Destroying Barriers to Destruction

Published On December 04, 2018

Going through a downsizing exercise at home has heightened my awareness of how difficult it is to let go of items. So it didn’t come as much of a surprise that the 2015 and 2017 Cohasset/ARMA IG Benchmark reports saw virtually no decline in the number of organizations (76%) that maintain a “keep everything culture,” and don’t have a formal secure destruction plan. It appears as though, whether at home or in the office, a reluctance to part with our “things” is human nature.

But the question is: will the same remain true in the 2019 version of the report? While there’s a case to be made that more destruction is occurring because of new business demands, I’m not confident that much will have changed in the intervening two years since the last survey.

Whether records are physical or digital, there are more compelling reasons now than ever to be thoughtful about what to get rid of and when.

The enactment of privacy laws to protect personal information, such as the GDPR and the impending California Consumer Protection Act (“CCPA” in 2020), have made it necessary for organizations to change the default “as long as we’ve kept it long enough, we’ll just go ahead and keep it a while longer” state of mind or face the risks of reputational damage and fines for noncompliance. On the flip side, with organizations leaning heavily into the use of machine learning (ML) and artificial intelligence (AI) to derive value from their data (and records), there is pressure to retain content indefinitely.

So, just when there are significant triggers to destroy records when eligible, there are powerful and compelling reasons to keep them longer. To overcome this, various functions within an organization need to collaborate to agree on a reasonable equilibrium: to determine which content has value or potential value beyond its original purpose, remove personal information from it and destroy what remains. A CEO of a global tech company recently told me that it’s his mission to define the minimum amount of data his business requires for ML and AI in order to contain costs and reduce exposure of data to privacy and security risk.

Given the urgency to for organizations to establish more rigorous controls and practices around privacy (and privacy issues get the attention of senior leaders!) while dealing with the impact of digital transformation, the Iron Mountain Customer Advisory Board (CAB) has created a Practical Guide to Records and Information Management Destruction.

The Guide is a compilation of considerations and practices, based on the experiences of a subset of the CAB members, for the development of a consistent, repeatable process to destroy records that have met retention requirements and do not need to be held for legal purposes or data mining. It addresses common challenges, considerations and recommendations pertaining to the destruction of records in relation to compliant Information Lifecycle Management (ILM). The Guide also includes a number of relevant case studies.

The authors stress that ILM programs differ from organization to organization, therefore the decision to adopt a course of action must be taken in regards to your own situation. For that reason, the Guide does not discuss “defensible” destruction, as the interpretation of “defensible” is determined by your own organization’s policy, procedures and legal guidance, nor does it address the disposition of information (i.e., what to do with it at a given point in time).

Join the 24% of organizations with a destruction mindset and practice! Download the Guide at IRONMOUNTAIN.COM/CAB, along with previous practical Guides written by the CAB.