eDiscovery Daily Blog
Need a Data Retention Policy? Here’s How to Build One
Now that most industries are going paperless, companies must create a comprehensive data retention policy. The purpose of a data retention policy is to establish procedures for labeling, storing, and deleting electronic (and physical) records. [1] Most companies acknowledge the need for a retention policy, but they don’t commit to creating one. A 2000 ABA study found that 83% of the responding companies had no established protocol for handling discovery requests. Despite this unsettling statistic, 77% of the companies expected discovery requests to increase in the future. [2] Many reasons support the need for comprehensive retention policies. One of the most pressing reasons is the explosion of ESI in recent years. For instance, corporate email alone is estimated to increase annually at a compounded rate of over 13%. Without a data retention policy, an organization in the midst of litigation would be responsible for organizing large volumes of data with little time to do so. By proactively developing data management policies, companies will avoid the pressures of looming deadlines. Ensuring that information is properly handled also minimizes a company’s risk for sanctions. [1] The following is a list of steps and suggestions for developing a data retention policy.
- Do your research on relevant laws
Certain state and federal laws mandate specific preservation and deletion practices. HIPAA and GLBA are older examples of ESI regulations enacted in the late 1990s. However, states are constantly reviewing and revising their ediscovery laws, so it’s important to stay on top of any legislation changes.
- Determine when to archive or delete data
While corporations are not expected to store every single electronic document, deletions must be orderly and purposeful. The practice of strategically deleting unneeded data is referred to as “defensible deletion.” When done correctly, defensible deletion is cost-efficient, storage-friendly, and most importantly, legal. Defensible deletion is protected by Rule 37(e) of the Federal Rules of Civil Procedure (FRCP). The rule prohibits sanctions against electronic records that were lost during good-faith deletion procedures. [3]
- Review how your data is housed
In this step of the process, it’s important to ask what, where, and how. What data types are being stored, and how should they be classified (i.e. social media, email, transactions)? What are the retention policies for each medium? What’s the purpose of preserving this information? Where is it being stored, and does this location need to be changed to a better one? How long does the data need to be stored in order to comply with applicable state and federal laws?
- Monitor your policy
Regularly review your policy to ensure that your company is following its outlined regulations. If you notice that your company is deviating from the policy’s storage and deletion procedure, fix the issue as soon as possible to minimize any legal risks. Routine audits also make it easier to make policy adjustments as needed.
- Assign accountability
Determine who will be responsible for enforcing the policy throughout the company. This person or department must be well-versed on the policy’s provisions, and they must be ready to testify in court about the company’s retention procedures. [2]
- Limit your paper trail
Consider a provision that requires electronic copies of physical documents. Some companies are still hesitant to transition to completely paperless operations. Though this hesitancy is understandable, it’s recommended to save an electronic version of all paper records. This suggestion is merely that, just a suggestion. Completely converting to electronic records is not a mandatory step in creating an effective data retention policy. However, this step would speed up the process of identifying relevant data for litigation. [1]
[1] Carlos Leyva, “Data Retention & eDiscovery,” Digital Business Law Group.
[2] “Document Retention & Destruction Policies for Digital Data,” Applied Discovery, LexisNexis, 2004.
[3] Law Offices of Salar Atrizadeh, “Electronic Discovery and Data Retention Policies,” Internet Lawyer Blog, May 18, 2020.