In principle, document retention should be a straightforward part of a responsible information management plan. You work out what you want or need to keep, archive it securely and destroy it in line with national guidelines. Job done, what’s next?
The reality couldn’t be further from the truth.
First of all, Europe is awash with complex document retention laws. There are different laws for different types of records ─ ranging from a few months to 20 years or more. These laws differ between countries and between industry sectors and, most confusingly of all, keep changing.
Documents that are kept for too long risk breaching data privacy and protection laws, while documents that are destroyed too soon could put you in breach of e-disclosure law. So it is hardly surprising that 35% of mid-market firms in Europe have opted to keep all paper and electronic documents ‘just in case’. In terms of industry sector, 39% of financial services firms and 45% of manufacturing and engineering firms hang on to everything.
Nowhere is the impact of this widespread confusion and concern more apparent than in the case of digital communications such as emails, text messages and social media posts. In contrast to the approach above, many companies appear to be responding to these new record formats by not keeping track of them at all.
A recent study by global information trade body AIIM found that while 73% of firms now include emails in their corporate retention policies, most rely upon manual processes for deleting them. In 55% of firms, employees are left to save or delete emails as they see fit. Such an unmanaged, employee-led approach is particularly risky in view of the growing number of high-profile lawsuits that have relied extensively on email evidence, such as the recent phone hacking scandal.
An additional problem with implementing retention strategies for electronic communications such as email is that multiple copies are likely to exist on desktops, mobiles and laptops – and it can be near impossible to track down and manage all of these.
It gets worse. What should a company do, for example, when the information it needs was included in a text message exchange carried out on a work phone but deleted when the employee left the firm?
For most firms, social media content management isn’t even on the radar. The AIIM study found that less than 15% of organisations include external social media posts in their company retention schedules. This failure to treat social media as valid company records could be down to a number of factors, including a practical need to offset risk against resources. For many firms, however, the fast-moving world of social media can simply seem too difficult to track or capture.
Yet, of those firms that did treat social media posts as records, a third has made use of them. A small but significant 27% had used them to resolve a customer complaint or dispute and 17% had used them in staff disciplinary action – two areas of considerable reputational importance.
It is perhaps telling that, according to AIIM, a third of firms haven’t given anyone overall responsibility for the governance of instant messaging, mobile and external social media content. This lack of ownership suggests that the situation is likely to get worse before it gets better. This is extremely worrying in today’s increasingly litigious business environment, where both companies and consumers better understand and insist upon their rights.
Are we heading for a perfect storm as organisations are hit by more information yet insist on either hoarding or ignoring it so as not to fall foul of the constantly changing, complex retention laws? The fact that it is as dangerous to hold something for too long – such as personal data or unsuccessful job applications – as it is to destroy something too soon – such as email correspondence required for a lawsuit or details on health hazards – is clearly overwhelming many firms.
Legal organisations and information management firms have a duty of care to help companies navigate their way through this rapidly evolving landscape and seize control of all their information. The line between too soon and too late is a very fine one and we all balance better with something solid to hold on to.
Blog supplied by Christian Toon, who is responsible for developing and implementing information security policy, standards, goals and strategy for Iron Mountain Europe, provider of storage and information management solutions.