The evidence shows that major players in the legal field have been surprisingly slow to commit to a comprehensive data retention policy. The American Bar Association’s 2017 Legal Technology Survey Report found that only 60% of respondents “have a policy to manage retention of information/data held by the firm.” For firms with fewer than 50 employees, the numbers are even lower: 45% for solo respondents, 57% for firms of 10-49 employees, and 53% for firms of 2-9 employees.
A substandard data retention policy is risky in any field, but especially when it comes to legal work. Firms must ensure that former employees don’t have access to data when they leave, data is organized and stored securely, and workers have consistent standards for the use of personal devices.
Here are five steps for the implementation of a thorough data retention policy:
1. Conduct a data audit.
Data oversight is one of the most important components of retention, though it can be challenging to track who is storing and interacting with content. Take stock of where data is and how this varies on a departmental basis. Data might be housed in the cloud, on-premise, and in the form of print documents. Ensure employees are held accountable for the data they produce and its proper storage.
2. Simplify data classification.
Many data classification protocols are complex and don’t always yield practical results. Rather than create many granular classifications, firms should create unilateral standards for protection. Whether the data is client-facing or financial, it should be housed on a secure platform with access controls to limit the number of end-user touchpoints.
3. Outline retention rules.
Poorly rendered “bring your own device” (BYOD) policies can make it difficult to track where data lives. As of now, only 42% of firms have taken the first step and written specific BYOD policies. If possible, prioritize retention rules that move data offline and to secure environments.
4. Implement the policy.
From transmitting sensitive data over public WiFi networks to storing unsecured data on personal devices, vulnerabilities abound. To keep clients safe and avoid a data catastrophe, businesses within the legal sector must communicate the value of a data retention policy to their employees. The policy should detail the life cycle of closed-case data. By communicating these expectations, employees are more likely to engage in compliant behavior.
5. Audit the processes.
Following the implementation of a data retention policy, conduct an annual audit. This allows time to review current processes, address systemic concerns (if any arise), and amend policies to account for organizational changes, personnel growth, etc. Audits also provide an opportunity to reward employees for compliant behavior.
These five steps can serve as a guide for companies working to implement data retention policies. Don’t fall prey to the possibility of losing track of company data and who has it. Keep clients safe and take protection seriously.
