DaveWentzel.com            All Things Data

What is a Data Retention Plan (Part 3)

This is Part 3 of my "Data Retention Plan" series.  If you are a data architect you really need to understand data retention from many different perspectives.  In the first post I covered technology considerations for data retention.  These are probably no-brainers for most data architects.  In the second post I covered some of the functional issues around data retention that I have seen.  In this post I want to cover ensuring compliance and the bare minimum you should know as a data architect with regard to data retention.  This is the integration of the functional and technical concerns.

Electronic Discovery Requests

Electronic discovery refers to the gathering of information stored on computer systems (aka Electronically Stored Information or ESI) during the litigation process.  It doesn't matter what policies your data governance team has mandated if no one knows how to handle an e-discovery request.  

Your data governance team should insist that no IT employee destroys data unless a documented audit trail, signed off on by the data governance team, is followed.  Even if an IT employee is threatened with termination by a superior, the process must be followed.  Never destroy data like Arthur Andersen did.  At a minimum, have employees sign off that they have been given the plan.

Obviously you first need to know what to put in your e-discovery plan.  You should first research and comply with Rules of Federal Procedure 26.  This should be your basic outline.  Rules of Federal Procedure 16 is also relevant.  These rules ensure you are releasing "just enough" information to fulfill the request, and nothing more.  This is important.  You certainly don't want to needlessly aid a plaintiff who wants to go on a "fishing expedition".  Your legal department will need to help you determine what will fulfill the e-discovery request, but a familiarity with these Rules will help you help yourself.

Civil Depositions

Most data architects and data governance team members will not need to participate in civil depositions, but it's helpful to be familiar with the rules here as well.  Rule 30(b)(6) covers civil deposition rules.  I would definitely advise you to glance at the rules now and know them by heart if you ever need to be deposed.  Your legal team will definitely be involved at this stage.

Ensuring Compliance

How do you ensure compliance with a data retention plan?  Fire drills are the easiest method and come in at least 2 flavors.  First, there are disaster recovery fire drills.  Here we are ensuring that, from a technical perspective, we can rebuild any data we would need in order to satisfy a discovery request.  Second, consider a data retention fire drill where you pretend an electronic document discovery request has been received and your team carries out the request as quickly, thoroughly, and transparently as possible.  Your legal department and data governance team should be able to mock up some scenarios where a request will come in for data.  You should assume outliers during this process, such as subpoenas being received by your data center and not your legal department.  Make sure whoever receives the request responds appropriately with the correct authorizations.

Conclusion

I worked for a Big Four (it was Big Five at the time) firm when the Enron debacle hit.  I know from experience how the lack of a good data retention plan and data governance team can swamp not just a company, but individual reputations.  
