First, take a deep breath and remember that the U.S. Supreme Court once went on record saying that it is acceptable to delete your data, as long as you do it correctly:
‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct employees to comply with a valid document retention policy under ordinary circumstances.
Arthur Andersen v. United States, 544 U.S. 696, 704 (2005)
If the qualifiers in that statement still make you nervous, then you are experiencing the real barrier to most defensible deletion projects: Fear.
Fear will manifest differently depending on the individual person and his or her role within the company. The General Counsel’s office will be afraid of deleting something on legal hold, the business group will be afraid of deleting something that may have operational value, and data scientists will be categorically afraid of deleting any data that can be used to feed their hungry algorithms. Even if you get advance buy-in, document everything, classify everything perfectly, and queue up the data for final deletion approval, you still run the risk of someone throwing in the towel at the last minute because of vaguely rooted “what ifs,” which usually stem from the implicit belief that the more data, the better.
In other words, beyond all the normal due diligence needed to ensure the destruction of data is defensible, you still need to solve the culture problem of fear and data hoarding.
What is Defensible Deletion?
Defensible deletion must account for two different manifestations of the law: Regulation and Litigation.
Government regulation often dictates how long an organization needs to maintain certain types of documentation. Diligently researching all the relevant regulations that apply to your business is an essential first step. Ideally, you will have citations of those regulations in a retention schedule document, which lists the types of information you create or store, how long you need to keep them (i.e., the retention period), and the reason why they need to be kept (i.e., the citation). Regulations do change over time, but they change slowly and usually with advance notice, provided you are monitoring for updates. As a result, your regulatory obligations tend to be stable once you’ve put in the front-end work of establishing a comprehensive retention schedule.
Retention schedules can be hard to create, harder to maintain, and even harder to enforce, but they are essential. This article isn’t about making one; it’s about how to make sure the hard work of making one doesn’t go to waste. Great resources do exist on creating a schedule, such as this PDF from the University of Edinburgh and these Top Ten Tips for Creating a Retention Schedule.
Unfortunately, regulations aren’t the only mandate you must consider. Whenever your legal counsel reasonably anticipates litigation, your company has a legal duty to preserve all documents that might be relevant to that litigation, retention schedule be damned. You must suspend normal deletions, even if they directly conflict with some regulations (think GDPR). If you do delete data that ought to have been preserved, the consequences can escalate very quickly.
Know Your Audience
The best way to preempt any challenges to starting a defensible deletion project is to understand who else in the organization will be impacted and what their objections may be.
Some questions to consider:
- Who are the most important stakeholders?
- What might predict their attitude towards defensible deletion?
- Who will be the biggest obstacles and what will be their specific opposition?
Once you’ve identified the stakeholders and the source of their reluctance, think about the messaging that will be most effective to secure their buy-in. Will they respond well to risk reduction arguments, such as:
- Every document deleted is one that can’t be exposed in a security breach
- Every document deleted is one that can’t hurt us during litigation or investigation
Alternatively, will they respond better to cost reduction and value creation arguments, such as:
- Every document deleted will save X amount of IT dollars
- X% of data volume reduction will save X amount of time searching for the right document
With a better understanding of stakeholder concerns, devise a list of goals at the outset so that over the course of the project, you can slowly collect a portfolio of ‘proof’ that their concerns have been addressed.
You might have noticed a few key metrics already mentioned. They are essential building blocks not only in justifying a budget for a deletion project, but also in helping people move away from an emotional objection to a logical justification. Think about anything you could put a number to and try to find a way to consistently document it. Don’t be afraid to look externally for important metrics too.
In addition to focusing on metrics at the outset of a project, consider the value in moving from phase to phase. In other words, you will likely start out small, but if you prove ROI on a small scale using real metrics, you will have more ammunition to obtain buy-in and sign-off for a larger phase. Some examples of metrics to track include:
1. Cost per GB for IT – Try to figure out how much IT spends to maintain a GB of data for each target application. Remember, this cost includes not only the underlying hardware and software licenses, but also the personnel hours to maintain those systems.
2. Cost per Record Lost or Breached – Many industry and research groups track cost metrics around data breaches, with one useful data point being the cost per record. A metric ascribing a dollar value to the risk of data loss is essential for making a cost avoidance argument for deleting records that no longer need to be maintained.
3. Time Spent Searching – Try to figure out how much time is spent by knowledge workers (or just normal workers) finding information. For example, if you can obtain a ballpark number of hours spent searching for documents on a weekly basis, you will have a reference point for demonstrating improvement once a solution is implemented. Moreover, tying the hours saved to the average worker’s hourly rates will demonstrate specific cost savings.
4. Cost per GB in eDiscovery – This metric is similar to Cost per Record in the context of a data breach, but is easier to define for your business because your legal department is more likely to have relevant historical cost information. If Legal does not have this data, it will take considerable research into industry figures to pin a number down.
5. Cost of Regulatory Action – For each regulation that applies to your company, try to calculate the cost of non-compliance, including fines, sanctions, associated legal fees, and loss of customer confidence.
Sometimes a push for defensible deletion is met with the belief that the company is already compliant with its retention goals and there is nothing that needs to be cleaned up. One method for countering this potential misapprehension is to have a vendor complete an ‘assessment’ project for free or at low cost. These assessments typically survey a limited set of data, usually with a technology solution that can conduct random sampling. If this limited assessment finds a number of non-compliant records, or potentially problematic ones, the vendor can extrapolate from the sample to estimate the total number of documents within your company that are likely to be non-compliant. You can then calculate the cost of that risk using the above metrics.
We Can Help
Rational Governance provides robust file analysis capabilities backed by artificial intelligence and granular security access controls. Built-in actions enforce legal holds in concert with retention policies and deletion commands, so all stakeholders can have their requirements expressed and harmonized in a single, low-burden platform. Reach out to our solutions team today to learn more.