5 top data management tips for legal hold and document retention
Like fixer-uppers, enterprise data stores need renovation work too. With the growing surge of risk and concern around new privacy laws, legal, compliance and information governance teams are realizing they may need to remodel their legal holds and data retention programs.
As with many old homes, records management has historically been underprioritized and underbudgeted. While data remediation is a well-known topic of importance in information governance and e-discovery (primarily to reduce document review costs and manage downstream information security risk), funding and priorities tend to leave these types of initiatives on the low end. This is why many enterprises today continue to operate under outdated records retention policies, which, more often than not, are unaudited and unenforced.
As a result, many organizations save everything. But new, heightened awareness about data privacy and the corresponding corporate risks is changing this dynamic and giving records managers an ally with other stakeholders and an opportunity to move their projects forward.
Since the GDPR came into force last year, and new data privacy laws followed in its wake (e.g. the California Consumer Privacy Act and Brazil’s General Data Protection Law), our team has seen an increase in inquiries for projects relating to reducing data privacy risk, such as records retention schedule auditing, maximizing legal process efficiency and legal hold refreshes and overhauls.
GDPR is the first globally relevant law that includes obligations for businesses to delete records containing personal data as soon as they are no longer needed for their intended purpose. If personal data is retained for longer than necessary, or if an enterprise fails to fully dispose of an individual’s personal records following a data subject request (such as under the right to be forgotten), the enterprise could be in violation of GDPR, and thus exposed to potential penalties and reputational fallout.
One recent client that approached us on this issue was concerned about GDPR and its implications on their fragmented legal hold program. The organization had more than 1,000 legal holds in place, many of which were out-of-date, broadly scoped and had not been refreshed throughout the litigation lifecycle. Thus, a large portion of the legal hold repository was no longer relevant.
Through the remediation work our team conducted on that engagement, we followed some important best practices that can support a successful data retention renovation. These include:
- Take a general contractor approach
Disparate groups working in silos, without a unified view of the project, will struggle to maintain efficiency and fully execute.
For example, when a business recognizes that it is over-preserving its data, and can no longer afford to do so due to data privacy risk, IT may be given orders to start deleting records. But in-house counsel, which tends to be highly conservative with regard to data disposal, will often step in and put a stop to the activity. This leaves many organizations at an impasse. But if legal counsel can work with IT, records and business units to develop a team of stakeholders, all led by a single strategy and action plan, the project will be set up for success from the start.
- Take inventory
One of the most important first steps in a retention overhaul is to identify and understand the full scope of data being stored, including which systems generate and store records across the enterprise.
The client mentioned earlier (the one with more than 1,000 legal holds) had differing inventories of what was being preserved, and legal holds were tracked in multiple systems. As our team began reviewing everything, we found that some of the holds included only three custodians, others included hundreds, and in some cases, entire systems were on hold.
By working with counsel to go through the population, case by case, and understand the unique details of each hold, we were able to create a map of the entire landscape. With a deep understanding of the dataset and the regulatory overlay, counsel was in a much stronger position to make decisions about disposal. Moreover, a master inventory enabled them to manage the changing scope of obligations and holds over time.
- Pay attention to the finer details
A home remodel takes more than a floorplan; details like how many electrical outlets are needed and what color grout will match the tile are also important. It’s the same with a data minimization initiative.
With the data map as a baseline, teams must begin looking at the data more closely to determine what can be defensibly disposed of, and to set appropriate retention periods for data that must stay on hold. This can include releasing holds that applied to cases that are now closed, or looking at holds of entire systems to rescope them so they cover only the relevant date ranges and custodians within that system.
Keep in mind this analysis should include the organization’s backup environments as well. Disposing of data in only the online systems when a copy is also managed in other environments increases the uniqueness of data, which can have a reverse effect on e-discovery obligations.
- Define your plan and stick to it
Once data has been identified for disposal, and everything else has been consolidated into a master application, teams can begin putting standard operating procedures in place to avoid over-preservation in the future. Policies and guidance for how legal holds should be scoped, and reasonable retention schedules for all other data, will help keep everyone on the right track over the long term.
In addition, special thought should be given to the environments where the data is managed: many applications are retention- and preservation-aware, and can help with executing the ongoing disposal process.
- Embrace change
It can be hard to reset mindsets about risk and how to mitigate it. Putting policies and guidelines in place is crucial, but ensuring everyone is on board can require some change management. We often ask our clients to look at the issue through the lens of more data = more risk, and then help them determine how they need and want to balance those scales. Looking at industry standards and the decision tree other companies typically follow can also help determine a risk tolerance level to which all stakeholders can agree.
With an updated legal hold policy and retention plan, organizations strengthen their position from both a legal and privacy risk perspective. They will be able to respond to data subject requests and more easily delete regulated personal information from systems once it is no longer needed. And, if regulators or courts request certain information that has been deleted, counsel will be able to defend its disposal by showing it was done in accordance with the established, documented retention schedule.
Just like on the home improvement shows, no matter how messy the house is at the start, the right combination of planning, strategy and elbow grease can get enterprises to an end result they can live with and stand behind.