Compliance and data risks are hitting companies from all sides. New and expanded legal and regulatory recordkeeping regulations require more records to be retained and, in many cases, for longer periods. New and emerging privacy rules require that personal information needs to be protected and deleted when there is no longer a legitimate business need. Increasing overretention of paper—especially electronic information—places companies at risk during e-discovery. This occurrs in an environment where many employees spend the majority of their time working from home and seemingly want to save all their email, files, and other electronic information forever. This overretention increases data storage burdens and increases compliance risks. Worse, many companies have so much electronic information everywhere that they are not only noncompliant but so disorganized that employees can’t find information they need in the clutter.
Traditionally, document retention and disposition are handled by a records management function. Yet, these newer challenges are not limited to records retention and disposition. In response, many companies are launching comprehensive information governance programs. These initiatives combine previously siloed records management, e-discovery, privacy, and other data security programs into a coordinated program with single workstreams that address multiple compliance regimes.
While clearly compliance should be involved as organizations upgrade records management functions in information governance, the question is raised: Who should own it? And by the way, who pays?
Older management approaches are not working
Most companies have traditional, siloed records management practices, somewhat disparate from privacy, information security, and technology programs. Yet, in today’s environment, this traditional approach falls short in three distinct ways. First, many traditional records programs rely heavily on manual employee processes. They are built on paper-based processes and depend, to a large degree, on employees to manually classify, tag, or move records into certain storage areas. These types of processes worked fairly well for paper. But today, more than 95% of the information a company receives is electronic. Even most paper documents are copies of electronic information. Paper-centric processes work poorly with electronic information. This is often the source of huge compliance gaps in records retention programs.
Next, standalone records programs can—and increasingly do—conflict with other compliance requirements. For example:
Records management programs’ retention requirements can conflict with privacy rules requirements for limiting the retention of personal information.
Records retention processes that require ongoing deletion can undermine information that should be preserved under legal holds.
Intellectual property management may be undermined by e-discovery data cleanup projects that inadvertently delete files and emails documenting the organic development of intellectual property.
Data deletion initiatives can sometimes delete valuable business information employees need to do their jobs.
Finally, many programs ignore the most serious effect of electronic information overload: employee productivity. The average employee sends and receives more than 165 emails per day and creates or handles more than 20 files. Believing that they may need this information at some point in the future, many employees adopt a “save everything forever” approach. Employees who believe they need to save everything get caught in a trap of their own design (or lack of) and discover it is difficult to find valuable or relevant information within the clutter. Our surveys have shown that employees waste, on average, three hours per week—typically five minutes at a time—looking for useful information within their vast stores of redundant, obsolete, and transitory files. Poor information management ends up being a significant drain on employee productivity.