EUIST


The seven deadly sins of archiving digital information

November 29th, 2006

Previously we addressed:

Preserving access to digital information 1 – emulation or migration – risk and cost issues

Preserving access to digital information 2 – emulation or migration – risk and cost issues

As the above contributions showed, archiving is, as we all know, an important issue if we want to achieve legal compliance.

But even if companies address the issues as outlined above, when we check up on policies, procedures and implementation for archiving digital information, we often find that the enterprise has fallen victim to one of the seven deadly sins. In turn, the firm may be vulnerable to litigation, regulator-administered fines and negative publicity that could damage the brand as well as the firm’s reputation.

We went to the trouble to write down the seven deadly sins that an organization must avoid in order to succeed in archiving digital information. Not only will this help in being legally compliant but, as importantly, avoiding the seven deadly sins will allow the organization to have access to archived information quickly and cheaply when required.

The seven sins about data retention are not listed in order of priority. Nonetheless, they indicate that there are a few things one might forget and, in turn, the whole policy is rendered useless. So consider:

1) Assuming everybody does it the same way in the global economy

The biggest mistake IT managers make when researching archiving is to not fully understand the cross-national context of the issue. Hence, regulatory and legal compliance beyond national borders must be considered (e.g., data retention), and the location of customers could result in particular challenges (e.g., California – SB 1386).

To illustrate, retention regulations for employment records vary widely across countries and may go to 15-plus years in some cases. It is easier for employees to follow one retention period that meets all retention requirements for all employee-related records than to try to remember many different retention periods across countries.

As a result, creating high-water marks for retention periods is required. Such high-water marks must meet all regulatory requirements in the markets in which the firm does and intends to do business (see also point 3 below).

2) Superficially addressing legal requirements for archiving

Often, companies react to a single problem of concern, such as an audit suggestion, and rush out to buy archiving technology for Sarbanes-Oxley compliance.

Unfortunately, there may be overlapping regulators with jurisdiction over parts of the capital or insurance markets, to mention two examples, in addition to international regulations that the firm may have to adhere to in order to be compliant (e.g., Basel II).

3) Not clearly spelling out which types of records are part of the retention policy and which timelines are to be used

While the legal requirements determine what retention timeframes must be imposed, creating ‘high-water marks’ for similar types of documents is required. It does not make much sense to use different document retention timeframes across business units, regional markets or countries, since this is destined to result in problems down the road (see points 1 and 2 above).

The timeframes for archiving, and how often archiving happens, must be set. The policy will also have retention timeframes for all types of records in a company including:

– unstructured data like Microsoft Office files,

– semi-structured records like e-mail and

– structured records like mainframe databases.

The organization will also want to create retention schedules that employees can easily follow and remember.

4) Failing to periodically do a regulatory check-up

Very few companies have an up-to-date data retention policy. An effective document retention policy will address:

– what the document retention policy covers,

– the company data retention philosophy, as well as

– responsibilities and procedures.

But the policy requires updating to reflect new regulations and judicial rules of evidence. Government regulatory agencies and the courts expect companies to be fully aware of new regulations and laws including e-discovery.

5) Having an up-to-date data retention policy that is too long and complex

Very few companies have a simple and straightforward data retention policy. Failing to make the archiving and retention policy short and simple will make it difficult for employees to follow and adhere to it.

The less complicated the policy, the more uniform the archives and the easier following the policy will be. KISS (keep it short and simple) will make it easier for employees to implement and follow the policy properly.

Most importantly, such a policy is least likely to adversely affect the employees and their day-to-day work.

6) Not satisfactorily addressing the preservation of access to digital data and cost issues

Policies and procedures regarding data retention must take into account productivity or storage problems. In particular:

– technological obsolescence,

– compatibility threat and

– preserving access (how long)

all require careful study. What could be accessed yesterday using certain software versions and operating systems may fail to work tomorrow or 15 years later when it is demanded by the judge.

A digital retention policy that assures the accessibility of digitally archived documents cannot be effective if cost issues are not taken into careful consideration.

7) Not informing everybody companywide about the data archiving or retention policy and keeping them aware of it

Employees must be informed about the new, changing and/or existing policy. As well, employees must understand why it was created and its legal, regulatory and other foundations.

As importantly, employees must understand what the consequences are for the firm when they fail to follow the policy and what this means for them personally. For instance, certain types of communication should not be conducted using e-mail, instant messaging or VoIP, to avoid having them archived and possibly used in the e-discovery process sometime in the future.
