- Understand what your main problems are before you purchase technology.
The biggest mistake IT managers make when researching email archiving is to not fully understanding the reasons for email archiving. Often, companies are reacting to one problem of concern, such as an audit suggestion, which leads to rushing out to buy email archiving technology for Sarbanes-Oxley compliance and not taking into account productivity or storage problems. Most companies will have more than one problem that can be solved with email archiving. Whether it be regulatory compliance, litigation support or storage management, make sure you understand all of your needs before you take the next step.
- Create or update email retention policy to reflect today's business needs.
Very few companies have an up-to-date data retention policy. An effective document retention policy will address what the document retention policy covers, the company data retention philosophy, responsibilities and procedures. It will also have retention timeframes for all types of records in a company including unstructured data like Microsoft Office files, semi-structured records like email and structured records like mainframe databases. You will also want to create retention schedules that employees can easily follow and remember. Make these documents short and simple. Also document how long you will keep records (including emails).
- Periodically perform a legal or regulatory refresh.
When you have a data retention policy, be sure to review it annually. Regulations and laws change regularly, and so must your data retention policy. New regulations are created regularly as well as judicial rules of evidence. Government regulatory agencies and the courts expect companies to be fully aware of new regulations and laws.
|The 5-second rule
|Keep it simple: A policy that requires an employee to search through pages and pages of retention schedules for a specific document probably won't be followed. If it takes employees more than five seconds to decide how long a document (including an e-mail) should be retained, they probably won't do it.
- Include all stakeholders: legal, compliance, HR, finance, investor relations, engineering, production and administration.
A data retention policy affects every employee in the company and should reflect input from everyone. Create a cross-functional team that represents most business operations or departments. Interview a wide sampling of employees and departments to determine how and why they create documents; if they re-use or reference them later; and where they store the documents. This helps you create a retention policy that won't adversely affect the employees and their day-to-day work.
- Focus on similarities in laws or regulations and create "high water mark" retention lengths.
Multipage retention schedules are rarely effective or followed. Simplify them as much as possible. Most data retention requirements are for minimum retention periods. Create "high water marks" for similar types of documents. For example, retention regulations for employment records vary widely from one year to 10-plus years. It is easier for employees to follow one retention period that meets all retention requirements for all employee-related records than to try to remember many different retention periods. Creating high-water marks for retention periods will also make it much easier to adopt automated email archiving processes.
- Socialize your policy companywide.
Be sure to adequately inform employees about the new or existing policy and make it easily accessible. Many employees don't know if their company has a data retention policy or where to find it if there is one. All employees should be "trained" on a new policy, including knowing why the policy was created (legal, regulatory or other); how to use any new technology associated with the new policy; and consequences for the company and employee if the policy is not followed. Offer annual training refreshers.
- Don't attempt to teach employees to subjectively recognize "business" records.
It is very difficult to create a uniform archive across a company if you are asking employees to individually decide which records are business records and what can be archived. For example, in a company of 1,000 employees, you will have 1,000 different retention policies if you rely on employees to interpret the policy and make archiving decisions. The less complicated the policy, the more uniform the archives will be.
- Don't forget the email use policy.
Even when you have a data retention policy, you should still publish an email use policy that informs the employees of their responsibilities, including things they shouldn't do, privacy expectations and consequences for system misuse.
- Move email retention from a manual process to an automated process.
Take email archiving out of the hands of employees. Automated email archiving will ensure uniform archiving, increase employee and IT productivity and most importantly, put in place a system that can ensure no message protection if a litigation hold procedure is instituted.
- Discourage employees from creating personal archives (PSTs).
Most employees, in companies without email archiving automation, create their own "personal archives" or PSTs for many reasons. They create them for future protection, for reference or re-use. This adversely affects employee productivity. If the company is capturing email traffic, employees won't need to spend time trying to find, access and creating archives.
Bill Tolson is practice manager for Contoural Inc., an independent provider of business and technology consulting services that focuses on compliance, intelligent data management and storage strategy.