1. Establish a corporate compliance team – don’t rely on the business to define how records should be managed in their business with regulations like the GDPR. A global enterprise will need to comply with several thousands of legal requirments for how records should be managed. The business will know the value of information over time, but the correct retention and security classification should be set by a corporate compliance team consisting of legal, compliance, privacy, IT, and information management experts.

2. Ensure compliance by design – don’t force users to manually identify, capture, and classify all your electronic records. Automate records management based on past history, role, content, storage location, metadata, and/or machine learning.

3. Go for big buckets – don’t waste time creating lots of retention schedules. The more buckets, the more options, the more errors, the more complexity. Minimize instead the number of retention schedules to make it easier for users and machines to pick the right retention.

4. Ensure your corporate requirements cover your local requirements – don’t waste time and resources implementing different retention schedules for different locations. Set your corporate requirements based on the toughest requirements. For example, if financial information needs to be kept minimum 10 years in the EU, and 7 years in the US, make then 10 years your corporate retention requirement. If HR files need to be deleted maximum 5 years after an employee leaves in the EU, and never in the US, make then 5 years your corporate retention requirement.

5. Get rid of disposition reviews – don’t waste time on manual disposition reviews at the end of the retention. A manual review may make sense for Iron Mountain boxes, but not individual records. As an example, 10% disposition reviews of 10 mill records with each review taking 15 minutes, is 31,250 days. Do automatic disposition for records that can’t be kept permanent.

6. Minimize the use of event-based retention – don’t complicate the user experience and waste IT resources on event-based retention unless absolutely necessary. Event-based retention requires users to add unique metadata to identify the relevant records, e.g. employee number, agreement number, and triggers to be established to start the retention, e.g. employee leaving your organization, agreement has expired. Try instead to rely on data-based retention based on information lifespan.

7. Automate the disposition of non-records – don’t waste storage space, clutter search results, and increase eDiscovery costs by storing ROT (redundant, trivial, outdated) information forever. Ensure all information has a lifecycle, not only records. Do automatic deletion of non-records if they haven’t been modified in 3 years.

Feel free to contact me if you need help improving and automating your compliance program.