William Saffady is an independent records management and information governance consultant and researcher. He is the author of over three-dozen books and many articles on records management, record retention, document storage and retrieval technologies, and other information management topics. 

His latest book is Information Compliance: Fundamental Concepts and Best Practices, to be published by Rowman & Littlefield in June 2023. My interview with him about this title is below.

1. Will you briefly summarize Information Compliance: Fundamental Concepts and Best Practices?

The book surveys and explains legal and non-legal compliance requirements for creation, collection, storage, retention, retrieval, disclosure, protection, and ownership of information. While compliance in general is discussed in thousands of books, journal articles, conference papers, web sites, and other sources, few publications consider compliance requirements that are specific to information, and those that do are generally limited to legal and regulatory mandates. This book takes a broader approach that recognizes the complexity of information compliance. It discusses compliance requirements that are specified in laws, regulations, contracts, standards, industry norms, and an organization’s code of conduct and other internal policies. It also considers compliance with social and environmental concerns that are impacted by an organization’s information-related policies and practices. 

2. Why did you decide to write this book?

When I first started in records management in the early 1970s, professional practice emphasized the destruction of obsolete information to reduce the amount of valuable office space occupied by inactive records. That is what brought records management to prominence as a professional discipline in the 1950s. The transition to electronic recordkeeping has pretty much put an end to that line of thinking. There is much less concern now about record retention as a space-saving methodology. Over the last several decades, the focus has shifted to ensuring that information is retained for the time required to satisfy legal mandates. I see this trend every day in my consulting practice. Legal and regulatory requirements for retention and disposal of information are the most widely discussed compliance concerns, but they are not the only ones. An organization may be contractually obligated to keep or destroy information in specific situations. Standards and norms provide compliance guidance for information maintained by certain industries and professions. In many organizations, codes of conduct mandate compliance with internal policies for retention and disposal of information.  And finally, an organization’s internal policies may be guided by societal compliance requirements. This is in keeping with the so-called ESG movement, which calls for organizations to incorporate environmental, social, and governance considerations into their business initiatives.

3. How do information risk management and information compliance relate?

Compliance is one the components of the so-called GRC framework, which integrates three widely discussed elements of organizational strategy, the other two being governance and risk. The compliance and risk management functions have closely aligned responsibilities. Compliance is concerned with an organization’s adherence to legal and non-legal mandates. Risk is concerned with the adverse consequences of noncompliance. Compliance violations expose an organization to the risk of fines, penalties, and other disciplinary actions that are costly and disrupt specific business operations. Noncompliance with legal and regulatory mandates can also lead to increased scrutiny by government authorities and, in extreme cases, criminal prosecution.

Additionally, this book is intended as a companion to my book entitled “Managing Information Risks: Threats, Vulnerabilities, and Responses,” which was published by Rowman and Littlefield in 2020.

4. Who is the intended audience?

The book is for compliance officers, information governance specialists, risk managers, attorneys, records managers, information technology managers, and other decision-makers and analysts who need to understand and comply with legal and non-legal requirements that apply to an organization’s information assets.  It can also be used as a textbook by colleges and universities that offer courses in compliance, risk management, information governance, records management, or related topics at the graduate or advanced undergraduate level. In particular, the book may be useful for a curriculum that combines compliance with information governance, information risk, records management, information science, health informatics, and other information-related subjects.

5. What do you hope readers take away? 

Compliance is a multi-faceted concept that affects every aspect of information processing and management: creation and collection of information, retention and disposition of information, storage and preservation of information, access to and disclosure of information, security and protection of information, and ownership of information. 

6. What changes to information compliance do you see in the future?

Changing regulations bring new compliance requirements. There is growing interest in environmental and social considerations that impact information-related operations and activities. For the most part, these considerations relate to ethical and sustainability issues.