Too much data can quickly become burdensome for legal and IT teams alike. While bringing in new storage options might seem like the appropriate solution, it can actually exacerbate the problem by allowing data to grow with minimal management or organization. In addition, companies may find they are storing data that offers no value and could bring higher discovery costs if it is found responsive in a legal matter. For most, it is better to create a repeatable process for deleting unnecessary data. But how can you ensure that process is defensible?
Identifying Data for Deletion
Defensible disposal of data and electronically-stored information (ESI) involves accounting for a variety of factors such as legal holds, regulations, and business needs in order to target data which is no longer useful.
Knowing what to delete requires a thorough understanding of your data and having an information governance strategy in place that can act as a useful guide. This may include a specific policy regarding data retention that stipulates which data can be archived and when.
Defensibility also depends on when data is deleted. For example, if an organization has a retention policy in place that lays out a timeline for disposing certain types of data, deleting that ESI should be defensible unless it happens after a legal hold has been received or litigation is reasonably anticipated. Similarly, once an ongoing a case has concluded and the obligation to preserve is lifted, its data can be defensibly deleted.
Sharing Responsibility
Once you have an information governance policy and its administrators in place, ensure they are integrated with the technology required for data management. Ideally, this will include a centralized data store including an inventory of IT systems, records, and legal policies. Keeping all of this information together can enable robust audit trails, which in turn assist with defending disposition.
Even with technology providing a more automated process, decommissioning and disposing of data requires active management by stakeholders across the IT, Records, and Legal departments. Without regular updates and vigilance, ESI can be forgotten and retained unnecessarily. An inconsistent, ad hoc process is not defensible.
Collaboration between stakeholder groups ensures that everyone in an organization is using the same method for identifying data to be deleted. A clear understanding of who is responsible for which ESI leads to better visibility and increased efficiencies from the IT department when it is time to actually dispose of data.
Executing a defensible strategy for deleting data will certainly require participation from internal resources. However, this is not always enough and many organizations find it useful to work with an experienced third party to drive organization and mitigate between different stakeholders. A well-planned approach from both IT and records management can ensure that unnecessary data is deleted defensibly, without risk of sanctions.