In this special guest feature, Bill Tolson, VP of Global Compliance & eDiscovery at Archive360, discusses the big question surrounding Big Data: when (and how) can information be legally deleted? What’s needed is the right combination of technology and policy. Bill has long been an advocate for strategic data deletion, and has authored numerous books and articles on subjects around it.
The practice of ‘hoarding’ has long been in the zeitgeist, thanks to everything from hit TV shows to home renovation binges. But it’s actually much worse at the office. Many organizations routinely hoard data—terabytes and petabytes of unmanaged and unindexed information clutter clogging corporate data centers and cloud repositories. In sum, it just sits there.
There’s a (bad) reason for this. Most companies don’t actively manage a lot of electronically stored data, on the assumption that if a file is not a ‘record’ subject to regulatory requirements, each employee can choose to store, manage or delete it. Meanwhile, business users receive 50 to 200 MB of data every day, and they don’t have the time to read, comprehend, categorize and file all of it. So, they don’t choose anything—and it just sits there.
This is why big companies spend millions tracking which files are expired, not required for business, not involved in litigation, or are legally required to be removed. For example, CCPA and GDPR privacy regulations require organizations to dispose of a data subject’s collected personal information when requested (right to be forgotten), or if the organization no longer needs the data for the original reason it was collected.
This is defensible disposition: the deletion of data in a legally defensible manner if there is no regulatory or legal reason to keep it. The term ‘legally defensible’ means documenting the policy, process and actions when a defensible disposition activity is executed.
There are other problems with the ‘keep everything forever’ corporate mentality. The first is finance: The cost of purchasing more storage resources, hiring employees to manage it, and leasing the space and utilities to house and run it adds up quickly. Other risks include regulatory non-compliance and legal risk during eDiscovery.
So here’s the big question: When (and how) can information be legally deleted? What’s needed is the right combination of technology and policy.
It’s actually legal to delete data anytime, as long as it’s not under regulatory retention requirements or involved in current or anticipated litigation. Data not meeting these two provisions can be defensibly disposed, unless the organization decides it offers business value.
Over the years, I’ve worked with many companies that, because they ignored ongoing data buildup, were forced to cull massive volumes to free up storage resources while ensuring they weren’t disposing of regulated or litigation-related records. Of course, even mass data deletion can be a costly and risky if it’s not handled correctly.
The best technology does much of the work for you. It automatically applies retention/disposition policies on all files under management—as files reach the end of their retention period, notices can be sent to records managers giving them the ability to double-check and approve file deletion. Additionally, expired files can be automatically deleted—again, as long as they’re not under a legal hold.
At the same time, some basic questions need to be asked before launching a defensible disposition program. These include:
- Do you have an established information policy that includes managing all ESI in the organization?
- Does the data in question serve a specific business need?
- Does the data have any regulatory retention requirements?
- Is any of the data in question subject to an anticipated or current legal hold?
- Has your Chief Regulatory Officer, Chief Records Officer, and/or General Counsel approved your defensible disposition plan?
- Does your organization have a published retention/disposition policy that supports your defensible disposition activities?
- Can your information management system produce an accurate report on the data deletion for future chain of custody and regulatory reporting?
Finally, it’s imperative to keep the process going, i.e., include the defensible disposition process in all aspects of the information management program. This will ensure regulatory compliance, legal defensibility, and a reduction in overall data management costs.
Caveat: Always get a written opinion from your corporate or outside counsel on the defensibility of your defensible disposition process. But remember, there’s always a lot of data in house that can be gone and will not be missed.
Sign up for the free insideBIGDATA newsletter.
Join us on Twitter: @InsideBigData1 – https://twitter.com/InsideBigData1
Speak Your Mind