Data Retention: Law & Technology

The approach recommended by this tutorial is people and process centric. Platform (i.e. technology) initiatives only make sense after the critical people and process issues have been addressed. That said, the approach does include the development of a technology framework within which platform solutions can be implemented. In short, the proposed approach is integrated and comprehensive. It encompasses the legal, business and technical implications inherent in the development of an effective ERM policy.

Also, the approach is premised on the fact that the development of an effective ERM policy can only be accomplished via a collaborative project based initiative. There is far too much complexity for policy development to proceed sans the input of key organizational stakeholders. This implies sufficient process to meet organizational objectives, but no more. It does not imply the other extreme, which typically mandates committee formation, meetings and study. The latter tends to lead to "analysis paralysis" without much being accomplished despite the expenditure of significant time and resources. The recommended approach strikes a balance that is designed to drive results.

Before further discussion, it is critical that key terms be defined. The following list provides more precise definitions of key terms used throughout the remainder of the tutorial.

1. Record: any recorded information that is created, received, or maintained by an organization in the transaction of business, in pursuance of legal obligations, or in the conduct of day-to-day activities and kept as evidence of such 
2. Record Type (RT): a classification of a record that fits into the organization's record taxonomy (e.g. contract, accounting, legal, etc.)
3. System of Record (SOR): is the electronic information storage system which is the authoritative data source for a given record or RT
4. ERM: is the conceptual and electronic implementation of the processes that control the end of life of an organization's records
5. ERM Policy: is the legal, operational and business governance mechanism that controls the ERM

Notice that the policy definition is quite broad. This is as it should be. A policy must represent more than just a document. It must be a "living thing" with the requisite electronic enforcement capabilities. Sans the latter it becomes vacuous for all intents and purposes. That is, it is likely to be of little value either operationally or legally.

There is simply no way that a document alone can provide operational value from day to day, quarter to quarter, and year to year. Likewise, no credible "good faith" legal argument can be built with a document as its only foundational support. In order for an ERM Policy not to become just one more organizational dead letter, it needs "electronic and procedural teeth."

The process by which this is accomplished is discussed in the next two sections: 1) Capturing the "As Is"; and 2) Developing the "To Be." However, before proceeding it is instructive to consider for a moment what is meant by a "living document" and the abstraction represented by the phrase "electronic and procedural teeth." A good way to think about this is embodied in Peter Senge's seminal book "The 5th Discipline" and the Systems Thinking concept developed therein. A good summary of the book's foundational concepts is found here.

An effective ERM policy provides governance not merely by the operative words that it contains (e.g. a purchase order must be retained for the following period of time), but by the description (i.e. blueprint) of the system required to ensure compliance. Given that we live in an electronic world, this blueprint must describe the technological computing framework by which governance is enabled and the organizational processes that underpin it.

In other words, the policy is a "living document" with "electronic and procedural teeth" when it describes the system by which compliance is achieved and the roles and responsibilities of various organizational stakeholders required to administer it.