Saturday, March 6, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

Data Retention: “Do I Really Need to Keep This?”

Navigating the Information Age Without Saving Everything

by Caitlin Kasmar
February 19, 2019
in Data Privacy, Featured
closeup of delete button on black keyboard

Data retention is a persistent challenge for in-house counsel, but developing workable information governance policies and procedures needn’t be a taxing exercise. Buckley LLP’s Caitlin Kasmar highlights the importance of being equipped with the right advice at the right time to save in-house counsel the stress of dealing with the challenges of document retention compliance.

The posture of in-house counsel toward information governance and data retention is in the midst of a noticeable and rapid shift from “are we retaining the right information?” to “please, please tell me I can get rid of some of this stuff.”

Those urgent pleas are fed not by data storage costs, which continue to decline, but by savvy in-house lawyers anticipating a subpoena or lawsuit, confronting a decade’s worth of retained emails and calculating compliance costs.

How are in-house counsel expected to advise their business clients on data retention when, in the typical company, numerous legal holds have piled up over time, executives may be effectively exempt from whatever retention/destruction policy is in place and no audit process exists to ensure records are actually deleted in compliance with the policy? The right advice at the right time can save in-house counsel the stress of dealing with these tricky — and, let’s face it, not particularly glamorous — issues.

The ideal approach to information governance and data-retention policies involves a comprehensive review of where data is stored, what technologies or software are no longer used, what archives exist and what happens to data when employees leave. This review would also examine current policies and procedures for data retention and destruction.

But in-house counsel rarely operate under ideal circumstances, where time and resources are unlimited. Instead, legal and compliance departments are notoriously cost-constrained and often prefer a more surgical approach. A more limited review, when designed correctly, can be effective in spotting major issues and solving immediate problems. For example, if there is one particular data repository that has never been culled and the data is sensitive in nature (customers’ personally identifiable information, for example) and is of limited or no real use to the company from a business perspective, such data could be tackled in a more surgical way (i.e., deleted, potentially, as long as there is no other legal or business reason to retain it).

Similarly, there are easy and automated ways to adjust retention settings on most major email and messaging systems that companies can deploy immediately to reduce what is retained going forward. (Of course, these automated settings need to be overridden in the event that a legal hold is put in place.)

The best course is to draft policies and procedures that work in practice rather than just on paper — in other words, those drafted with input from the various business lines impacted by the policy and that actually make sense in light of the company’s retention obligations and business needs — and then to ensure those policies and procedures are implemented. Implementation is, of course, the trickiest part, but once a workable policy is in place, in-house counsel, working with IT, can methodically revisit each area of the company to ensure the correct records are being retained. This can be accomplished with a hands-on approach (e.g., conducting interviews, auditing company systems) or, if the concerns about compliance and retention are less serious, by simply asking individuals or groups of employees to self-certify that they’ve reviewed the policy and have conducted whatever audit is required. Of course, as with any self-certification plan, counsel and IT should follow up with random audits from time to time to verify and document compliance.

Creating workable information governance policies and procedures does not need to be a terribly taxing exercise, and it can result in very real cost savings to the company. Third-party validation of current policies can reduce the burden on in-house counsel and ensure that company policies meet best practices that are constantly evolving. And, when the next subpoena comes in the door, the CEO and CFO will hopefully remember to thank the legal department for going through the effort.


Tags: information management
Previous Post

4 Takeaways From an Unusual Sexual Harassment Case

Next Post

FINRA’s Move to Foster Regtech

Caitlin Kasmar

Caitlin Kasmar, a Partner in the Washington, D.C. office of Buckley LLP, advises clients on risk management strategies and compliance with various federal and state laws and regulations affecting the financial services industry. As Co-Chair of Buckley’s e-Discovery Committee and leader of the firm’s FORTÉ e-discovery service, she has extensive experience negotiating information requests from federal and state investigative bodies and handling all aspects of discovery in civil cases. She also advises on information governance policies and procedures and has assisted clients in drafting or revising such policies in accordance with current best practices.

Related Posts

green and red location markers on map

FinCEN’s Registry Will Be a Game-Changer. It Will Also Place an Added Burden on Corporations.

March 5, 2021
illustration of man under giant gavel

BitPay’s $507K OFAC Sanctions Violations Settlement

March 4, 2021
The facade of the SEC in Washington, D.C.

Prepare Now to Comply with SEC’s Updated MD&A and Related Financial Disclosure Requirements

March 3, 2021
Illustration representing a facial recognition technology scan of a face.

Facial Recognition Technology in the Workplace: Employers Use It, Workers Hate It, Regulation Is Coming for It

March 3, 2021
Next Post
man in suit using virtual screen with regulatory compliance app

FINRA’s Move to Foster Regtech

OneTrust offers download to demonstrate privacy management leadership
Access realtime data
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence ESG fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights