10 steps to a defensible disposition policy

The regulatory and legal implications of keeping data past its useful time can be severe. Old records may become discoverable in a lawsuit or create unnecessary administrative overhead. They also create clutter that complicates the task of finding information.
Having a defensible disposition strategy can help an organisation manage its future data retention needs and create a culture of compliance. Follow these 10 steps:
- Explain the defensible disposition policy and get buy-in from stakeholders: Deleting data can be a politically charged issue. People will resist for a variety of reasons, so it is essential to explain why the risks to the organisation mandate a disciplined approach. Stakeholders also need the opportunity to make their case for keeping some data beyond the mandatory deletion time.
- Document how much data you start with: You can use this as a benchmark to measure progress.
- Identify data disposition targets: You’ll need to work closely with your legal counsel during the entire process of setting up and implementing a strategy. It’s important to understand what data is covered by regulations or may have legal exposure issues. You’ll also need to understand what the precise guidelines are for data retention, as they vary by regulation and legal scenario. Use this process to whittle down the scope of data that will fall under the disposition policy.
- Define disposition guidelines: Your defensible disposition policy should assign a set of rules for disposition. For example, unstructured data like email messages may need to be moved to a searchable archive after six months and deleted at a defined later date. Your guidelines should include justification for all decisions, particularly exceptions.
- Create a records retention schedule: Denote the length of time each item should be retained at the finest level of detail possible. Regulators and courts tend to frown upon ad hoc destruction practices.
- Create a metadata tagging scheme: Tagging data at its time of origin will make the ongoing disposition process much easier. Choose tags that match your guidelines and any regulatory requirements.
- Conduct an information audit: Locate and catalog the information you have. Be prepared to apply technology tools to the task, since information may be on everything from PC hard drives to smartphones and USB sticks.
- Identify candidates for disposal: But don’t push the delete button just yet. Stakeholders need to approve the destruction of data they control. You’ll also need to check for any holds on data or exceptions to your rules.
- Delete and document: Use a certified data destruction vendor with secure facilities that can provide certificates of destruction. Keep these documents in a secure place in case they’re needed for legal defense or verification.
- Implement ongoing policies: Don’t let all your hard work go to waste. Use the expertise and technology you’ve developed to make your data disposition policy part of your information governance guidelines. That way, you’ll never have to go through this exercise again.