A Modern Governance Strategy for Data DisposalBy Lorrie Luellig
A Modern Governance Strategy for Data Disposal
By Lorrie Luellig
Today’s CIOs face a host of complex challenges. Their departments must continually find more efficient ways to store, process and analyze massive (and growing) volumes of incoming data. They need to support globally distributed enterprises, including internal staff, external partners, customers, facilities and other assets around the world. More data in more places also means more risk, as legal, regulatory and privacy obligations increasingly apply to all types of electronic information, including email messages, texts, tweets, phone call records, customer data, blog posts . . . the list goes on.
What used to be solely the domain of records management and legal departments is now yet another responsibility for IT, as information experts are asked to identify and protect data that has business, legal or regulatory value, while facilitating the defensible disposal (i.e., deletion) of everything else. This is a critical task—the elimination of “data debris” can have a dramatic impact on compliance, corporate risk and the bottom line.
Most Corporate Data Unnecessarily Ties Up IT Resources
At the 2012 Compliance, Governance and Oversight Counsel (CGOC) Summit, a survey of corporate CIOs and general counsels found that, typically, 1 percent of corporate information is on litigation hold, 5 percent is in a records-retention category and 25 percent has current business value. This means that approximately 69 percent of the data most organizations keep can—and should—be deleted.
Less IT budget spent on unnecessary storage, servers and backup means that more resources can go to strategic investments. Less information to manage means that legal and regulatory responses can be handled more efficiently and with fewer errors. And less waste overall allows corporations to return more profit to shareholders.
Unfortunately, confusion often exists about what data needs to be kept. More than 100,000 international laws and regulations are potentially relevant to Forbes Global 1000 companies—ranging from financial disclosure requirements to standards for data retention and privacy. Additionally, many of these regulations are evolving and often vary or even contradict one another across borders and jurisdictions.
To achieve defensible disposal, stakeholders from IT—who are stewards of the data—must collaborate more closely and transparently with records and information management (RIM), legal and business units to build an information retention and disposition strategy that makes sense in today’s global, complex and digitally driven enterprise.
The Role of a Retention Schedule in Enabling Defensible Disposal
A retention schedule provides a framework for RIM and legal departments to organize corporate records and information, and detail the length of time that such records must be retained for compliance and business needs. It’s an important tool, but a dated one. It was devised in an era where paper records were the norm and IT departments didn’t need to concern themselves with legal holds or retention policies, for example. The legal and regulatory landscape has since changed dramatically. Today, the vast majority of information that needs to be either preserved, retained or deleted is under the direct responsibility of IT.
Here’s the problem: IT often lacks the legal and regulatory insight to link compliance obligations to the thousands of applications, databases and other repositories it manages. Legal and RIM professionals possess the knowledge to set retention and disposal policies, but don’t have a holistic view of the IT infrastructure needed to identify where relevant data is, nor the ability to dispose of electronic information that’s no longer of value.
Clearly, a more modern, broadly useful and executable retention schedule approach is necessary—one that recognizes the shared responsibility for information management and defensible disposal among legal, RIM and IT departments. In such an environment, all stakeholders would have insight into the flow of information throughout the enterprise and be armed with the right policies, processes and tools to protect what’s important for business, legal and regulatory purposes. Only then can valueless data be disposed of at the right time.
Making It Work in the Real World
A modern and executable retention schedule supports the goal of defensible disposal and guides the roles of business, legal, RIM and IT stakeholders in the process. The key elements that must be incorporated for a retention schedule to work in a real world enterprise are:
A Modern Governance Strategy for Data Disposal
1. Manage all information, not just “records.” The retention schedule must apply to all the data in an organization’s possession, not just information officially classified as “records.” Consider anything and everything—including both structured and unstructured data sources—as either having legal, regulatory or business value or as debris, whether it’s a human resource record, patent filing, financial statement, email message or tweet.
2. Connect legal, privacy and regulatory retention obligations directly to relevant information. The retention schedule must clearly define how legal, privacy and regulatory obligations apply to all types of information and business users, including what is covered, who is obliged to comply, and how retention obligations, privacy directives and disposal mandates are triggered. Technology solutions may be deployed to help organizations automate the connection of information to retention and disposal requirements.
3. Retention periods must take into account the business value of information in addition to legal and compliance value. This value should be explicitly defined by business stakeholders and made transparent to legal, RIM and IT. Again, technology solutions can help by allowing users to associate information types, such as purchase orders or employee agreements, with specific data sources, such as enterprise cost management and human resources systems, or applications such as Microsoft SharePoint, and to include details on why and for how long the information is and will be of business value.
4. Identify where information is located. Information inventories are a must, describing where data is stored, what record classes apply, who was or is responsible for the content and who manages it. With the help of a reliable “data map,” data stewards can more easily identify information and understand the value and obligations related to that information according to lines of business, departments, and so on.
5. Ensure that retention and disposal obligations are communicated and publicized in a language that stakeholders can understand. This involves two key elements: defining what is required of data users when creating and identifying information, and defining the responsibilities of data stewards related to the disposition of information. For example, IT won’t be able to make sense of a disposition directive that states, “Comply with record class HUM100.” Translated more clearly, this directive might state, “Job applications created by HR users and stored in the HR shared drive must be permanently deleted 10 years after the termination of the employee.” Clarity invites compliance.
6. Allow for flexibility to adapt to local laws, obligations and limitations. The retention schedule must be flexible enough to incorporate “local” insight into the policies and procedures driving retention and disposal. To assist with this, technology solutions can be used to catalog all the specific laws and regulations in applicable regions so that various jurisdictional exceptions and changes can be communicated to relevant stakeholders.
7. Include a mechanism that allows legal and IT to collaborate in executing and terminating legal holds. No retention schedule can achieve the goal of defensible disposal without clear communication between legal and IT stakeholders regarding what specific information is on legal hold, and when holds can be released. Legal departments should be able to easily collaborate with IT to identify relevant corporate data and both set in motion and terminate legal holds.
8. Identify and eliminate duplicate information. Confusion about what exactly needs to be retained and for how long can encourage a tendency to “save everything,” which is a bad information management habit, especially as some privacy laws—the Health Insurance Portability and Accountability Act in the United States and the Data Protection Directive in the European Union, for example—actually require the deletion of certain types of information after a period of time. With a clear and transparent retention schedule, there’s no need to keep duplicate information “just in case.”
9. Update in real time to account for changes in laws, to the business and in technology. With global regulatory, legal and privacy requirements constantly evolving, it’s vitally important to stay ahead of changes and incorporate new requirements into the retention schedule. Technology can assist with alerts and automation that communicates to systems and data stewards when adjustments are needed.
Shepherding Information Through Its Useful Life Cycle
CIOs have an important role to play in efficiently and cost-effectively shepherding the flow of corporate information through its useful life cycle while finding a way to “release the pressure valve” when the legal, regulatory or business value of information has come to an end. A modernized retention schedule that drives defensible disposal will help IT work with legal, RIM and business stakeholders to improve compliance, enhance operational agility, save money and reduce risk.
About the Author
Lorrie Luellig is of counsel, Ryley Carlock & Applewhite, PC, Information Governance, and faculty member of the Compliance, Governance and Oversight Council (CGOC). She currently leads the Electronic Discovery Reference Model/Information Governance Reference Model Corporations subgroup and the CGOC Records and Information Management working group.