. The out-of-the-box records management capabilities of SharePoint fall short of what true compliance requires.

Related Posts

Creating a Framework for Classification

This is Part 2 in a series about creating and executing an effective file plan for your organization. The previous post is Creating a Retention Schedule that Works.

3 Tips to Ensure KORA Compliance

There has been a spotlight on the Kansas Open Records Act (KORA) in the media lately, largely due to recent violations. Under KORA, any individual can request public records from government bodies. If all requested records are not provided within a specific timeframe, these organizations are subject to significant repercussions. This is merely one example of a ‘sunshine law’. The purpose of sunshine laws is to provide transparency into government agencies by giving the public access to local government proceedings.

Creating a Retention Schedule that Works

Creating a usable, automated, and simple file plan is an important part of ensuring records are managed in a consistent manner and that you are protected from legal risks, such as failure to disclose information during a discovery proceeding or the unauthorized leakage of information. The first step in the process is creating a retention schedule, which outlines how long records are kept in accordance with the organization’s obligations and the law.