Retention polices are the core of a strong Information Governance strategy. They are enacted for a variety of reasons, from complying with government regulations to creating a proactive and defensible litigation response plan. Below are five steps to think about if you are tasked with developing a corporate retention policy:
- Create a data inventory.
It may sound obvious, but you need to know what data is in your organization and where it is located before it can be secured. To help gain this knowledge, answer the following questions:
- What are the potential storage locations (email or file servers, laptops/workstations, file sharing software such as SharePoint, Notes, cloud-based storage, etc.)?
- Who owns the data?
- How old is the data?
- How is the data accessed?
- Understand differing retention requirements and prioritize enforcement.
What locations should be managed first? Should some files be retained infinitely? Some types of records, such as personnel and payroll files, tax records, workers’ comp claims, etc., are subject to various Federal, state, and local government preservation requirements, which may differ from the retention criteria for email or other types of data. In addition, you should identify data that may potentially be relevant to pending arbitration and create a litigation hold procedure to ensure its preservation.
- Clean up data stores while limiting data access.
Non-essential, redundant, or outdated (ROT) records need to be removed from the system. In addition, limit access of data to relevant personnel only – secure who is allowed to write, or edit data as well as who has read access.
- Create the retention policy.
Create a team with key stake holders (Legal, IT, C-Suite, etc.) to craft a policy that is both usable and compliant but does not get in the way of day to day tasks. The goal is to retain documents that are either necessary for business or are required by law. The idea is to create perpetual, automated policies for systematic, uninterrupted enforcement and, most importantly, defensible deletion. You may (or may not) wish to allow users to tag certain records (such as email) for non-delete.
- Ensure that policies and their enforcement were successful.
Provide comprehensive employee training and rigorous enforcement so that policies are understood and the consequences of non-compliance are known. To assist with this step, be sure to schedule periodic policy review and assessment.
In the end, the development and implementation of a proactive document retention program is critical to every organization. By following each of these five steps, organizations can feel at ease knowing that its information is organized and secure.