A Modern Governance Strategy for Data Disposal
Today’s CIOs can collaborate with legal and records management professionals to slash IT costs, improve regulatory compliance and reduce risk.
1. Manage all information, not just “records.” The retention schedule must apply to all the data in an organization’s possession, not just information officially classified as “records.” Consider anything and everything—including both structured and unstructured data sources—as either having legal, regulatory or business value or as debris, whether it’s a human resource record, patent filing, financial statement, email message or tweet.
2. Connect legal, privacy and regulatory retention obligations directly to relevant information. The retention schedule must clearly define how legal, privacy and regulatory obligations apply to all types of information and business users, including what is covered, who is obliged to comply, and how retention obligations, privacy directives and disposal mandates are triggered. Technology solutions may be deployed to help organizations automate the connection of information to retention and disposal requirements.
3. Retention periods must take into account the business value of information in addition to legal and compliance value. This value should be explicitly defined by business stakeholders and made transparent to legal, RIM and IT. Again, technology solutions can help by allowing users to associate information types, such as purchase orders or employee agreements, with specific data sources, such as enterprise cost management and human resources systems, or applications such as Microsoft SharePoint, and to include details on why and for how long the information is and will be of business value.
4. Identify where information is located. Information inventories are a must, describing where data is stored, what record classes apply, who was or is responsible for the content and who manages it. With the help of a reliable “data map,” data stewards can more easily identify information and understand the value and obligations related to that information according to lines of business, departments, and so on.
5. Ensure that retention and disposal obligations are communicated and publicized in a language that stakeholders can understand. This involves two key elements: defining what is required of data users when creating and identifying information, and defining the responsibilities of data stewards related to the disposition of information. For example, IT won’t be able to make sense of a disposition directive that states, “Comply with record class HUM100.” Translated more clearly, this directive might state, “Job applications created by HR users and stored in the HR shared drive must be permanently deleted 10 years after the termination of the employee.” Clarity invites compliance.
6. Allow for flexibility to adapt to local laws, obligations and limitations. The retention schedule must be flexible enough to incorporate “local” insight into the policies and procedures driving retention and disposal. To assist with this, technology solutions can be used to catalog all the specific laws and regulations in applicable regions so that various jurisdictional exceptions and changes can be communicated to relevant stakeholders.
7. Include a mechanism that allows legal and IT to collaborate in executing and terminating legal holds. No retention schedule can achieve the goal of defensible disposal without clear communication between legal and IT stakeholders regarding what specific information is on legal hold, and when holds can be released. Legal departments should be able to easily collaborate with IT to identify relevant corporate data and both set in motion and terminate legal holds.
8. Identify and eliminate duplicate information. Confusion about what exactly needs to be retained and for how long can encourage a tendency to “save everything,” which is a bad information management habit, especially as some privacy laws—the Health Insurance Portability and Accountability Act in the United States and the Data Protection Directive in the European Union, for example—actually require the deletion of certain types of information after a period of time. With a clear and transparent retention schedule, there’s no need to keep duplicate information “just in case.”
9. Update in real time to account for changes in laws, to the business and in technology. With global regulatory, legal and privacy requirements constantly evolving, it’s vitally important to stay ahead of changes and incorporate new requirements into the retention schedule. Technology can assist with alerts and automation that communicates to systems and data stewards when adjustments are needed.
Shepherding Information Through Its Useful Life Cycle
CIOs have an important role to play in efficiently and cost-effectively shepherding the flow of corporate information through its useful life cycle while finding a way to “release the pressure valve” when the legal, regulatory or business value of information has come to an end. A modernized retention schedule that drives defensible disposal will help IT work with legal, RIM and business stakeholders to improve compliance, enhance operational agility, save money and reduce risk.
About the Author
Lorrie Luellig is of counsel, Ryley Carlock & Applewhite, PC, Information Governance, and faculty member of the Compliance, Governance and Oversight Council (CGOC). She currently leads the Electronic Discovery Reference Model/Information Governance Reference Model Corporations subgroup and the CGOC Records and Information Management working group.