Can you defend your decision to delete data?

Can you defend your decision to delete data your organization no longer requires? That’s a critical question that every organization must address at some point.

A 2012 survey conducted by the Compliance, Governance and Oversight Counsel found that data can be placed into one of four “buckets”:

• At any given time, 1% of data must be retained for litigation holds
• 5% of data must be retained because of regulatory obligations
• 25% of data has some level of business value
• The remaining 69% of data has little or no business value

Consequently, more than two-thirds of data can be safely deleted with little or no consequence.

When unnecessary content is not deleted, storage requirements and costs increase over time as a growing proportion of content must be stored and managed. For example, if we assume that the typical user generates five megabytes of content per day, that 69% of this content is not necessary to retain, and that the amount of content generated by users is growing at 25% per year, that means that at the end of seven years in an organization of 5,000 users there will be 534 terabytes of superfluous content.

Moreover, content that is not deleted complicates and lengthens searches for information, such as those required for eDiscovery or regulatory audits. These searches become more difficult and more expensive simply because there is more content – most of it not necessary – that must be searched and for which paralegals and others must be paid as part of the discovery and production process. It is also important to note that most of this content is unstructured and so becomes more difficult to search and analyze – classification of this data in some form would add structure and make the eDiscovery and regulatory compliance process easier to manage.

Finally, the potential value of undeleted data diminishes over time while its potential risk does not, thereby increasing its relative risk. Moreover, undeleted data becomes more risky over time because the context that would help to explain it disappears. For example, a set of emails between senior managers that discusses a decision to terminate an employee for misconduct can easily be taken out of context in later years if those who were involved in the decision process are no longer with the firm to provide context or help in its interpretation.

Many decision makers are reluctant to delete content for two important reasons. First, most organizations have inadequate information governance processes or technologies in place, and so most decision makers simply don’t know what can safely be deleted and what must be retained. Second, some data retention obligations are rather vague, and so many decision makers opt for a more cautious approach and retain more content than is necessary “just in case”.

At a high level, Osterman Research recommends a four-step process for implementing defensible deletion:

1. First, develop consensus among senior managers and all other stakeholders across the enterprise that there is value in deleting unneeded content. This process must include senior line-of-business managers, the CIO, IT management, legal and others that will be impacted by a decision to delete unnecessary information.

2. Second, decision makers need to become aware of how long certain types of content must be retained, as well as what and when content can be safely deleted. This involves establishing retention and deletion policies based on advice from legal counsel, education from regulators, adhering to industry best practices, and creation of specific corporate best practices about appropriate retention and deletion schedules.

3. Third, develop a realistic plan for deleting content – start with one system (e.g., email or SharePoint), one operation within the company, or the oldest data in the organization first. In order for a defensible deletion plan to work, it must be manageable and not overly ambitious if it is to be successful.

4. Finally, implement the appropriate technologies that will aid in the process of deciding what content can be defensibly deleted. These solutions will include archiving systems that can index content appropriately, classification systems that will categorize content properly, eDiscovery tools that will help to determine what is important and what is not, etc.

While not a simple process, defensible deletion will pay enormous dividends, both in elimination of the direct costs associated with storing too much content and in reduced risk to the enterprise.

Leave a Reply