Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/411912


often do not adequately address the ocean of electronically stored information. Although many of the categories on a traditional retention schedule relate to structured data systems, this poses two concerns:

1. A hard-copy-centric retention schedule that addresses "distinct physical objects" might not be portable to the structured data environment, where "distinct digital objects" do not neatly exist.
2. A vast amount of unstructured content is not included in traditional retention schedules.

To address these concerns, the retention schedule should be expanded to include reference to both "records" and "information" that might not fit the description of an official company record, yet has business value and serves an administrative or operational purpose.

After updating the retention schedule, the regulatory research that supports the time periods assigned to each record class should be refreshed to ensure it covers every jurisdiction (including international ones) in which the organization operates. Besides reviewing retention time period requirements, research should include:

• Storage Location: There might be requirements for information to be stored in a specific jurisdiction.
• Data Transmission: Requirements might exist that restrict the transmission of data outside a specific jurisdiction.
• Disposal Dates: There might be a stipulation that certain data are to be disposed of as soon as they have served their business purpose.

Once an organization has a complete understanding of the information it retains and its related sensitivity and classification, appropriate protection tactics can be applied. Additional considerations of an effective privacy and security approach include:

Privacy Policy: A comprehensive privacy policy includes both internal and external versions. Internal privacy policies should cover everything from employee handling of sensitive information to IT security controls and reporting breaches. External policies are customer-facing, and have both practical and marketing/PR considerations. Global policies require additional attention due to the sometimes conflicting interests of various jurisdictions. Once the policy has been drafted and approved, a training program will help facilitate employee compliance, including that of senior executives, with policy requirements. Training should be refreshed at regular intervals. Further, consider strengthening language in employee agreements with more restrictive covenants regarding the use of company data — both during employment and after separating from the organization.

Data Loss Prevention: Data loss prevention refers to a system designed to detect a potential data breach and to prevent it by monitoring, detecting and blocking sensitive data. Sensitive data might include private or company information, intellectual property, financial or patient information, credit card data and other information, depending on the business and industry. Data loss prevention software solutions can play an important role if an organization handles this sensitive data.

Data Minimization: Data minimization refers to reducing the amount of sensitive data retained. Questions to ask that can help you identify when fewer data will suffice include:

1. Does the organization really need to keep the data? Some data are transitory and might be needed at the moment, but not for the long term. Information deemed transitory should not be stored or archived.
2. Would only a part of the data be as useful as the whole for the organization's purposes? For example, storing the last four digits of a Social

In addition to ensuring the records and information categories are thoroughly defined, additional fields of information to note include:

• The identification of an unstructured content storage location or repository, such as a network drive designation or a document management system
• The identification of a structured data system or application name
• Indication of whether the repository or system is cloud-based or on-premises
• The security classification of the information, such as "company confidential" or "public"
• Whether the information contains personally identifiable or otherwise sensitive data
• Data flow information that might be important to know from a security perspective
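The two controls described above, data loss prevention (monitor, detect, block) and data minimization (keep only the part of a value that is still useful), can be illustrated in a few dozen lines. The script below is an added example written for this page; it is not ILTA's code nor any vendor's DLP product. It scans constructed sample records for card-number-shaped and SSN-shaped values, confirms card candidates with the Luhn check so that an order number with the same shape is not flagged, and then applies the "last four digits" minimization the article mentions. The sample records, the regular expressions and the helper names are all assumptions made for this example; the card value is a common test number, not a real account.

```python
from __future__ import annotations
import re

# Constructed sample records for this example (not real data): one valid
# test-style card number, one decoy that fails the Luhn check, one SSN-shaped
# value, and one record with no sensitive content.
SAMPLE_RECORDS = [
    "Client paid with card 4111 1111 1111 1111 on 2014-09-03",
    "Reference number 4111 1111 1111 1112 is an order id, not a card",
    "Employee SSN on file: 123-45-6789",
    "Nothing sensitive here: invoice total 1,250.00",
]

# Illustrative patterns: 13-16 digits with optional space/dash separators for
# a card number (PAN), and the usual NNN-NN-NNNN shape for an SSN.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: confirms a digit run is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for each sensitive value detected in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # cuts false positives on look-alike numbers
            findings.append(("PAN", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    return findings


def keep_last_four(value: str) -> str:
    """Data-minimization helper: mask every digit except the last four, keeping separators."""
    total_digits = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan_and_minimize(records: list[str]) -> list[tuple[list[tuple[str, str]], str]]:
    """For each record, return its findings and a minimized copy safe to retain."""
    results = []
    for rec in records:
        findings = find_sensitive(rec)
        minimized = rec
        for _, raw in findings:
            minimized = minimized.replace(raw, keep_last_four(raw))
        results.append((findings, minimized))
    return results


if __name__ == "__main__":
    for findings, minimized in scan_and_minimize(SAMPLE_RECORDS):
        print([kind for kind, _ in findings], "->", minimized)
```

A production DLP control would add many more detectors (patient identifiers, keywords, document fingerprints) and would act on the finding (block the transfer, alert, quarantine); the point here is the shape of the decision: detect with a pattern, confirm with a checksum to avoid blocking legitimate business data, and retain only the fragment that still serves the purpose.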
