
A Modern Governance Strategy for Data Disposal

Dec 5, 2012

By Lorrie Luellig

Today’s CIOs face a host of complex challenges. Their departments must continually find more efficient ways to store, process and analyze massive (and growing) volumes of incoming data. They need to support globally distributed enterprises, including internal staff, external partners, customers, facilities and other assets around the world. More data in more places also means more risk, as legal, regulatory and privacy obligations increasingly apply to all types of electronic information, including email messages, texts, tweets, phone call records, customer data, blog posts . . . the list goes on.

What used to be solely the domain of records management and legal departments is now yet another responsibility for IT, as information experts are asked to identify and protect data that has business, legal or regulatory value, while facilitating the defensible disposal (i.e., deletion) of everything else. This is a critical task—the elimination of “data debris” can have a dramatic impact on compliance, corporate risk and the bottom line.

Most Corporate Data Unnecessarily Ties Up IT Resources 

At the 2012 Compliance, Governance and Oversight Counsel (CGOC) Summit, a survey of corporate CIOs and general counsels found that, typically, 1 percent of corporate information is on litigation hold, 5 percent is in a records-retention category and 25 percent has current business value. This means that approximately 69 percent of the data most organizations keep can—and should—be deleted.

Less IT budget spent on unnecessary storage, servers and backup means that more resources can go to strategic investments. Less information to manage means that legal and regulatory responses can be handled more efficiently and with fewer errors. And less waste overall allows corporations to return more profit to shareholders.

Unfortunately, confusion often exists about what data needs to be kept. More than 100,000 international laws and regulations are potentially relevant to Forbes Global 1000 companies—ranging from financial disclosure requirements to standards for data retention and privacy. Additionally, many of these regulations are evolving and often vary or even contradict one another across borders and jurisdictions.

To achieve defensible disposal, stakeholders from IT—who are stewards of the data—must collaborate more closely and transparently with records and information management (RIM), legal and business units to build an information retention and disposition strategy that makes sense in today’s global, complex and digitally driven enterprise.

The Role of a Retention Schedule in Enabling Defensible Disposal

A retention schedule provides a framework for RIM and legal departments to organize corporate records and information, and to detail the length of time that such records must be retained for compliance and business needs. It’s an important tool, but a dated one. It was devised in an era when paper records were the norm and IT departments didn’t need to concern themselves with, for example, legal holds or retention policies. The legal and regulatory landscape has since changed dramatically. Today, the vast majority of information that needs to be preserved, retained or deleted is under the direct responsibility of IT.

Here’s the problem: IT often lacks the legal and regulatory insight to link compliance obligations to the thousands of applications, databases and other repositories it manages. Legal and RIM professionals possess the knowledge to set retention and disposal policies, but don’t have a holistic view of the IT infrastructure needed to identify where relevant data is, nor the ability to dispose of electronic information that’s no longer of value.

Clearly, a more modern, broadly useful and executable retention schedule approach is necessary—one that recognizes the shared responsibility for information management and defensible disposal among legal, RIM and IT departments. In such an environment, all stakeholders would have insight into the flow of information throughout the enterprise and be armed with the right policies, processes and tools to protect what’s important for business, legal and regulatory purposes. Only then can valueless data be disposed of at the right time.

Making It Work in the Real World

A modern and executable retention schedule supports the goal of defensible disposal and guides the roles of business, legal, RIM and IT stakeholders in the process. The key elements that must be incorporated for a retention schedule to work in a real-world enterprise are:
