Redundant, Obsolete and trivial DataDoes Your Business Have ROT?
Redundant, Obsolete & Trivial Data
How to Get That Disposition Project Moving!
There is no time like the present to get moving with that disposition project. GDPR has been among us for a while now, and CCPA is about to embark. This article will look at reasons why we have so much data. It will identify why organizations should review, and get rid of, Redundant, Obsolete, and Trivial (“ROT”) data. Finally, it will discuss ways to get rid of ROT, and reduce the overall costs for maintaining appropriate business records.
Defensible Disposition Policy (the Why)
The policy should be in alignment with your other information governance type of policies, such as Records Retention Policy and Schedule, Legal Hold Policy, and Privacy Policies. These other policies are often cited within the Defensible Disposition Policy (“DDP”) and they work together to bolster the whole information governance program. In addition to having a purpose, scope and owner of the policy clearly drawn out, the DDP policy should address Record Retention, clearly define what abandoned and/or orphaned data means, and outline proper archival, disposition, prevention of accidental loss, exceptions or legal holds, and violations to the policy.
Further, it is critical to identify the framework used in the policy. By that I mean:
- Identification – How you are going to identify the data subjects and determine classification and ownership. (Often there is some technology used.)
- Retention – Assessing the data to determine if retention has been met for business records.
- Preservation – Review of the data for legal, tax or other exceptions.
- Disposition – Prompt and proper action taken to dispose of the data discovered.
- Repeat – Repetition of the process across data assets on an on-going basis.
This policy should include a glossary of terms and provide a process diagram that shows how the framework is used.
Defensible Disposition Playbook (the How)
Next is selecting a tool. It is likely that IT has tools like this that they use for migration or responses to litigation. Draw out what tools are in the tool belt and if no tools exist, determine what tools you might want to investigate. It is ideal that the tool is indicated in the Playbook. Once you’ve got those tools identified, here’s where your criteria come into play. Draw out in the Playbook how you will use the criteria to determine what you will disposition.
Once you have the tools identified, and can begin with an inventory of your repositories, then you can begin the scan. Work with IT and the business repository owners to verify how and when the scanning will be conducted. The repository will need to be loaded into the scanning tool and be able to provide updates as the scanning occurs. Ultimately, the outputs for the scanning will be progress reports with status and percentages.
Analysis and recommendations will be based on the scan results, this will assist in determining your targets for cleanup of the ROT. Now you will need to plan for the disposition project. Keep in mind, some content may be moved to archives, quarantined or deleted. This should go without saying, but ultimately ensure that nothing is deleted without a legal check for investigations, audits, or even “reasonably anticipated” litigation. It is prudent to obtain sign-off prior to executing the disposition project.
Last, but not least, make sure you keep the log files that confirm the successful disposition that support your reports. Retention of the log files should be drawn out in your retention schedule, to tighten everything up, and to make your process defensible and repeatable.
Rather than simply creating a list of file types and metadata attributes that you want to focus on to determine what is ROT, the criteria should include the actions that will be taken for the file types and metadata. Think of situations that you may come across while scanning the environment, such as: 1) What will happen when files stored on the shared drives that belong to former employees (such as home drives) are found. Will that just be dispositioned, or will there be a timeframe that needs to occur prior to their disposition? 2) What will happen if decommissioned application files are discovered? 3) What will happen if harmful content like ransomware is found? Working closely with IT, may help you determine the criteria, as they have intimate knowledge of the environment.
Disposition Project Plan
Be specific and use a RACI chart to draw out who will be doing what. Draw out the priorities, objectives, goals, and actions as they align with the Policy and Playbook. This could indicate areas of the business that are at the highest risk of having data that could expose the organization. With the scanning results, you can determine if that ROT should be first, or last to be dispositioned. The project plan may not be formally documented, but you should know what your goals and objectives are overall.
Remember that even though change is challenging, disposing of electronic data (either records or non-records) is as important as disposing of your physical records and non-records! It is a critical time in history for us. We must begin the process that will enable organizations to dispose of ROT. As RIM and IG professionals, we need to save costs by minimizing ROT within the organization, reducing any exposures to risk, and helping to safeguard the organization’s brand and reputation. A fellow colleague of mine, and fellow ARMA Chicago member once said, “If you don’t have it, they can’t hack it!” How true…
Get In Touch For a Free Consultation
Records Management + Information Governance
Records Policy programs
Retention Schedule Development
Records inventory analysis
Inventories + Archiving