Record-Keeping 101

In a recent blog, I mentioned how important it is to keep detailed and accurate business records. We lawyers will harp on the importance of having records of certain things as evidence in case someone sues your ass. For myself, a compulsive organizer, I figured I’m pretty much on top of keeping what I need to keep… until I met Lisa Ricciuti. Lisa is a fellow entrepreneur who helps businesses to develop effective information management systems. She sports a couple of Master’s degrees in Library & Information Studies, and Archival Studies, plays bassoon like a champ, and has a penchant for craft beer. What follows is a guest blog, penned by her, which will help you to understand why good record-keeping is important, and some tips on how to get yourself started.

Over to you, Lisa!

Record-keeping 101: A Few Basics

With so many things going on as a small business owner it’s easy to let the paperwork pile up.  “I’ll get to it later,” we say, shoving papers into a folder marked “Misc.” or saving documents into a desktop folder named “Important Sh*t.”  Most of the time this “filing system” remains undisturbed until disaster strikes in the form of a lawsuit, deadline, computer crash, virus, or security breach.  Suddenly it’s really important to know what you have, where it’s stored, and how you can access it.

There are laws and regulations setting out minimum recordkeeping requirements – what must be kept, how it must be maintained (e.g. where the data is stored), and for how long. For example, accounting, corporate, and employee records all have different rules. Laws apply to businesses that collect & use personal information of customers, suppliers, and contractors. Limitation periods for lawsuits apply to your business, which will also influence what you keep and for how long you keep it.

A number of options exist, almost all of which can be customized to meet the needs of your business.  For many small business owners, the cost and effort involved to set up a sophisticated recordkeeping system isn’t warranted, but that doesn’t mean that your choices are limited to “save everything” or “do nothing.” Although “doing nothing” may seem tempting at times, it leaves your business open to unnecessary information risks, most of which could be easily avoided by documenting (and implementing) processes & procedures related to your routine business.

The “let’s save everything, just in case!” policy

This type of policy has the potential to be damaging and costly.  On the surface it may seem like an easy and quick way to do what the law requires and your business needs;  however, it is no substitute for managing business records based on sound policies and defined procedures.

First of all, the “Save Everything” policy can never be enforced unless you plan on disabling the delete key.  Unless you’re prepared to do that, you won’t be able to comply with your own policy, let alone enforce it with your staff.

Secondly, saving everything comes with a number of hidden costs that are often not considered, including the price of digital storage.  While the price of digital storage has dropped significantly in the last decade making it seem like an attractive option, there are costs that go along with maintaining and managing it.  The more you keep, the more time and money you’ll spend to back up, restore, and manage the volume you’ve accumulated.  It also makes searching for data more difficult, costing you valuable time.  Additionally, some records must be kept where the business operates, which may limit or prevent off-site or cloud storage.

Thirdly, saving everything makes it really easy to lose track of what’s there.  Just imagine what you would care about in the following scenarios:

  • Hacking or security breach
  • Virus
  • Disaster (physical or digital)
  • Lost/Stolen/Damaged hardware (thumbdrive, laptop, smartphone, tablet, etc.)

If you save everything, how could you know what was compromised?  If you had to do a restore, would you want to restore everything, or just the things that have value for you or your business?

Tips

If you are starting a new business, it may take some time to figure out which types of documents you are creating and how they need to be managed.  Even for established businesses, the influence of mobile work options and new technologies requires many organizations to re-think the best ways to manage documents and information.  Following the tips below will give you a starting point for thinking about your recordkeeping. Even if you decide to call in an information professional, implementing some of these best practices will make it easier (and cheaper) for them to help you.

  • Identify which business records must be made and kept because you need them to operate or they are required by law.  
  • Determine how long each category of business records must be kept in addition to any other recordkeeping requirements such as those related to handling personal information or maintaining data where the business is operated. This is often based on a combination of business need and legal requirements.
  • Save strategically. Set rules about when and how you will dispose of records that are no longer useful, even those that only exist electronically.
  • Understand where/how your business is creating records. This includes, but is not limited to: email, social media channels (e.g. Tweets, Facebook/LinkedIn posts, YouTube channels, blogs, etc.) and all paper/electronic documents.
  • Identify core business records, organize them, and know where they are stored. For example, documents related to incorporating or registering, contracts, agreements, financial statements & other financial records, professional opinions (e.g. legal/financial), meeting minutes and infrastructure.
  • Develop policies related to records & information management. Enforce them.
  • Standardize naming conventions for documents, folders, and tags (labels). This means everybody names everything the same way.  Communicate this to your staff, or if you work alone, write it down for reference.  Even having everybody record the date the same way can make a big difference.  For example: Vendor – Document Type – Date (MMM/YY) = OfficeMax – Receipt – Mar15. 
  • Define & document core processes & procedures. Records are often created to record a transaction point in a given process.  When processes are streamlined and defined, it makes it easier to identify when a record must be captured to validate/verify the work performed.
  • Devise rules for handling drafts and versioning. Some questions to consider: Will you keep all the drafts and the final version, or just the final version?  How will you track versions as a document moves to completion or in collaborative projects?
  • Designate time to deal with the paperwork, even if it’s in an electronic format. This can be a great Friday afternoon project.

Additional resources:

ARMA (Association of Records Managers and Administrators) International

AIIM (Association for Information and Image Management)

Or try searching in your area for an Information Management Professional!

Lisa Ricciuti
Smart Info Management Services
The Deletist Blog
@thedeletistblog
lisa@smartinfomanagement.com

New Anti-Spam Law and your Small Business

For almost every small business, Canada’s new anti-spam law will be a game changer. Unfortunately the changed game will be tedious and more expensive for most of you. It started out as a law to stop people and companies from spamming Canadians with unwanted messages. The way the law turned out, however, is using a hand grenade to get a squirrel out of your bird feeder. It will have a huge impact on the way your company can do its business online.

The law covers almost any electronic messages you send for business purposes – including email, text messages, and direct messages on social media, but not phone or fax. The basic premise of the law is that businesses must get the recipient’s consent before sending business messages to them. Simple enough, right?

The rest of the law is a rats-nest of exceptions, conditions, and legal grey areas. This blog will map out said rats-nest, without taking too much of the magic out of what I do. Practically speaking, your two main concerns are getting consent to send messages to the recipient, and having the right content in the message itself. That’s what this blog will focus on.

The penalties for businesses that ignore or break this law can reach up to $10,000,000, so it’s kind of a big deal. It’s also an offence to aid someone in breaking this law – so social media marketers, IT, and CRM dudes, beware!

The law will come into effect in three phases:

  • Most parts of the law will be in force on July 1, 2014
  • Parts dealing with the unsolicited installation of computer programs – January 15, 2015
  • Right for individuals to sue for damages caused by spammers – July 1, 2017

In this blog, I’m only going to talk about the parts of the law that come into force this year.

1. Consent

The recipient must actively and voluntarily give consent to you sending them business messages. This consent can be express or implied – which I’ll tackle below. You don’t need consent:

  • from friends and family
  • from employees, representatives, consultants or franchisees of your organization
  • from foreign recipients – though your message must comply with that jurisdiction’s anti-spam laws
  • if you’re
    • answering an inquiry, request, or complaint
    • giving notice of a legal right or obligation
    • giving them factual information about an ongoing relationship like a subscription, membership, or loan
    • providing information about an employment relationship or benefit plan that they’re in
    • delivering updates or upgrades
    • a charity or political party
  • if the message is solely an inquiry about the products or services the recipient provides

Express Consent

This is when the recipient takes a positive action to approve of you sending them business messages. Once given, express consent remains valid until withdrawn. More on withdrawal below. The guts of express consent are:

  • The message or form asking for consent must:
    • explain why you’re asking for consent
    • give the name of the organization or person seeking consent (or identify who you’re getting consent for, if it’s not you)
    • give valid contact information – including at least one non-electronic means
    • let them know they can unsubscribe at any time
  • If consent was expressly given before this new law, you don’t have to go back and re-confirm
  • The recipient must “opt in” (as in, checking a box), rather than opt out (unchecking a box), or the consent isn’t valid
  • Keep a record of who consented, when, and how – as it’s up to you to show that you got it, not the other way around

Implied Consent

This is a little trickier, as most types of implied consent have an expiry date. Express consent is more practical for you to get, because it doesn’t expire, and is easier for you to keep track of. That said, if your contacts aren’t big on clicking through links in email, implied consent may still cover you. Implied consent can be found:

  • in an existing business relationship, meaning that you and the recipient have
    • in the past two years,
      • bought, sold, or leased goods, services or land from each other
      • were bound by a written contract with each other
      • bartered goods, services or land with each other, or
    • in the past six months, made an inquiry about doing any of the above
  • an existing non-business relationship
  • if the recipient has published or disclosed their email address, they have not stated that they don’t wish to receive unsolicited messages, and the message is relevant to their business or role

2. Content

So once you’ve got consent from all of your adoring fans, and you’re dutifully keeping accurate records of who has consented, your work is still not done. From July 1, 2014 onwards, every business message you send must have certain content, except messages

  • to recipients you have a personal or family relationship with, or
  • which are an inquiry about the business products or services the recipient provides

All of your business messages must contain information that:

  • identifies the sender, or on whose behalf it’s sent
  • sets out contact information for the sender, including at least one non-electronic means
  • has a way to unsubscribe or withdraw consent

The unsubscribe mechanism must:

  • operate at no cost to the recipient
  • allow the recipient to unsubscribe by the same means the message was sent, or give another electronic means to unsubscribe
  • give a link to a webpage that allows them to unsubscribe

Once they unsubscribe, you’ve got 10 business days to take their name off the list, or else.

3. Conclusion

Like I said, game changer… though how it changes the game will differ from business to business. There are a few best practices that I’d recommend you start implementing now:

  • Vet your contact lists now to determine who you will need consent from
  • Before July 1, 2014, send a message to your existing mailing lists asking them to opt in, and create a new mailing list of those who do
  • After July 1, 2014, you’ll have to get consent the old fashioned way – by mail, phone, or other non-electronic means
  • Keep records of information showing consent
  • Put together a new email signature that meets the content requirements
  • Build an “unsubscribe” link into your website, and make sure the unsubscribe mechanism works

Most IT service providers should be CASL-compliant by now, and companies like my friends at Response Magic have developed simple and thorough systems to help you colour within the lines. Of course, every business and every situation is different, and applying a general rule is no substitution for consultation with an intrepid lawyer. You know where to reach me if you’ve got questions.

There. I just saved you $10,000,000. You can thank me later.

Mike Hook
Intrepid Lawyer
http://intrepidlaw.ca
@MikeHookLaw