By: Nate Latessa, VP of Corporate Services
The feeling of “I might need this later” leads some people to retain all their data forever. Storage is relatively cheap, so there’s little personal incentive to get rid of anything. The thought that they might be able to save a little time by re-using a document sometime in the future or that they might need to reference an old email drives people to hoard data. The intent is not malicious, but the consequences can have a massive negative impact on their business. What they’re really doing is creating an eDiscovery, compliance and cybersecurity nightmare – all rolled up in one. eDiscovery is more expensive and time consuming; potential compliance violations and sanctions from holding onto data beyond it’s intended use; and more data makes it harder for security professionals to protect the data that matters most.
Identify the real problem
One of the first questions I ask a corporate prospect is “do you have a document retention policy?”. I can’t tell you the last time someone said “no”. I always follow that up with “how do you enforce it?”. Most of the time this question gets a laugh or a concerned look followed by an explanation of why they don’t enforce it completely or at all.
I think we can all agree that it’s important to have a document retention policy, but how important is it to have a document retention policy that’s not enforced or audited? I don’t think anyone will argue that it’s not important, but it must be part of a complete solution from creation to deletion. Creating an effective plan starts with understanding what data you have, where it’s located, who has access to it, who owns the data and how does data move throughout the organization. Once you understand and document those things, you’ll be able to create a much more effective document retention plan.
Don’t stop now!
Now that you have your document retention plan created, it’s time to wrap processes, services and technology around it in order to manage and enforce your plan. This can be a massive, corporate-wide undertaking and if you try to tackle every data source and every department at once, your project will fail miserably. These things tend to get off track when people realize the size and scope of the data they need to manage and get too overwhelmed.
The best thing you can do is start small. Pick one location, department, team or even data source in those groups and implement the technology and processes to manage data from creation to deletion. Look for quick wins that build up to larger victories. You’ll learn a lot along the way and may have to change tools and tactics as you move through the process.
Effectively managing and deleting data with no business, legal or regulatory value will reduce eDiscovery costs, limit exposure to privacy and non-compliance events and reduce your cybersecurity attack surface.