This is the third in our series of articles looking at the proactive application of the tools we call e-discovery. This series is split into the proactive and reactive uses of e-discovery. In our last two articles ('Focus on proactive uses for eDiscovery' and 'Focus on Proactive Uses for eDiscovery: good governance') we suggested that ‘Proactive e-discovery’ can be seen as a form of ‘risk management’. By taking action either before any potentially harmful event occurs, or after it has occurred, but before it is brought into the public domain, companies can avoid or mitigate the potential fallout.
This article focuses on effective data management, exploring the ways in which e-discovery can assist in establishing an effective data management policy. Effective data management can be extremely important – having an effective document retention and destruction policy can be very beneficial, for example because it reduces the cost and space required in a retain-all policy.
There are, of course, different requirements for data retention across different sectors and jurisdictions. For example, with the implementation of the hotly debated Data Retention and Investigatory Powers Act, commonly known as DRIP, some telecoms operators may be obligated to retain customer records for up to 12 months, which could be a very high volume of data. There are also specific obligations on, for example, law firms and financial service providers.
Of course, all companies must abide by these statutory and regulatory requirements. However, there are various data management options for businesses not affected by such restrictions, which may also apply to regulated businesses on their unregulated data. We will provide a brief overview of some of the key advantages and disadvantages of three of the most commonly employed data management systems.
First would be the ‘Retain All’ policy, which pretty much does what it says on the tin. Many companies take this approach, as they believe it alleviates the risk of deleting or losing data that they may require down the line, for example in legal proceedings. However, retaining all your data takes up a vast amount of computer space and requires IT management, costing time and money.
It also leads to a potentially higher risk for the company should the system crashes or be hacked. This is because if a company loses data of which it is the considered the ‘custodian’, it can be fined a considerable amount. If a company ‘retains all’ its data, even data which is out of date or no longer of use, this can contribute to an increase in the potential fines imposed if such data is lost.
For example, an insurance company was fined £175,000 for having lost credit card details to a malicious software virus. The level of the penalty was more severe due to the fact the company had retained the old credit card details of past customers, even though many of them were from expired cards and accounts.
Another option is the ’User Retention’ policy whereby users are responsible for their own data deletion, albeit with guidelines in place. These guidelines will be bespoke to the specific organisation. However, it risks user error and it is unpredictable. It can also be a drain on IT resources, who have to train and monitor the users.
The final option considered here is the Fixed Periods policy, whereby data is automatically deleted or archived after a certain amount of time. This is a secure system and avoids the unpredictability of the User Retention policy, but there is a risk that certain information – if it is off the specific server – may not be deleted effectively and other information may be negligently deleted.
The issue of effective data management will become more prevalent upon the coming into force of the new European Data Protection Regulation. This will impose far greater fines on data controllers who mishandle the data they are responsible for. This only increases the importance of having a secure and robust document management system in place.
So how can e-discovery help in testing whether a data management policy is robust and appropriate for the company? The e-discovery team, including both the electronic platform and the legal advisors, can help identify the risks to each individual business and, whilst considering any requirements on the business, help create an effective data management policy. This will include creating document retention and destruction policies, including advice on any document holds that may need to be put in place (e.g. due to impending litigation). Through e-discovery a company will be able to thoroughly analyse just how much data it currently holds and will be able to ‘stress test’ any new policy to ensure it is effective.