The best way to ensure compliance with any policy is to enact consequences for noncompliance and then communicate it to everyone else. (Hopefully, people noticed the recent report that Kaiser Permanente terminated 15 employees for violating the company’s privacy policy. That is a “best” practice.)

Records policies are the most critical policies a company has. The legal and financial risks for lapses dwarf any other policy that could possibly exist.

Putting privacy and records management policies at (or above) the level of harassment, discrimination and ethics policy is long overdue.  Until there are real consequences for violating a policy it is going to be difficult to get employees to comply.  So the corporation will pay the legal, operational and financial price for being lax.  It’s completely unnecessary and easy to fix.