Herding cats: Dealing with “just in case”
Trying to keep your retention schedules simple is an ongoing battle against the forces of complexity. And one of the major things that will hinder your plans to simplify your retention requirements will be your retention schedule stakeholders. People really do like to hold on to things. Sometimes legitimately, sometimes not so much.
In her latest blog, Siobhan King, Senior Consultant at Metataxis, reveals ways to ensure complex records management and retention requirements are accommodated.
Here’s part 5:
Growing up in New Zealand, a television favourite of mine was a local version of A Man and his Dog, which was named with typical kiwi literal-mindedness: The Dog Show.
When designing data retention schedules, I often think back to the steeliness of two dogs named Zip and Jess as they stared down particularly toey sheep to nudge them into their pens. Just like the pens on A Man and his Dog, you must gently, but firmly, guide your users towards the right retention management decisions.
The dreaded “just in case” argument
“Just in case” is the kind of phrase most records managers dread hearing from their stakeholders.
There are many perfectly legitimate reasons users give for wanting to hold on to records for a certain period of time. There may be a law or regulation that needs to be adhered to, rights that are protected, or business processes which require the records to be referred to at any point in time.
But then there are the more nebulous reasons people give for holding on to records – “just in case something happens, and I need them.” Just in case what? Well, it could be just about anything.
And herein lies the problem. With enough imagination, you can dream up any worst-case scenario where an obscure old record saves the day.
And what is even worse… is when there actually has been a freak occurrence where this exact situation has happened. Someone has managed to save your organisation a great deal of money or embarrassment with an email they’ve had stored in their mailbox for nine years.
Take a deep breath, hold your nerve and have some of these questions ready when talking to someone who presents you with a “just in case” argument:
- Check they understand triggers: Check that your stakeholders understand that information will not be disposed of before they are triggered. “Just in case” may arise from a misunderstanding of triggers and a fear that you’re going to delete records out from under people while they still have a legitimate need for them.
- Consider the personal data and data subject rights: Look at the personal data that is held in each record and whether you can reasonably argue that there is a legitimate business need that outweighs data subject rights? Remind people that your organisation does have to meet data protection requirements which does not accept “just in case” as a reason for retention.
- Measure the risk: Ask your stakeholders “what is the likelihood of the just in case scenario happening (again)?” and look at the “actual risk?” i.e. what does it cost the organisation?
As an example, I’ve had a stakeholder tell me that a record type had to be kept in order to prevent the organisation potentially incurring costs from a complaints process, However, it turned out that the actual total cost was just £24. What’s more, the likelihood of this risky event recurring was also very low. It had only happened once, and this was over six years ago. Ask how often, how likely, and how much it would cost to apply a risk management evaluation to your retention requirements.
- Get the full story on that “save the day” scenario: In the case where a record “saved the day” do not be afraid to probe (in a neutral way) to get some more information about the full scenario. It is quite possible you are not getting the full story. For example:
- Did the record in question only help because it was a proxy for something else that should have been retained but was too difficult to find in a time-critical situation?
- How long ago did this happen? Did it happen so long ago, things have moved on and it’s no longer relevant?
- Was the person telling you this story involved enough to understand what actually happened? Could it even be an urban legend?
Helping people find more appropriate retention rules
These are just some of the ways you can begin to unpick the requirement to keep data “just in case.”
Getting to the bottom of the underlying concerns that drive such a requirement can help you to guide your stakeholders to more appropriate retention rules.
It can often feel like herding cats, but with patience and understanding, it’s a rewarding result once it’s done. All that’s left to do is implement your retention rules. We’ll be looking at implementation in the final of this blog of this series next time.