How to approach data deletion in your records management policy
Many companies are coming to the realization that they have a data problem. Too much data is causing numerous unforeseen problems, both technical and business related. For the most part, technical problems can be overcome by throwing money at them. Not so when it comes to lost worker productivity, bad press from data leakage events, or seven figure legal review bills resulting from eDiscovery over-collections. So when do you know you have a problem? When your staff tells you they can’t meet an overnight backup window or you begin thinking you can make this problem go away by pushing your company data to the cloud. Move your company’s trade secrets and intellectual property, the very assets that give your company a competitive advantage and entrust them to someone else? Not a good idea.
So how are companies addressing their data problem? They are doing so by making Defensible Deletion part of their Information Governance strategy. Defensible Deletion is the practice of purging data according to your Records Management Policy; data that falls outside of regulatory retention requirements, Legal Hold obligations and no longer has business value. Sounds easy, but it is not.
Yes, every company has a Records Retention Schedule, but with the shift away from paper those schedules are rendered useless. In the old days, we had annual paper shredding days. Millennials may be more familiar with cleaning-out your locker on the last day of school. Same concept, throw out the old unwanted stuff to make room for the new stuff. But when it comes to electronic data we have grown accustom to saving everything forever. Furthermore it is extremely difficult to delete stale data or data without current business value when you do not know what lies behind the digital ones and zeroes.
So how do companies go about cleaning up the mess? Successful companies have tossed aside paper-based record retention schedules and gone with fewer more enforceable categories. The naysayers, you know the librarian types, balk at not following the record retention schedule. Ask yourself, are doing any better? Fewer categories does not equate to being out of compliance. It just means that instead of keeping some items for one year and others for two years, that we are going to keep all items for two years. It sounds simple and it is. The key to success is making a decision and then giving IT direction and authority to act on that decision. IT’s inability to address the mess does not stem from lack of technology solutions, it is just that everyone has been to scared to push the delete button. Now we are being forced to.
Do
- form a Data Governance Committee
- simplify your records retention schedule
- delete defensibly
- hire a professional to assist your efforts
Don't
- ignore the problem
- turn this project into a Records Management initiative
- hire a law firm
- let IT go at it alone
- be scared to delete data
Do form a Data Governance Committee
A Data Governance Committee needs to have the authority to create an electronic information retention policy. Employees want to keep data around just in case. They believe it is their data. But it is not. Instituting a deletion policy needs to be handed down from senior management in order to stave off cultural uprising.
Do simplify your records retention schedule
Companies need to collapse their record retention schedules down from thousands of record types to a more manageable subset. Successful companies have chosen 50 or fewer record classifications. For example, setting a retention period for a particular department, business unit or record class.
Do delete defensibly
The last thing you want to do is delete needed content. Institute an enforceable policy and develop a review process for targeted data. Consider data classification as a method for tagging data and using technology to purge data based on meta-data instructions.
Do hire a professional to assist your efforts
Company employees have full-time positions. Most companies would benefit by hiring a consulting firm that has done this before. Consulting firms with experience will have invested hundreds of hours building-out collateral and delivering successful programs. They will be able to share with your firm industry best practices and lessons learned from previous engagements. Lastly, a consulting firm will help build internal consensus, eliminate professional conflicts and bring about a swift conclusion to the project.
Do not ignore the problem
Your data problem is not going to go away. It is only going to get worse. You need to start somewhere. Consider taking a risk adjusted approach. Start with storage locations with the lowest risk data or if you find yourself in a different predicament, the highest risk data. Test your policies and run simulations before actually deleting data.
Do not turn this project into a Records Management initiative
A common mistake is for companies to task records managers with solving the problem. Record managers’ autoresponse will be to eliminate file shares and place all data in a content management solution or worse, a collaboration solution. First, it is impractical, and second, this not a records management problem. It is a data explosion problem. Seventy five percent of your content is referential data, not official corporate records. Therefore, manage the data in-place.
Do not hire a law firm
Your company’s data problem is complex. It involves policy but it also involves technology. Domain expertise is required across several IT specialties including storage, back-up, archive, security and eDiscovery to name a few. Most law firms lack the necessary domain expertise. If contacted, law firms will likely advise you to update your record retention schedule or perform an assessment. Both deliverables will be in-actionable.
Do not let IT go at it alone
Get leadership to sponsor this initiative. Archiving, backing-up, or heaven forbid deleting on your own is only going to make the problem worse. Your job is to vet technology that can accommodate the deletion policy.
Do not be scared to delete data
You haven’t needed the data in the last ten years. Heck you don’t even know what the data is so how could you benefit from it. You can’t, so get rid of it. One of the most practical pieces of advice I heard was from an estate planner. They said, “Get your affairs in order, for example clean out the house and leave a paper trail of what you have and where you want it to go. That will be the best gift that you can leave behind.” This is 100 percent true.
Summary
The time to address your company’s data problem is now. Prepare, plan and act. The problem won’t go away – it will only get worse. By then it could be too late.
