DATA RETENTION POLICY: What is it and why have one?
Think back to the last email or electronic file you used. When you were finished with the file did you just save it and file it away? This laissez faire approach to file management may be tempting, but having a Data Retention Policy in place will benefit your organization as well as your members or clients.
Imagine a scenario where a member/client is involved in litigation and your firm is subpoenaed for records. Do you know which records you have and where they are located? Does IT have to go into backup storage? Do you know if your organization could be investigated for having certain types of information or not retaining what is legally required?
A well-designed and implemented Data Retention Policy will answer these questions and can help:
- Minimize storage costs
- Be an effective tool for risk management
- Streamline projects overall and promote better workflow
- Provide continuity in extreme emergencies or disaster
As it is unrealistic to keep all generated data indefinitely, it is equally unrealistic to delete everything the moment you are finished using it. An effective policy will balance the cost and risk of data retention with the need to preserve records to efficiently service your members or clients. Your organization’s needs are unique as are those of your members/clients. However, there are a few rules-of-thumb that may guide your considerations:
Quantify and qualify all electronically and physically stored data.
- Include more than just emails and project files and consider instant messages, meeting minutes, metadata, text messages, activity logs, even browser histories. Comprehensively define what is covered by the policy and what is not.
- Characterize the legal risk environment in which your organization and its clients/members operate. There may be distinct legal requirements to consider depending on the type of record and state and federal guidelines.
- Implement a consistent policy across your organization but take into consideration legal and client/member requirements.
- If automatic purge programs are setup, remember to halt them as soon as you anticipate the need to retain records for investigation or litigation. Include guidelines for “litigation hold” procedures.
- Communicate and involve all departments, including Human Resources and IT Management.
- Define how long different types of records should be retained and how they should be disposed. Destruction is not always easily defined or achieved; much of the time “delete” may not actually delete. Collaborate with your IT department.
- Include backup procedures and storage, and be familiar with your IT platform including Management software and Cloud storage.
- Consider non-compliance policies.
- Establish a Records Committee to periodically review policy.
- Consider collaborating with an outside expert or attorney.
- Consider plans for disaster such as fire or lost or destroyed backups.
Now is the perfect time to commit to implementing or reviewing, following and/or updating your Data Retention Policy.