In Part 1 we detailed the numerous and growing risks that law firms face when excess information isn’t systematically minimised, while acknowledging the daunting task firms face in tackling the issues once and for all. To suggest a way forward, in this piece Chris Giles describes the five basic steps he recommends firms take to start scaling their data mountain.
There’s no question that law firms store a lot of content, in all types of formats and locations. The trick is not to be overwhelmed by the magnitude of the task of taming data, but rather to approach it in a systematic and methodical way. Hence, we recommend the following five steps:
1 - Building a committee
To successfully deliver a data minimisation strategy, firms need cross-departmental engagement from key stakeholders. A cross-departmental team would likely consist of heads of departments or practice groups, the CIO, CISO, General Counsel, DPO and, of course, the Director of Information Governance. The committee is the reference point for all subsequent activity, ensuring representation and buy-in from across the firm.
2 - Understanding your data
This means first making an inventory of all the locations and systems in which data is held, including less obvious locations like redundant servers or legacy applications that still hold data and haven’t been taken down. It includes ‘shadow IT’ in places outside the boundary of the firm’s sanctioned and provisioned IT infrastructure, such as work on lawyers’ personally owned devices or matter material exchanged using personal email addresses – possibly during the pandemic. And don’t overlook the firm’s other records residing in HR, finance, etc.
Once you know what data is held and where, you should conduct a data mapping exercise to categorise and classify it by document type, file type and data type. Does it contain personally identifiable information (PII) or intellectual property, or is it confidential and/or commercially sensitive? Data should also be classified by practice group, department, office, or jurisdiction where these have a bearing on retention and disposition, and by client engagement requirements (if any) around retention/disposition.
3 - The policy
A retention and disposition policy sets out the firm’s agreed guidelines for managing the lifecycle of information assets, including when they should be disposed of once no longer needed, and the responsibilities and roles involved in the authorisation process. It articulates the commitments the firm is making. It should create understanding, consensus, and momentum around information retention and disposition.
Note that firms can be exposed to potential investigation and liability if an agreed policy isn’t enforced or is selectively enforced. So, procedures and controls need to be part of the policy. The policy should be communicated to all employees, making sure everyone understands their obligations.
4 - Execute the policy
This should be straightforward because it’s a question of following everything that has been mandated. Notwithstanding, it can feel daunting at first because of the sheer volume of the material. Remember that the journey of a thousand miles begins with one step.
5 - Getting destruction decisions over the line
Reaching destruction decisions can be hard, but don’t lose sight of the objective of minimising the excess data held by the firm and reducing risk. Help the lawyers who are going to authorise data destruction by giving them all the information they need to reach a decision. This includes confirming that no fees are outstanding, and the date on which the firm’s criteria for a closed matter have been met. Then follow the preordained destruction procedure. This is where your key stakeholders in the committee will double up as champions, ensuring an awareness campaign is delivered or backed up by peers rather than from a central administrative team. The policy should also be reviewed periodically, and adherence looked into where there are pockets of non-adherence to the policy’s application.
Proceed iteratively
When we talk of five steps, it’s not necessary to complete them sequentially. Don’t destroy data until you have a policy in place, but otherwise don’t wait for one step to be completed before the next one starts. Do what you can when you can. But it’s also sensible to prioritise your areas of highest risk.
Finally, know that you don’t need to execute data retention and disposition unaided. Sophisticated software tools, such as iCompli, have been developed to help – for instance by automating how a data retention and disposition policy is systematically applied to mapped data. You should start talking to software vendors early in the process to minimise redundant effort and maximise the efficiency of your data retention and disposition project from day one.
This approach was explained in much greater detail during our ILTA Masterclass: Rome wasn’t built in a day, where we discussed the five steps that will help you conquer your firm’s data.
Copyright © 2023 Legal IT Professionals. All Rights Reserved.