The evidence shows that key law players have been surprisingly slow to commit to a comprehensive data retention policy. The American Bar Association’s 2017 Legal Technology Survey Report found that only 60% of respondents “have a policy on how to manage the retention of company information / data.” The figures are even lower for companies with fewer than 50 employees: 45% for individual respondents, 57% for companies with 10 to 49 employees and 53% for companies with 2 to 9 employees.
An inferior data retention policy is risky in any area, especially when it comes to legal work. Organizations need to ensure that former employees do not have access to data when they leave, data is securely organized and stored, and employees have consistent standards for using personal devices.
Here are five steps to implementing a thorough data retention policy:
1. Perform a data audit.
Data monitoring is one of the most important components of retention, although it can be difficult to keep track of who is storing and interacting with content. Take an inventory of where data is located and how it varies on a departmental basis. Data can be stored in the cloud, on-site and in the form of print documents. Make sure employees are held accountable for the data they create and how they are properly stored.
2. Simplify data classification.
Many data classification protocols are complex and do not always produce practical results. Instead of creating many granular classifications, companies should create one-sided protection standards. Whether the data is customer-centric or financial, it should be stored on a secure platform with access controls to limit the number of end-user touchpoints.
3. Outline the retention rules.
Poorly rendered bring your own device (BYOD) policies can make it difficult to keep track of where data is. So far, only 42% of organizations have taken the first step and written specific BYOD policies. Whenever possible, prioritize retention rules that move data offline and into secure environments.
4. Implement the policy.
From transmitting sensitive data over public WiFi networks to storing unsecured data on personal devices, there are numerous security loopholes. To keep customers safe and avoid a data disaster, legal sector companies must communicate the value of a data retention policy to their employees. The guideline should describe in detail the life cycle of data in closed cases. By communicating these expectations, employees are more inclined to conform.
5. Review the processes.
Perform an annual review after implementing a data retention policy. This gives time to review current processes, address systemic concerns (if any), and change policies to reflect organizational changes, staff growth, and so on. Audits also offer the opportunity to reward employees for compliant behavior.
These five steps can serve as a guide for organizations working on implementing data retention policies. Don’t fall victim to the possibility of losing track of company data and who has it. Protect your customers and take protection seriously.