Enterprise records management strategy guide for GRC professionals
A comprehensive collection of articles, videos and more, hand-picked by our editors
Data has become a major business asset for companies and, like any other business asset, the better managed data is, the more benefit it provides to the organization. This makes a properly maintained records retention schedule vital to business success -- not only as a function of reducing risk, but also toward boosting the bottom line.
Information management and records retention schedules are only going to get more important as the amount of data companies generate continues to grow. Alan Dayley, a research director at Gartner Inc., estimates that 60% of data kept by companies is "trivial junk" that has no business value but still carries huge risk when it is just lying around.
"If you understand and classify your data and get rid of the stuff that's junk or that's trivial and care for the rest of it, it lowers your risk," Dayley said. "When you have retention schedules, it's good practice just from a business standpoint."
A company's records retention schedule often hinges on several factors: regulatory compliance rules, data that must be retained for legal purposes, information that provides business value -- all play a role in what a company keeps, what it can delete and when. By paying close attention to these factors, companies can get rid of data they no longer need and reduce storage costs and risk in the process.
When you have retention schedules, it's good practice just from a business standpoint.
"[Retention schedules] certainly mitigate risk from a data management and information governance perspective because, at the end of the day, retention schedules are about two things: avoiding the cost of keeping information and making it quick and efficient to find it when a legal or regulatory request comes up," said Barry Murphy, co-founder and principal analyst at the eDJ Group consulting firm.
Determining what data to keep and what to get rid of is not always easy, however. More data is being stored on mobile devices and in the cloud, for example. New and evolving regulatory and legal requirements often complicate information management requirements as well, making it seem like a "keep everything" approach is the best way to protect companies from a legal perspective.
"Information is growing at meteoric rates," said Randolph Kahn, founder of Kahn Consulting Inc. and co-CEO of the information management firm Delve. "For most organizations, their data footprint is growing between 20% to 50% a year."
Without a proper record retention schedule, data continues to build up and companies end up with huge data storage "landfills" where the information just sits, paving the way for risk management concerns, Murphy said.
"By setting up retention schedules, you are also setting up some kind of taxonomy of information and understand what kind of information assets you have, where employees are creating intellectual property," Murphy said.
Beware the cloud, mobility factor
Mobility and bring your own device (BYOD) have had a huge influence on retention schedule maintenance and associated data risk management. As more employees use personal mobile devices in the workplace, they might start accessing files and shared applications that are not monitored or secured.
Furthering this concern, Gartner predicts that by 2017, 50% of a company's business data will reside outside the walls of the data center, up from about 10% today.
"That's where a lot of this data is going: on these devices, in the cloud, the files they can share," Dayley said. "That's really going to require organizations to have a higher level of diligence to understand where things are and where [data] is going."
Kahn noted that while BYOD can boost the bottom line, as well as employee happiness and business efficiency, it also can be incredibly challenging for regulatory oversight and for records and information management.
The cloud is no picnic from a data management perspective, either. Some companies use the cloud as a sort of data dumping ground, Dayley said, and still need to make sure the cloud vendors are adhering to the company's specific data retention and deletion processes.
Some -- but definitely not all -- cloud providers are starting to pay attention and are offering tools that include information security, records management litigation response and data privacy management.
"All clouds are not created equal," Kahn said. "Increasingly, if you are not going to a cloud vendor that has that kind of functionality, putting your stuff in the cloud becomes way more complex as it relates to retention because you now have another place to manage [data] if they are not doing it for you."
The legal factor
Retention schedules are not only a good foundation for companies to better manage and access their information, but they can also help protect against huge litigation costs. If companies keep too much data around, anything that is potentially relevant to a legal case could exist anywhere in the organization, and the cost of e-discovery explodes, Murphy said.
A well-maintained retention schedule serves as a foundation for meeting requirements under the Federal Rules of Civil Procedure, which states that companies must have the ability to put a legal hold on any information that is potentially relevant to litigation. Under the "safe harbor policy" in those same federal rules, however, companies are not on the hook for legal discovery of information deleted as part of standard operating procedures.
This "defensible deletion" of data is very beneficial from a legal standpoint, Murphy said.
More on information management
The data governance benefits of e-discovery tools and processes
Building information management strategy from the ground up
"That is defensible because you can now show cause and effect," Murphy said. "You can now say, 'This is our policy: Policy says to delete if this happens,' and then you can defend it and you can audit your actions."
A solid records retention policy will increasingly be good business as the amount of data the typical company generates expands in coming years. Gartner predicts that by 2016, 50% of all organizations will have a documented "deletion policy" -- compared to only 10% today.
By having these policies in place, companies will not only reduce storage costs but can also boost other business areas, Dayley said.
"If you know what data you have, you know how long you're keeping it, you know when to dispose of it, you have a better grasp of what it is as far as employees having access to it or even outside parties having access to it," Dayley said. "You are able to control that better [and] you can protect your intellectual property."