Keep your document collaboration compliant

I posted an article last week at CMSWire on 3 Ways Document Collaboration is Becoming More Social. I don’t want to rehash the details here, but rather build on what I said there to consider some of the compliance implications of managing documents more collaboratively, which can be serious, particularly for organizations in regulated, compliance-driven industries like financial services, insurance, banking, or pharma.

In the article, I talked about three ways I think document management will get more collaborative in the next 18 – 24 months:

• Some documents will no longer be documents at all – we’ll stop using documents to do those things that are better accomplished with social collaboration tools, whether because the information in these documents has a short useful lifespan or because it would benefit from the fluidity that social collaboration tools provide.
• Some documents will no longer begin their lives as documents – we’ll create some documents as other kinds of content (e.g., wikis, conversation threads, blogs) and then migrate them to documents at a certain point in their lifecycle (e.g., major draft versions, final published version).
• Some documents will remain documents throughout their lifecycle, but how they get created and shared will change – even when we’re doing good old-fashioned document management from cradle to grave on a document, we’ll begin creating and sharing that document in new ways.

What I want to discuss here are some of the compliance implications of these shifts, because while there’s a tremendous amount of excitement about social media and collaboration tools for the enterprise, there’s not a whole lot of talk about how to remain compliant while using them.

1. Just because it’s not on your retention schedule, doesn’t mean you don’t have to manage it

At many organizations, records management (RM) hasn’t yet caught up to the new reality of content types enabled by social media and collaboration tools. Wikis, blogs, discussion threads, tags–many RM offices haven’t yet determined how to fit these new types of content into their existing retention schedules. Or, based on advice from legal, RM has decided to keep these channels off the retention schedule to discourage folks from transacting corporate business on them.

However, at these organizations, there’s likely a strong disconnect between what’s on the retention schedule and what folks are actually doing (or between legal’s prohibition of social media and collaboration tools for business activities and how employees in the trenches actually work). If this is the case, simply living up to the letter of the law–in this case, an out-of-step retention schedule or corporate policy–won’t cut it. The gaps between policy and practice pose significant risk to social media and collaboration end-users and the organization as a whole.

2. Just because it’s on your retention schedule, doesn’t mean you’re “covered” from a compliance perspective

So maybe you think you’re out of the woods because you happen to be at one of those organizations that are ahead of the curve and have incorporated social media and collaboration content types into their retention schedule–think again. Having a retention schedule is very different from enforcing that schedule. Even if RM says that wikis should be retained for X years, doesn’t mean that anyone (in RM, IT, or anywhere else) is actually following that schedule. And the problem usually isn’t retention, but disposition: all things being equal, electronic content is typically kept forever at an organization. So despite being listed on the retention schedule, content generated by social media and collaboration tools still often poses serious risk to the organization through over-retention.

3. As far as compliance is concerned, you should approach social media and collaboration content like you already approach other kinds of content

You may be saying to yourself, “everything he’s saying seems to be the case for any kind of content, not just content associated with social media and collaboration.” You’re right, and that’s one of the main things I try to hammer home at clients, speaking events, in the check-out line at the grocery store–anywhere people will listen to the ravings of an impassioned ECM practitioner: content is content, whether it lives on a shared drive, in a fully featured ECM document management system, or in a social media tool like Jive–you still need to consider the compliance implications of that content. Judges, regulators, auditors, and the like will not give certain content a pass because it was created in a collaboration tool. Your best bet is to stop associating content with the repository or tool that it lives in (or that created it) and start considering how it’s used as part of business processes…this is a far better indicator of how you need to handle it from a compliance perspective.

The final word

In the end, the compliance impact of managing documents using social media and collaboration tools comes down to:

1. Making sure RM and legal are not only on the same page about the content created by social media and collaboration tools, but in touch with the reality of how folks work
2. Evaluating the content created by social media and collaboration tools just like you do any other corporate content…and then handling it accordingly.

It can’t be given a pass simply because it’s a new trend that’s difficult for RM and legal folks (or for that matter many folks over 30!) to understand.

Although we didn’t go into the nitty-gritty details here (like the impact of specific regulations on social media), hopefully this provided some food for thought to take back to your organizations to get the conversation started.