How to Implement a Defensible Disposition Strategy
Building defensible disposition into your Information Governance strategy is crucial to the success of any organization. The accumulation of information, whether in hard copy or digital files, grows every day at an exponential rate.
Organizations are unsure of what data to keep, what to dispose of, and how to do it. However, failure to dispose of data properly results in over-retention, which can lead to legal ramifications.
What is defensible disposition?
Defensible disposition is part of your Information Governance strategy and a proven way to control your information by actively separating the data that needs to be stored from the data that can be safely disposed of. It involves assessing the risk associated with each individual record based upon predetermined retention parameters. Once data is determined to be no longer needed by an organization, it can be sent for secure destruction.
The Risk of Over-retention
Retaining all of your organization’s records may seem like the safest route to protect your business information against unexpected future threats. However, most companies don’t realize the associated risk of holding onto excess data, whether it’s in physical or electronic format.
A recent Ponemon Institute/IBM Security study found that the average cost of a data breach is $8.19 million – or $242 per record. Globally, the healthcare industry possesses the highest breach costs, with mitigation costs averaging $6.45 million.
Over-retention of records absorbs valuable resources throughout an organization. Not only does over-retention slow down your staff's productivity with minuscule filing/refiling activities, but it also consumes prime office space. You can avoid these inefficiencies simply by implementing defensible disposition into your Information Governance program.
How to Build a Defensible Disposition Strategy
A defensible disposition strategy is a natural stage of the information lifecycle. It provides the consistency, transparency, and predictability of the disposition of records in the context of business and legal compliance. Here are a few steps to get your disposition program started:
1) Determine Your Disposition Targets
A smart way to kick off your disposition program is by identifying all of your data targets. At this stage, it’s crucial to receive input from various departments such as legal, IT, management, HR, compliance, and executive management. Receiving buy-in from multiple departments allows you to gain a universal understanding of how each department uses information in its business processes.
Rather than analyzing the oldest information at the beginning, work your way backward by reviewing new information first to get it under control sooner. Be sure to review your records policies, retention schedules, and disposition policy for any updates that are required. Additionally, it’s recommended to assess the regulatory, legal, and business requirements for storing your information.
2) Set a Destruction Plan for Short-term Documents
Remember that your disposition plan is not a one-time event and could take months, even years, to implement. During your assessment, it’s recommended to allow your employees to save their working documents in a central repository.
Working documents are short-term, transitional documents that staff need to complete their jobs. Once materials are no longer needed, delete them after an established time frame, such as every 2-3 years.
3) Develop Your Disposition Strategy
Before discarding information, you’ll want to consider how you plan to dispose of it. Rather than deleting all of your obsolete documents at once, try setting parameters for deleting information in stages.
During the development of your disposition strategy, you may want to:
- Seek legal counsel to ensure compliance with regulations
- Establish policies for temporary working documents
- Plan meetings to review employees’ working records to confirm they’re deleted according to retention schedules
- Clean out email inboxes according to rules
- Have your IT department use crawling tools to identify data ready for deletion
- Categorize similar records into groups (e.g., invoices, employee, department)
4) Form a Technology Plan
With the advancement of information technology, it has become easier to ensure information is reliable and protected. Forming a technology plan allows you to use available software to access and dispose of information in your organization.
By working with an information management vendor that offers inventory management software with retention schedule features, you can manage and track information assets throughout their lifecycle. For documents that have met their retention period, securely destroy them using professional shredding services to comply with federal and state disposal laws.
5) Time to Execute
The execution of your disposition plan requires both time and patience, but don’t lose focus. Remember that disposition is an essential part of Information Governance, which complements and reinforces your organization’s unique business approach.
As you carry out your plan, you may want to perform an ongoing assessment of your policies, ensuring they’re up-to-date and align with your objectives.
The following steps may be included in your execution:
- Assess all records and data that need to be destroyed
- Receive executive buy-in and departmental approval before record deletion
- Check record logs for legal holds
- Authorize approval on the final list
- Securely destroy your records