Although more companies are managing electronically stored information (ESI), some are more focused on what to do with information as it is created and stored—and, as a result, neglect to pay attention to older data. In fact, about 95% of the companies I work with struggle with data deletion and destruction. This can be just as critical, if not as critical, to attaining full compliance with governing regulations.
Properly storing information as it is created is one thing, but what happens to older information? The old school of thought was to retain everything, but doing that can put your company at risk, too. Don’t retain enough and you can be at fault as well.
This is why records management solutions offer help to organize fresh data—and what to do with outdated information as well. In creating data destruction policies, your company can be sure that older information cannot be used against it if a litigation matter comes up.
Let’s say a litigation case does pop up, as they do at least every year for most organizations. Having a plan in place to conduct eDiscovery ensures compliance, so it can help preserve your brand and avoid unnecessary costs. One of the first pieces of information your attorney needs after receiving a discovery request is a copy of your ESI policy.
ESI Policies Need Retention and Destruction Measures
A good discovery policy includes a retention policy and a destruction policy. If older data is available, it can be admissible in court. This means that the information cannot only work against you; your company as a whole could be at risk and your practices called into question.
This could create a sideshow—in addition to the case itself—that discredits your organization and puts it at risk. The opposing party can rip apart your ESI policies as evidence of a lack of good-faith preservation efforts, and that can make it harder to win the case. (Not to mention it can be devastating to your brand if it comes out that your company doesn’t follow its own policies!)
Map Your ESI to Identify Where Information Flows
To create principles and a data destruction practice, I typically start by creating an ESI Survey Data Map. This is a general enterprise-wide data schematic that lists the types and locations of data across an organization. Companies should create such a data map as a general practice, and it should be kept up to date.
Forming a Records Retention and Deletion Policy
If you don’t have one already, it’s time to create a records retention and deletion policy. And then, in order to avoid the aforementioned risks, you have to actually implement it. Make sure that your document retention policy includes best practices for electronic formats as well as print documents. (According to a recent study from UC Berkeley, more than 96% of all information in an enterprise is in digital format, and even 70% of all paper documents are copies of electronic documents.)
Delete Documents That the Business Does Not Need
Once your policy is in place, you can create a consensus of documents that should be targeted for deletion. Obviously, it’s easiest and more cost-savvy to have an automated system in place where appropriate. Even if the process is automated, you should keep a log of what was deleted and when, in accordance with your policy.
Evaluate ESI Management
A few questions organizations should ask in evaluating how adequately ESI is being managed include:
- What unknown content resides in our storage systems?
- Is the content appropriate? Is it searchable and secured? Is it sensitive or confidential?
- Can the organization comply with internal and external policies?
- What is the cost and risk of unmanaged content?
- What business records are unmanaged?
- Do we have an archive strategy for information?
- Can content without business value be safely deleted?
- What information needs to be retained and for how long? Are there industry standards?
Review and Update as Needed
As business evolves, so must your policy. New applications are launched, old ones are retired, users relocate, and new storage methods are executed—so it’s a good idea to review your process periodically and refresh it if need be.
Does your ESI policy include regulations on matured information? Why or why not?