Cryoserver Blog

14 April 2008

Policy based or keep everything?

Well, I have been working on this for several years and have come to the conclusion that all the issues boil down to a single one – what should you do with e-mail? And I think that you have just 3 choices: Delete it all, Keep some, or Keep it all. If I were to do a straw poll of what people THINK they would like to do with e-mail, most would say ‘keep some’; by the end of this blog you may change your mind.

Let’s take ‘Delete it all’ first. Email is sent between two parties, so there are always two copies. If you delete yours but the other party keeps theirs, then you’ve got a real problem – so it’s probably not a great idea. And how would your users feel if you deleted all of their email after a month? There is invaluable knowledge within your email system.

Are you in a regulated industry? Even if you are not, there are still regulatory requirements. For example, company financials need to be retained for 6 years and in some instances for 21 years plus. So you probably don’t have the option to delete all e-mail, unless you want to expose the organisation to huge risk and liability.

What about ‘Keep some’? Sounds fine in principle but it does suggest a sorting process. There are only two ways of sorting anything - Manually or Automatically.

Let’s start with manually. Who’s going to do it? Probably your users themselves – so let’s see how that works. Let’s imagine I work for a financial organisation and I have a range of different retention boxes: a 13 year box, 12 years, 7 years, 6 years, and stuff I can get rid of straight away. I am fairly typical: I receive 30 emails a day and send about the same, and I need to sort those emails into the right boxes. Is policy based storage going to work? Probably not. Will I make mistakes? Of course.

What about the cost of that process? Well, at £8 per day, if I work 200 days a year, that comes to £1600 in productivity cost per person.

Manual sorting is expensive, needs user training, users hate doing it, doesn’t work and is therefore not compliant.

What about automatic sorting? Sounds great. My organisation has lots of experience with document management systems such as Documentum and PC Docs, which are great for sorting structured documents: this is a purchase order, this is an invoice, this is a business letter. But the big problem with email is that it is an unstructured document.

How would it sort this email? “Hi Bill, good to see you last week. I hope Eileen's got over that kidney infection and she's out of hospital. I've attached the report on that customer steering column failure. I don't think it's too much to worry about, but we should get the team together and talk about it. Let me take you to lunch next week - my treat!”

So how would you sort that email? That email contains personal data, “SENSITIVE personal data” because it is medical, and it contains product liability DATA, which needs to be kept for ten years after the last one comes off the production line. How would you sort that email, anyone? Automatically? What about manually? Don’t listen to people who tell you that you can sort email. You can’t.

Email is special, and brings special problems. The major problem in compliance terms is that there is no method that allows accurate sorting – no method or product can possibly guarantee compliance.

You will realise by now that the only solution I think works is ‘keep everything’. So let’s look again at that financial institution with different retention periods – simply select the longest mandated period, say thirteen years, and keep everything for that time – then you KNOW you’re complying with all the laws and regulations. Best of all, you don’t have to train your users, or trust them to put the right things in the right boxes. Automatic full compliance: just pick a single retention period, it’s as simple as that.

Around this point I tend to find there are always just two objections. The first is ‘is it legal?’ – absolutely, you as a company can keep every single email for as long as you decide is appropriate, and we will be talking later about how you select that period.

The second objection is ‘that’s very expensive in storage’. The cost of storing the average person’s email in Cryoserver starts at £1 per user – per YEAR. So that’s rather less than the £1600 per year cost of having your users sort it.

So you CAN keep everything and at the same time comply with data protection legislation. But don’t forget the three golden principles that trip most people up: ‘Protect the data. Protect access to the data. Audit any access’.

In conclusion, it is a no-brainer: keeping everything is the right thing to do!

11 April 2008

Why are some companies in the world not buying archiving solutions?

The most common reason is that the cost is prohibitive! Do they not know that top legal experts in the field of email compliance have been recommending that organisations cannot use cost or lack of budget as an excuse? I recently heard David Ferris, from Ferris Research (www.ferris.com), state that he feels that the cost of storage is ever decreasing and that today it is pertinent to keep everything, as there may be a record that you require in years to come which could save you and your organisation in a matter. I share these same views. The cost of storage can no longer be used as an excuse in my book.

Today there are many pieces of legislation encouraging us to retain records; in the world there are tens of thousands of them. They include, in the U.S., tax records – 7 years, and SOX – 7 years; elsewhere there are the Markets in Financial Instruments Directive (MiFID) in the E.U. and Pharma/Healthcare regulations. The majority of the records that need to be kept are likely to be found in the email system, and furthermore there is also a lot of knowledge residing in the email system which may be useful to the organisation at a later date. I am finding many of our clients are keeping records for around 84 months (7 years), based on some key financial & tax regulations. Organisations need to wake up to their responsibilities; IT departments need to involve senior management and make clear to them that not archiving email potentially opens the organisation to risk or, in some serious matters, even a criminal offence. And if you don’t do anything, who gets locked up? Is it the CEO, or the Company Secretary, who has the responsibility of handling the court order when it is issued? Maybe many IT managers have it in for CEOs and Company Secretaries and want them to go to jail! I hope not.