Organizations will always have information they need to manage. Organizations have tons (literally…) of paper they deal with and terabytes of digital information they manage every day. In every technical discussion on the subject I have ever participated in, the question always arises, “How long do we have to maintain this information?” Fair question.
Both paper and digital data must be physically stored, and both types of storage have a cost. While paper tends to have a fixed cost to store, digital data has a variable cost structure for storage: typically, the more digital storage medium you purchase, the lower the cost per terabyte. The question remains, “How long do we actually have to keep this information/data?” The answer to that question lies in your organization’s RIM (Records and Information Management) program.
Your third-party risk management program is a big part of any RIM program. Think about all of the due diligence, contracts and risk assessments you have and will compile over the course of a year and you will see RIM is a significant undertaking.
Key Records Information Management Functions
Records Information Management is an enterprise-level program that performs several key functions for the organization.
Some of the most important include:
- Defining the length of time any information or documentation must be maintained by the organization
(Note: RIM defines the legal duration in which information or documents must be retained in some form by determining local, state, and federal requirements for document retention. The specific length of time varies by city, county, state and federal government guidelines as well as any legal restrictions that may apply)
- Identifying the various types of information (IRS tax records, corporate board minutes, etc.)
- Classifying information as public, private, sensitive, confidential, etc.
- Categorizing who should have access to the information
- Describing the roles and responsibilities for the information
- Specifying the manner and method of disposing of the information
How to Successfully Set up a Vendor Records and Information Management Program
For any RIM program to work properly, the organization will need a specific and detailed retention and data management plan. Since records and information management affects every business unit and every employee, it’s advisable to make sure you check in with your board and senior management. To be successful, the organization’s leadership must not only buy in, but actively support the boundaries the information management program establishes for the organization.
From there, you’ll need to:
- Plan. The importance of planning your RIM program carefully cannot be overstated. Any information management program worth its salt has a plan. This is one instance where the old saying, “Plan the work and work the plan” is spot on! Every business unit must participate as does the board and your senior management team. Your technology team will be extremely interested in the development and operationalization of this plan. They’re the team that will have to ensure the confidentiality, integrity and availability of the data and will hold the responsibility for destroying the data at the appropriate time.
- Organize. The whole organization must be part of the solution. Every business unit will be involved, and every employee will be affected. How can you organize an entire organization and all the data within? Start with a data flow diagram. Where does your organization’s data come from? Where is it stored? Who has access to the information, and how long must the data be stored before its destruction?
- Set Compliance Standards. Once your record and information management program is established, your organization will have to determine how to reduce its risk of internal noncompliance. That is, how are you going to ensure everyone in the organization participates in the adventure and sticks to the established guidelines? Your first step in setting up controls should be to engage your internal audit team. They’ll be responsible for periodically checking on the program and determining if it’s following policy and procedure.
For the most part, the IT team will establish technical controls over the data. They’ll use the tools they have at their disposal to ensure the policy and procedures you establish will be followed.
The Length of Time to Retain Vendor Records
The specific length of time any information must be retained will depend upon the industry, the state and the federal government. For example, in health care, any time an infant is treated, most organizations maintain the infant’s information indefinitely. However, if you treat an adult, each state will have different time frames for maintaining patient information.
Third-party risk management requires that you keep any due diligence and legal documents (contracts, MNDA, et al.) for the life of the contract. Beyond that, the UCCC (Uniform Consumer Credit Code), your state and the federal government will weigh in on the length of time you should maintain your vendor records. Of course, when you do business in foreign countries, you’ll have to research their specific data retention requirements. In the event you find conflicting time frames for data retention, always err on the side of the longest timeline under consideration.
Although the specific time frame for record retention varies, it’s important to highlight that determining the correct timelines will require both research and a determination by your organization of the retention requirements it finds most reasonable.