Manage Learn to apply best practices and optimize your operations.

Records retention management: Arm yourself against regulatory scrutiny

Learn how to build a records retention management system that protects you against regulatory scrutiny, satisfies e-discovery requests and manages capacity.

What you'll learn in this tip: Learn the 10 steps to building a strong records retention management system that...

satisfies e-discovery requests and protects your firm against regulatory scrutiny.

A reliable records retention management system is an indispensable weapon against increased regulatory scrutiny and litigation. A bulletproof records retention program that satisfies government regulatory requirements and court-ordered e-discovery requests includes a solid data archiving system and smart data retention, deletion and management policies.

"The tool to combat [ongoing data growth] is records management because it's the [records] retention schedule that gives an institution permission to get rid of the junk," said Barclay Blair, president at ViaLumina Group, an information governance consulting company.

Building a records retention system that includes data from multiple sources such as files, email, customer-relation software, accounting and social media can be daunting. However, following these 10 steps can help you build a strong records retention management system.

1. Try an SRM tool for transparency

According to Greg Schulz, founder and senior analyst at Stillwater, Minn.-based StorageIO Group, a storage resource management tool (SRM tool) can help you discover relevant networks, devices, applications and data repositories in your environment. These tools can also help assess and manage your data growth.

Jeff Boles, a senior analyst and director of validation services at Hopkinton, Mass.-based storage industry analysis and consulting firm Taneja Group, recommends that IT administrators not only capture everything in their current environment, but think about the future.

"Look beyond the bounds of this single system you're building," Boles said. "How you're making information portable; how you're trying to extend value from information outside the enterprise walls; and how things like the cloud, for instance, might come to play inside your retention architecture."

2. Define the scope of your records retention system

What specific issues are you addressing with your retention system? Are regulatory requirements forcing you to implement a records retention strategy? Is litigation a concern? Your retention system could turn into a bureaucratic nightmare without the proper focus and direction. And don't forget a good data deletion policy that can get your business records retention in order and help fight escalating storage capacity needs.

Schulz said establishing the proper scope of your system will help determine which departments will be involved and how a system can meet legal, business and storage optimization needs. "One of the most common mistakes is the perception that record retention is only for regulatory compliance purposes," Schulz said.

Taneja Group's Boles also recommends clarifying how accessible the data must be once it enters the retention system. Are there records that must be securely locked down for regulation purposes and other data that must remain somewhat accessible, such as e-discovery records? If so, consider duplicate back-end storage systems with different levels of access so the records you need remain available. If some data needs to be in both systems -- locked down for auditing purposes, but still necessary for business needs -- it's a good idea to replicate that data between the systems.

3. Check your toolbox before buying more

When setting up your records retention management system, StorageIO Group's Schulz recommends taking an inventory of your existing assets. You might already have technology that can help build your retention system, including SRM, data movement, automated tiering, data archiving and document management tools. Once you know about your existing tools, determine which additional tools you'll need to acquire based on the scope of your records retention system.

"A common mistake is racing out and buying the tool and then figuring out what you're going to do with it," Schulz said.

Besides knowing what you have, you must know what you need. For example, if you have one e-discovery situation a year, you don't need a multimillion dollar solution.

4. Records retention is not the same as data archiving

Because a legal or compliance officer is usually driving the bus, if you don't keep storage and overall IT needs in the discussion, they could quickly be forgotten or misunderstood.

For instance, Kenneth Chin, a research vice president at Stamford, Conn.-based Gartner Inc., said many people confuse data archiving systems with records retention systems. Data archiving systems will store your data for long periods of time, but records retention systems manage files with greater granularity so you can establish detailed records retention schedules. Records retention management systems are often features of larger content management solutions.

ViaLumina Group's Blair said you should make sure everyone understands the legal difference between record retention and record preservation, which have different requirements and can cause a lot of confusion.

"Retention refers to what we do during normal business operations," Blair said. "Preservation is what we do when normal business operations are suspended because we have litigation or a regulatory investigation. In the retention scenario, we keep and throw away stuff based on an opinion about its value. In the preservation world, if it's responsive and relevant to the litigation, the law is clear that we keep that until the litigation has resolved. I talk to a lot of IT people who conflate the two concepts."

5. Establish a master records retention schedule

Blair stressed the importance of setting up a reasonable records retention schedule that won't overwhelm your users or bog down your network.

He strives to create retention schedules with fewer than 100 entries, even when he works with multibillion-dollar companies.

If your organization is too large or has too much data to delineate by record, you should manage them at the systems level. "The reality is that it may not be practical to manage records at the document or record level," Blair said.

Many records may exist in multiple systems. For example, email messages can be found in email systems and customer relationship management (CRM) systems. You may decide that all email messages sent to customers will only be retained through the CRM system, not both. Just make sure the designated system captures all the required records before deleting those records from other systems.

6. Do a proof of concept

Don't forget to check how easy it is to remove a records retention management system from your environment and get your data back. "The trend, more and more, is keeping information for longer periods of time, particularly if it's data that doesn't put you at risk," StorageIO Group's Schulz said.

In addition, you should ensure that your system has an easy data migration path if you upgrade or switch vendors.

7. Make sure the storage group's voice is heard

A records retention implementation usually isn't launched by IT, but by the legal or compliance office. Unless somebody from the storage group becomes active early in the process, data storage can become an afterthought in the planning phase -- and that can make things difficult for everyone when it comes time to put the plan into action.

Storage should be represented on an interdisciplinary team that will design a comprehensive system that covers all the necessary networks, applications and data custodians.

8. Automate your records management solution when possible

Gartner's Chin recommends using record and data management systems with as many automation capabilities as possible to remove the possibility of human error. "You really can't implement a records management solution in today's times without automating as much of the process as you can," he said. "That's one of the biggest challenges we see."

9. Educate and train your users

You may be able to automate some of the retention and deletion process, but not nearly all of it. Users will likely have to make some of the decisions, so make sure they're up to speed on the policies and processes.

"If you're talking about a records management initiative, you're talking about involving everyone within the organization because everyone is generating records," Chin said. "And getting users to understand the need and buy into the system is one of the biggest challenges you face."

10. Establish an auditing program

All the work you do implementing records retention management will be for naught if you can't prove to the world that your system captures and secures all your relevant business records against alteration and deletion.

Brian Babineau, a senior consulting analyst at Milford, Mass.-based Enterprise Strategy Group, said you must be able to prove to government regulators and the courts that the records retention program preserves the integrity of your business records. So beware the old legal saying: "It's not what you know, it's what you can prove in court."

BIO: Todd Erickson is a News and Features Editor for the Storage Media Group.

Dig Deeper on Data storage compliance and regulations