The over-retention of data poses numerous risks and added costs, especially around privacy, security, and GDPR compliance. But removing the blockers for data disposal and implementing a robust records management and information governance program is no easy feat. In-house counsel and records management teams of companies across every industry are struggling to remove barriers around legal holds and records management (including getting the right people to take ownership of data remediation and disposal), build business cases for disposal, and manage data proactively.
E-discovery business Lighthouse gathered 11 in-house counsel from a wide spectrum of industries for The Lawyer General Counsel Summit 2021, to discuss defensible disposal of data. The roundtable was chaired by Lighthouse’s managing director for sales EMEA Michael Brown and vice president of global advisory services Jamie Brown.
The headline conversation points centred on the retention of data: the risks it poses around privacy, security, litigation and added cost; removing blockers to data disposal; achieving business alignment; and how to approach and execute disposal of data.
As an electronic discovery provider, Lighthouse helps businesses transition to the cloud, particularly Microsoft M365 software.
In doing so, Lighthouse helps gather various stakeholders, including legal and compliance, to focus on the capabilities of technology around information governance and compliance. Defensible disposal has become a hot topic during these discussions because of the significant risks of over-retention.
Data disposition is not a new topic, but companies are prioritising efforts to address over-retention due to the GDPR requirements for deletion and the transition to the cloud. Both present an opportunity to renew focus on the data management life cycle, including consideration of how data is stored, protected, retained and deleted.
Despite benefits to the business, IT transformation presents some risk to legal and compliance teams that needs to be addressed as part of the planning, and legal are interested in participating in these discussions.
There are also modern, collaborative data sources that make things more complex, including attachments and persistent chat messaging such as Teams. These sources must be accounted for in terms of retention, preservation and collection – and the good news is that some of this can occur using tools built into the cloud platform.
Moving on-premises data onto the cloud is not something that is done overnight – there is always a hybrid state.
Legacy data challenges
A GC who also served as data protection officer (DPO) in one financial services company stated that the topic was of great interest to her given that she is responsible for e-disclosure and privacy. In her roles, she witnessed the conflict that arises between the need to delete data pursuant to privacy law and the need to preserve data that is relevant to litigation or investigation matters. She has also witnessed challenges with respect to the deletion of legacy data.
“While you can make decisions around go-forward systems and building and deletion capability, anyone who has worked in a bank will know these are not so straightforward and systems may not be built with these capabilities in mind,” the lawyer said.
When the business is the product of several mergers and acquisitions, it is not as straightforward as just pressing a big red button and deleting data. The panel shared their concerns about it being a complicated and expensive programme, lasting many years.
A GC who also served as DPO remarked that, as an older business, two years after GDPR they were still working on retention because of legacy systems.
“I find the challenge of defensible deletion very difficult,” she said, disclosing that it has been overwhelming. “We have numerous contracts that include various retention obligations, as well as legal obligations to retain data. It’s putting everything together and getting business buy-in to get rid of data when there are so many moving parts.”
Many people embark on disposal efforts thinking it is a “one and done” project. Some are overly eager, believing it is a simpler task than it really is. Then there are others, who know it is complicated and do not want anything to do with it. Best practices dictate that clients should bring various stakeholders together to understand the risk, the plan and the scope.
A GC at a bank raised her interest on the litigation side, in terms of the pros and cons of data deletion. If litigation arises later that involves legacy data, there are advantages and disadvantages to having the data available to either support the business’s defence or undermine it, depending on what the data says.
For another GC at a large multi-national publisher, the most daunting prospect was approaching data disposal through a global lens, including ensuring compliance with numerous laws for the retention and disposal of data.
Key drivers and blockers
Participants discussed the key drivers with the group, which have changed over the last decade. Where previously the drivers were around cost, they are now focused on improved management of information risk. In the context of legal and compliance, this risk primarily includes security, data protection and litigation risk. Companies want to better manage information risk by deleting data that is expired – meaning there is no legal, regulatory or operational requirement to keep it, and it is not subject to any existing legal hold.
The conversation then turned to blockers. Organisations often struggle with ownership – no one wants to take on a large multi-year programme to delete data, or to fund it. No one in the business steps forward to take charge. Legal departments tell Lighthouse that they don’t believe they should be the authority for disposal and that this responsibility should lie with the business. On the other hand, the business says it cannot act without input from legal because of potential legal holds, into which it may have little to no visibility. Compounding this challenge is the fact that legal hold “lists” often lack precision on the exact systems under hold or the underlying storage location, making it difficult for IT to manage. Also, legacy systems often cannot account for today’s requirements for retention, deletion and legal hold, which renders the management of these items tedious and time-consuming.
Participants commented that, for various reasons, people pass the baton. What is important is figuring out for your organisation what kind of executive sponsorship and structure is going to be the most effective. This might include two sponsors from different functional areas, such as legal and IT.
There needs to be recognition early on that there are many owners responsible for deletion, including individual employees who have a duty to comply with policies and familiarise themselves with basic records management principles. If the correct structure is in place it takes pressure off a single human being or organisation to be the one point of failure, which is the risk many fear when approaching data disposal.
Ultimately, the business plan for a defensible disposal programme should articulate the value to the organisation, the risk of doing nothing, and the cost and impact not only on your business unit but the entire organisation.
The second big blocker is records retention policies and procedures. Many organisations don’t have a current records policy, which includes a retention schedule – often it is out of date and doesn’t include recent regulations that may govern recordkeeping, while other organisations don’t manage things in an efficient way.
Participants discussed that the only way to remove the records blocker is to make sure that the policy is current, with the retention schedule reflecting recent regulations.
It should be aligned across business groups so there’s less room for error and confusion, and it needs to be managed in a way that contemplates disposal.
Transition to the cloud
A records clean-up project is one way to remove the blocker – usually, it can be sponsored independently by the function that is responsible for records management.
The transition to the cloud is often a trigger for a records management clean-up due to the cost of migration and new tools that allow for retention and disposal. Notably, this includes auto-classification, which relies upon technology to identify documents that contain certain content and automatically assign a label or a policy that has pre-defined retention (or other protections). Participants acknowledged that this is the future, although today it is difficult to apply wholesale.