In this day and age, virtually every company collects and tracks some sort of data as a standard business practice. Data is incredibly valuable because it can inform strategic business decisions and give companies the edge that they need to grow and expand. It helps large corporations to keep track of employees, monitor trends, and produce evidence of compliance for government investigations or litigation.
But consumers have a different view of corporate data stores. All of the recent news surrounding data retention, coupled with periodic stories about major data breaches, has raised concerns among the American public about how companies retain and store their data. In fact, 79 percent of Americans are concerned about how companies use and store sensitive personal information. With so many people worried about data privacy and data security, it is more important than ever to mitigate the risks caused by corporate data collection by creating a thoughtful data retention schedule.
In this article, I’ll break down the basics of data retention and then talk about why it is important for corporate lawyers—not just the IT department—to play a role in creating a data retention schedule. I’ll also share the key steps to creating stellar data retention schedules.
What is data retention?
Why should corporate lawyers care about data retention?
How can a data retention schedule reduce risks for a company?
Steps to creating a successful data retention schedule
- Collaborate across departments to incorporate multiple perspectives
- Draft a data retention policy and a schedule
- Facilitate training and accountability mechanisms
Special considerations for general counsel
Reduce the risks of data collection by creating a sound data retention schedule
Download the Legal Hold Maturity Guide and learn the pros and cons of each of the legal hold maturity stages.
Data retention is when a company stores data (either electronically or physically) for a specific period of time after it is collected, in accordance with a policy or schedule.
Sounds broad, right? That’s because it is. The specifics of data retention vary greatly from business to business. Each organization has a particular purpose or motivation for collecting and using different types of data. Some companies might find value in data that other companies disregard or immediately destroy. Data retention schedules are complicated by the fact that some types of data must be maintained or destroyed within a certain period of time, while other types of data have no retention requirements at all.
Even though every company has a different approach to handling potentially sensitive data, common data retention practices contemplate at least three types of data:
While we commonly think about data retention as existing purely for digital information, data retention schedules should also include traditional paper records, such as physical files in a doctor’s or lawyer’s office.
As a corporate lawyer, you may be tempted to delegate the creation of data retention schedules to the IT department. After all, data retention is about data, right? Isn’t that IT’s job?
While it’s true that IT can help the legal team navigate and understand dense technological data, data retention schedules must be designed to ensure compliance with specific data retention laws and regulations. Those determinations are up to the legal team, not IT. Furthermore, IT isn’t equipped to truly understand the legal implications of mishandling data or being unprepared in the event of a regulatory inquiry or a litigation matter.
General counsel’s job is to protect a company’s legal interests, and creating data retention policies and schedules is part of that protection. The legal department is also responsible for mitigating legal risks to the corporation from:
Keeping these risks in mind not only helps the legal team to protect the company but also reduces data storage costs and improves efficiency when retrieving records during discovery.
At the end of the day, a thoughtful data retention policy can make general counsel’s life much easier by limiting the amount of corporate data on hand. When the time comes to conduct an internal audit or collect documents for discovery or litigation, a clear data retention schedule makes it easier to sift through and locate important pieces of evidence.
A well-planned data retention schedule can reduce several risks that companies face by preventing both over-retention and under-retention of data.
Over-retention of data can cause a slow and costly discovery process in the event of litigation. Excess and irrelevant information makes it difficult to quickly locate relevant data and contributes to increased data collection and review costs. Excess data and over-retention also create the risk that an opponent will be able to use outdated information against the company.
Retaining too much data increases the risk of litigation and regulatory enforcement merely by the nature and vulnerability of data storage. As a hot-button issue, customers and legislators are starting to come after companies that are perceived to collect excessive amounts of data. In fact, 42 percent of companies believe that data privacy lawsuits are on the rise. By limiting data retention to a few well-thought-out areas, you decrease the likelihood of becoming a target of litigation in the future.
On the other hand, under-retention of data can leave companies without information that would help them achieve their business goals—or even information that they’re legally required to maintain.
The details of data retention schedules vary across industries and jurisdictions, but companies with successful data retention schedules follow a similar approach.
Begin the process of creating a data retention schedule by talking with different experts across the business who have an interest or role to play in data retention. As lawyers, the legal team is conditioned to view data retention according to one lens, but other stakeholders may have valuable perspectives that can contribute to a more effective schedule.
For example, the IT department might be concerned with preventing a cybersecurity attack and have input on how to securely store sensitive data. By contrast, the records department might have input on how to practically organize records that must be accessed regularly. To effectively implement a data retention schedule, general counsel must have a working knowledge of how other departments use data for their own business purposes. Talking with leaders in other departments is a great way to compile that knowledge.
Corporate lawyers must create a comprehensive data retention policy that identifies each type of business data and specifies the appropriate procedures for employees to follow when interacting with that data. This policy should specifically identify the types of data that are collected and stored across different departments in the company. It should also include information on the specific systems used to store data and mention whether any data is particularly sensitive and must be handled with extra care.
An excellent policy will outline how each employee is expected to handle data and the steps that they must take to protect, store, and preserve it. The retention schedule will also include important deadlines and a specific timeline for the storage—and destruction—of each type of data. These deadlines should be conservatively based on the applicable laws, though some companies may opt for a more aggressive data deletion schedule.
Of course, a policy that no one knows about or understands is not going to be effective. Instead of assuming that employees will instantly grasp the importance of adhering to the data retention schedule, be sure to train employees on the risks associated with improper and disorganized data retention.
General counsel must also design accountability mechanisms to ensure that data is retained and deleted in accordance with the data retention policy. These might include certain disciplinary measures or mandatory retraining for employees who violate the policy. At the end of the day, training employees and holding them accountable is just as necessary as creating a data retention policy and schedule in the first place.
As you embark on the journey of creating a data retention policy and schedule, there are a few general things to keep in mind.
A well-planned data retention schedule is a valuable asset to any company. It is an easy way to reduce the many risks associated with over-and under-retention of data while still collecting and storing data that is useful to the business. Having a thoughtful data retention schedule can also save money in the long run by eliminating information that is no longer useful.
Luckily, eDiscovery tools like ZyLAB ONE can help organizations manage data collection, storage, and retention schedules. These systems are a great way for the legal department to track business-critical data in a way that saves time and money. To learn more about ZyLAB’s innovative eDiscovery technology, please get in touch.