By: Robert Gerbrandt on April 11th, 2024
Information Governance: It’s What you Retain that Matters
Retention | Information Governance
It’s funny how corporate leaders get serious about information governance right after their company has been hit with a lawsuit or regulatory action. OK, it’s not funny at all. But that’s usually when many executives decide it's time to implement information governance and in particular, document retention. We’re here to advise you to not put off having a defensible retention program in place long before any legal action occurs.
When a lawsuit is filed, legal hold might require that any and all documents relative to the action be preserved so they can be produced during court proceedings. Failure to implement legal hold might result in lost documents and lead to charges of spoliation of evidence. Add in the various and sometimes competing factors around compliance with jurisdictional data privacy regulations, knowing just what to preserve for a legal hold can be daunting.
Overview of Data Privacy Regulations
There are a number of these regulations to keep in mind: the European Union’s General Data Protection Regulation (GDPR) demands that organizations that control or process data protect confidentiality and deliver personally identifiable information (PII) to a data subject (typically a European Union citizen) upon request. GDPR is being enforced and fines are commonplace. In healthcare, Health Insurance Portability and Accountability Act (HIPAA) regulations require that patient information be protected. Fines are assessed regularly for failure to do so. The Sarbanes-Oxley Act (SOX) mandates record retention for certain periods of time, in some cases permanently. SOX penalties can cost companies and their leaders millions and even put executives in jail. And don’t forget that in the U.S., there are data privacy regulations that vary state-by-state.
Importance of Document Retention and Disposition Schedules
So back to why organizations need to have their document retention and disposition schedules in place long before a legal hold request comes in, and the perils of neglecting that planning. One reason is that it’s hard to get right, especially when most of the information is either on paper or in digital formats.
Over-retain, and you will waste money on storage infrastructure, electrical power, and floorspace – and you might expose yourself needlessly to document discovery that results in regulatory fines or an adverse lawsuit outcome.
Under-retain, and you might save on infrastructure, power, and floor space, but you could just as easily expose your company to penalties and adverse judgements when you are unable to produce documents upon request.
The sweet spot is to retain only the documents that are necessary to protect them from breaches, and to dispose of them as soon as they are no longer needed, per your retention schedule.
Retention in the Cloud
Another consideration when developing and updating your retention schedule is the cost and effort required to actually store all the data you’re keeping around. Building on-site infrastructure often leads to poor retention practices. The costs and upkeep on servers, lots of storage, power, cooling – it all seems like a lot just to hang onto documents that your organization may or may not need. That’s why a cloud-based retention platform is such a good idea. A cloud-based service can provide you with the storage infrastructure you need, on demand. The storage infrastructure can go away when you don’t need it. And you don’t have to face the conundrum of hiring staff members that might only be needed for a short time.
The right cloud service provider should provide more than just another repository; they should also work with your internal teams in establishing and setting up a document taxonomy, a set of hierarchical categories that organize documents according to sensitivity level, retention need, and deletion timeframe. The taxonomy is then automatically applied to the data using metadata tags.
The right cloud service provider should also assist with understanding and implementing the various privacy and retention regulations that apply to your industry, including the latest updates, so you don’t have to worry about staying current on sometimes arcane rules. And the right cloud service provider will enable integration with the rest of your IT environment.
Rather than custom-building the integrations, look for pre-built connectors to popular platforms like Microsoft 365 Purview, Micro Focus Content Manager, Hyland OnBase, ERP systems, and other business-critical applications already in your ecosystem.
Retention for All
Although many larger companies have established sophisticated structures for retention, access, and deletion of documents, many more smaller companies lack the budget and expertise for such initiatives. A scalable, cloud-based retention platform, available on demand, with no extra staffing required, is a great choice for small and mid-sized businesses. But whether your company is large or small, don’t wait until you get stung by a lawsuit or regulatory fine. Get going now with a retention program that’s right for your organization.
About Robert Gerbrandt
Robert is the Global Head of Information Governance at Iron Mountain. He is an accomplished Executive Leader and Management Consultant with broad based experience across industries and geographies. P&L accountability $25-50 Million annual revenues, including sales/new business development. Expanding the consulting capabilities and practices across five global regions. Leading international teams to develop and enhance Iron Mountain Information Governance services and solutions. Proven ability to develop and implement robust governance, risk and compliance practices including policies, processes, and procedure structures for clients in public and private sectors while enhancing their capacity to effectively manage their information assets, including implementation of technologies. Led integrated teams combining onsite, near and offshore resources from the client location, including development, testing and support functions with team sizes in excess of 200 persons. Defined and implemented account management practices that reflect transparent communications, routine expectation management and opportunity identification.