From GDPR to HIPAA, and ever-evolving state and federal regulations, the need for clear and effective strategies for management of seemingly endless amounts of data is at an all-time high. Organizations must focus on Information Governance not only to minimize potential liability, but to improve operations and reduce costs.
However, effective information governance goes beyond managing data creation, storage, security, and transfer; it also encompasses data destruction. As the amount of data grows at an exponential rate and the use of cloud-based storage proliferates, the need for clear procedures around offloading irrelevant, outdated, or restricted information is greater than ever. Yet many organizations fail to adequately address this aspect of data management, whether out of fear of destroying the wrong information or concern about the time and cost involved in determining what to delete.
Every day organizations deal with the impact of keeping too much information. For example, most corporate, legal, and tech professionals alike have encountered redundant drafts of internal memos or prior software workflow guides simultaneously littered across email inboxes, file share sites, server locations, and even multiple workstations (both physical and virtual). Then there are the long-unused databases clogging up resource bandwidth as well as hard media with sensitive contents in need of return, wiping, or disposal. And let’s not forget information retained due to endless legal holds.
To address these problems, effective and defensible data destruction policies must consider various issues including:
- Who is responsible for data destruction?
- How can you minimize and streamline repositories for information to help avoid searching multiple locations for the same data?
- How often should you scan for space-depleting items for potential deletion?
- Do you receive client requests to destroy data and verify it no longer exists? If so, are there sufficient guidelines around documenting chain of custody and purging information in a defensible manner?
- What destruction measures are in place to ensure data is truly gone and unrecoverable? Conversely, what methods or applications are in use to ensure relevant data is not deleted?
These are just a few of the crucial questions currently posed by ever-evolving Information Governance frameworks like the Information Governance Reference Model (IGRM). The goal of the IGRM is to help stakeholders understand their role in information management for the organization. In the context of establishing data destruction policies, the questions above help illuminate the need for proper data destruction controls, ideally developed collaboratively with inputs from all key stakeholders.
CDS has experience through every element of the eDiscovery process, including helping to design effective information governance processes. Contact us for a consultation about your organization’s needs.