I have spent nearly all my career helping companies figure out how to manage information. Over the years, I have found when looking closely enough at any organization that managing data is the corporate equivalent of making sausage. Maybe that gives sausage making a bad name, but it amounts to more stuff from various sources, the identity of which is suspect, and it is all mixed together.
In the information space, having information is very different than managing it, and most companies are not managing information effectively in large part because the rules they use are no longer ready for prime time. It is like a dude in a leisure suit ready for disco dancing is jettisoned into a mosh pit in 2018. Managing information in 2018 with retention rules constructed decades ago no longer works.
Not long ago, the entire information universe was in paper form, relatively small, and managed exclusively by people. Rules directing employees what to keep, where to store it (on-site or off-site in banker’s boxes), and for how long was an easy task. Each employee maybe filled up a box or two a year and applied a simple rule to each box.
Today, the first problem with managing information is knowing all that exists, which is difficult because there are ever-growing piles of structured and unstructured data in endless file formats in many storage locations, including the Cloud. Getting a handle on what information exists for the average large company today is all but impossible with literally billions of files. “Bigness” has become a real issue and will continue to confound as the pile continues to grow unfettered.
Further complicating matters is the increasing number of competing interests in the way information should be appropriately used and properly retained. For example, Big Data professionals want to keep as much information for long periods of time because they don’t know what information will prove useful when using analytics tools to answer business questions. On the other hand, the EU’s General Data Privacy Regulation (GDPR), which takes effect in May 2018, “requires ensuring that the period for which the personal data are stored is limited to a strict minimum.” GDPR doesn’t specifically dictate exact periods, but demands a recalibrating of retention to push the period shorter where retention of such data is “not essential for the purposes for which it was collected.” If an organization has not built a process to rework retention through a GDPR lens, they must hustle because that train is right around the bend.
Confounding matters further is the reality that over the past two decades, business has come to be conducted in completely new and different ways, which makes information management even tougher. We regularly enter contracts using e-mail, modify them with a text message, and breach them in social media. Business is now casual and immediate. Using new communications and social technologies augments business in significant ways, which is directly related to more laws and regulations dictating how organizations manage information and the consequences for failing to do it right. For most of our clients, there may be thousands of laws and regulations dictating how information is managed to properly address storage, retention, destruction, privacy, and security. It is like the perfect information-mismanagement storm—more information in more places and formats, perhaps outside the control of the company, with greater risk of mismanagement and more laws dictating how to manage it. The answer to managing information in 2018 and beyond can’t be the policy equivalent of a guy in a lime green polyester suit from the 70s as its tired and outclassed for today’s problem. So, here are a few Rules to help guide your organization into 2020.
12 Rules to Help Fix Records Retention and Wrangle the Information Piles
Rule 1: Simpler Retention Built for Technology
In the old days of retention, there likely were 500–1,000 different retention categories for a typical company. That is a nonstarter today, given the speed of business and volume of data that must be managed on the fly against a growing number of laws and company policies. If employees had to apply that large a number of rules, they would develop a work-around or simply find a catch-all rule in which to put everything. When simplifying companies’ retention schedules today, we expect to cut the number of rules by 80 percent and build the rules at a higher level. Such simplification promotes retention because fewer, more intuitive rules can be more readily applied by employees and technology alike.
Rule 2: Different Storage Locations for Records and Nonrecords
Designate different environments as either record or nonrecord (those having no long-term business or legal value). What that does is ensure that if an environment is designated as nonrecord, the entirety of its contents goes away permanently after a specified period of time. The period of retention should be long enough to allow employees to do their jobs so they don’t move information elsewhere, creating a greater discovery headache in the event of litigation. Thereafter, all predictable nonrecords should be purged in the ordinary course of business.
Rule 3: Take Employees Out of the Center of the Universe
My firm conducted a survey on information management a few years back and we learned some interesting insights about employees’ ability to classify information. In short, employees are bad at it. Furthermore, they not only don’t like to do it, but they also won’t do it. And that was when the pile was smaller and the problem way more manageable. Take employees out of the equation and start to find ways for technology or one person in a business unit to apply the rules while keeping the average employee free from doing any classifying.
Rule 4: Manage from the Top, Not the Bottom
When information is classified, each item is reviewed against the retention rules. That is “bottom up” classification in that each individual data file must be classified. If the exercise is to apply the right rule, and employees are bad at classification, then perhaps there is another way to classify. That way is top down, or taking a macro view of information.
This can be done by applying one retention rule to any environment or a chunk of business content within a job function; for example, accounts receivable may have one or two rules instead of 20. All information with a business function may fit in a rule, making its application easier and more predictably correct.
Similarly, applying one retention rule to an entire environment, if possible, ensures all the information is retained the same length of time. It may not work for all environments but should be considered. If an individual document or communication must continue to be retained for some reason, the retention rules can shift the burden to the employee in that rare situation to move the one file out of the environment for continued retention.
Rule 5: Seek Reasonableness, Not Perfection
Many organizations get caught up in trying to make the records retention process “perfect.” They seek to make the inventory process cover all records in every business unit and do exhaustive federal, state, and local legal research in every jurisdiction in which the company has presence or may do business, etc. In a perfect world, all of that is good. However, the records retention schedule development and update process can be very expensive and time consuming. A better approach is seeking to be good enough given an organization’s size and nature of business.
Rule 6: Eliminate Complicated Retention Triggers
Retention works by creating a rule that is applied to information when it is created or received that is often “triggered” upon the happening of a future event, like the end of an investigation, the termination of a contract, or the end of employment, etc. The event trigger begins the running of the retention clock so that the records are kept for the right period.
Companies should aim to remove as many event triggers as possible and replace them with straight retention periods. For example, assume a company wanted to eliminate event triggers from investigations (which might be the length of the investigation plus five years), and it knows from past experience that investigations typically conclude within two years of commencement but never longer than three years. Instead of keeping the retention rule as event-based, which makes it difficult for people and technology to manage, the company could make the rule a straight eight years (three for the longest investigation plus five years after). This may not be perfect and may not work in all cases, but companies should strive to do it as often as possible.
Rule 7: Go International by Building Exceptions
A U.S. company that wants to ensure that retention is addressed across the globe will find it a complex and expensive task, which could include an exhaustive records inventory in every facility and legal research in every jurisdiction. Although feasible, it is unnecessarily expensive and time-consuming, and so we opt for building an exception process, which takes a U.S. schedule and pushes it across the globe and documents the exceptions. That way a company ends up with a global schedule that is good enough and gets it done “faster, better, and cheaper.”
Rule 8: Rules Must Be Absolute—Neither Maximum nor Minimum
Companies often express retention rules in terms of the minimum amount of time or the maximum amount of time a record should be retained. Neither works because it creates a situation where every employee interprets what the rule should be, resulting in no predictability or consistency.
Rule 9: Resist Permanent Retention Where Possible
When companies do not know what appropriate retention is for a class of records, they sometimes state retention periods as being “permanent.” Such a designation adds to the information footprint and may not be necessary. There are very few records that must be retained permanently, and an effort should be made to resist the temptation unless the law requires it.
Rule 10: Include Operational Value in the Schedule
Creating retention rules is a little science and a little art. Final periods of retention should incorporate legal requirements, legal considerations (like statutes of limitation), and business needs. If a company is considering its business needs for continued access to a type of record, such input should be documented in the records retention schedule.
Rules 11: One Rule with Few Exceptions
Most employees think their information is unique; however, company retention policy should resist the pressure to make special rules for different business units unless absolutely necessary, or the schedule will get out of control and be difficult to manage.
Rule 12: Just Do It
Records retention is neither sexy nor fun. Given that a prudently created schedule is an organization’s license to clean house, make sure it is reasonable, documented, supported, and utilized. If retention is broken, just fix it because in its current state, it’s probably more a liability than anything else.
In recent years, there has been a push to keep everything forever due to a fallacious belief that storage is cheap. Although the cost of storage per terabyte has been declining a little, that is entirely dwarfed by the growth in information volumes. The real cost is going up. Even if that were not the case, information-security and privacy risks are greatly reduced by keeping less information. In addition, access and retrievability is enhanced by having a smaller information footprint, and following records retention rules is the only legally defensible way to clean house and not worry. This increasingly means fixing a broken records retention process. For most organizations, records retention is not top of mind, but business efficiencies, cost savings, risk mitigation, and better compliance are all driven by better information management, and now is the time to take control. Tomorrow the pile will be bigger and a problem tougher to tackle.