Eight is Enough! Eight Considerations for Defensible Deletion, Part One
Written by Doug Austin, Editor of eDiscovery Today
Does anybody remember the late 70’s TV Series Eight is Enough about the Bradford family with eight children, starring Dick Van Patten? Or am I showing my age?
Regardless, “eight is enough” is a great phrase to sum up this week’s post. As Jim Gill noted last week, a significant percentage of an organizations’ data is Redundant, Obsolete and Trivial (R.O.T.). Defensible deletion of R.O.T. within your organization is key to minimizing exposure from a compliance perspective and reducing costs during discovery. Over this post and the next one, I’ll discuss eight considerations for you to be prepared to minimize your organization’s R.O.T. effectively. Today, we’ll cover the first four considerations for defensible deletion.
Understand Why Its Important
To understand why getting rid of R.O.T. is so important, here are a few statistics for you to consider:
- Every 2 days we create as much information as we did from the beginning of time until 2003. (TechCrunch);
- If you burned all of the data created in just one day onto DVDs, you could stack them on top of each other and reach the moon – twice (SmartData Collective);
- 90 percent of records, once filed, are never referred to again, and 95 percent of references are to records less than 3 years old (ARMA New Jersey);
- 69 percent of organizational data has no legal or business value (Compliance, Governance and Oversight Council (CGOC) 2012 Survey);
- Estimates show eDiscovery costs to be between $1.5 to $3 million per terabyte of stored information (InfoGov Basics).
Most of these statistics are old, by the way. Do you think the problem has gotten better over the years? I don’t.
Address the Changing Data Privacy Landscape
Another important reason for why getting rid of R.O.T. is so important are the increasing requirements placed upon essentially every organization due to strengthening privacy laws. The European Economic Area (EEA), which is (by the way) larger than the European Union, implemented the General Data Protection Regulation (GDPR) in 2018 and California implemented the California Consumer Privacy Act (CCPA) this year. Many other states and companies are implementing data privacy laws as well, which may or may not be similar to GDPR or CCPA. And, you have regular challenges to implemented data privacy mechanisms, such as the Schrems II case that just resulted in invalidating the EU-US Privacy Shield. With individuals having the right to access their own data and the right to be forgotten (among others), it’s more important than ever to minimize R.O.T. to minimize your organization’s exposure.
Get Stakeholder Buy-In
You can’t accomplish anything within an organization without buy-in from the stakeholders. The best illustration of the relationship of stakeholders to the data within an organization that I know of can be found in EDRM’s Information Governance Reference Model (IGRM), which groups stakeholders into three categories, as follows:
- Business users who need information to operate the organization,
- IT departments who must implement the mechanics of information management, and
- Legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value.
Without stakeholder buy-in, any comprehensive plan to manage R.O.T. within your organization is doomed to fail.
Create an Organizational Data Map
You can’t get rid of R.O.T. if you don’t know where it is. Data mapping is simply a mechanism for knowing where your information is stored. Data could be located in enterprise-wide systems such as Sharepoint and Microsoft 365, or individual business systems used in departments, or in collections of custodians on their local drives. It could even be located in cloud-based platforms or social media sites or Bring Your Own Device (BYOD) devices or employees and others. Organizations use various tools to maintain data maps and they can range from as simple as an Excel spreadsheet to as complex as a SharePoint repository to track all changes to the data map. Choose a solution suitable for your organization and keep your data map maintained and current.
I’ll discuss the remaining four considerations for defensible deletion next week. Another IPRO cliffhanger!
For more educational topics from Doug Austin related to eDiscovery, cybersecurity and data privacy, feel free to follow, eDiscovery Today! And as part of the continued educational partnership between IPRO and eDiscovery Today, he’ll be here in the IPRO Newsroom next week with more educational content!