The Chief Compliance Officer (CCO), CIO, VP of Legal or some other senior executive is generally deemed responsible for deciding what data is important to the organization and establishing policies for managing that data over its lifecycle. Governance requirements are simply those retention/disposition requirements that are not mandated by the government but are internally imposed, generally as part of best practices.
Generally it is easy to decide what needs to be retained: data such as contracts, customer invoices, financial records, customer lists, HR employee records, etc. Once this decision is made, there are two big problems to deal with: deciding upon the retention duration and executing disposition.
Retention is simply how long to keep a class of data. For instance, how long should an employee’s HR record be kept once the employee leaves the organization? How long after the execution of a contract does it need to be retained? In some cases there are government regulations or industry norms to follow, and in others it boils down to a benefit versus cost versus risk equation. Email is by far the thorniest of all content for which to decide a retention period.
The second problem is how to enforce the retention policy with data disposition. Courts frown on corporate policies that are not consistently enforced. If you are not using an archiving system with automated retention and disposition capability, this is a thorny issue. How will IT capture, monitor and execute the policy? How will the records management staff validate that the records management policies are being followed? It has been my experience that this dialogue is like having a classical music critic talk to a rap artist. Even though they CAN speak the same phonetic language they CAN’T understand each other – and this is one of the tar pit issues that corporations are neglecting to address.
The organization’s policies for retention, disposition and legal hold need to be understood PRIOR to buying an archival storage system. This requires getting the stakeholders and implementers into a room and hashing it out. Many times in my career I have been called by customers after they purchased something asking why they can’t do a particular task with their 6-9 month old archive system. For example, most archival storage systems enable the setting of retention at either the archive, volume or directory level. Therefore, ALL files in that container have exactly the same settings.
Buyer Alert: The question to ask the vendor is whether the retention clock is triggered by the original file create date attribute or by the date when the file is ingested into the system. If the retention policy is 7 years for a class of data and the file is 5 years old when the new archive system is installed, the remaining retention time is 2 years. Thus, if the archive system manages retention based upon ingest date, that file should not be commingled with new files in that class of data. Rather, a second archive, volume, etc. needs to be set up with retention of 2 years, another with 1 year, etc.
How to manage this issue needs to be taken into consideration when planning the migration of the data from the legacy system to the new archival storage system. Can your migration project apply filters to data so that based upon the filter policy it gets directed to different target locations?
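An added example, not from the original post: a migration filter for an archive whose retention clock starts at ingest. It computes each legacy file's remaining retention from its create date and routes it to a container with that retention; the policy table, container names and sample inventory are assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumed policy table (constructed values): data class -> retention in years.
RETENTION_YEARS = {"contracts": 7, "invoices": 7, "hr": 5}

def add_years(d, n):
    """Shift a date by n years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def remaining_years(created, policy_years, ingest):
    """Whole years still owed at ingest, rounded up so nothing expires early."""
    expiry = add_years(created, policy_years)
    years = 0
    while add_years(ingest, years) < expiry:
        years += 1
    return years

def route(record, ingest):
    """Name the target container for one file (container names are hypothetical)."""
    policy = RETENTION_YEARS.get(record["class"])
    if policy is None or record["created"] > ingest:
        return "manual-review"        # unknown class or create date after ingest
    left = remaining_years(record["created"], policy, ingest)
    if left == 0:
        return "disposition-review"   # past retention; check legal hold first
    return f"{record['class']}-retain-{left}y"

def plan_migration(records, ingest):
    """Group file names by target container."""
    plan = defaultdict(list)
    for rec in records:
        plan[route(rec, ingest)].append(rec["name"])
    return dict(plan)

# Constructed sample inventory from a legacy system.
INGEST = date(2024, 1, 1)
SAMPLE = [
    {"name": "msa-acme.pdf", "class": "contracts", "created": date(2019, 1, 1)},
    {"name": "msa-new.pdf", "class": "contracts", "created": date(2023, 12, 1)},
    {"name": "inv-0042.pdf", "class": "invoices", "created": date(2019, 6, 30)},
    {"name": "hr-jdoe.pdf", "class": "hr", "created": date(2018, 6, 15)},
    {"name": "scan-001.tif", "class": "misc", "created": date(2020, 1, 1)},
    {"name": "inv-bad.pdf", "class": "invoices", "created": date(2025, 3, 1)},
]
```

Rounding up to whole years keeps a file slightly longer than the policy requires rather than disposing of it early; finer container granularity shrinks that margin.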
Just because Governance Rules are internally decreed does not mean that adhering to them will be easy. Therefore it is advisable for the person or group that is responsible for establishing the retention policies to publish a draft proposal. Then have a candid discussion with IT and other stakeholders as to the practicality of executing the policies prior to publishing the final policies.