Underwritten by: Presented by:
#AIIM Information Is Your Most Important Asset.
Learn the Skills to Manage It.
Developing a Successful Data Retention Policy
An AIIM Webinar Presented March 22, 2017

Today’s Speakers
Craig Shogren, Manager, Information Governance, HBR Consulting
Rich Lauwers, Information Governance, HPE
Kelly Huckman, JD, Consultant, Iron Mountain

Introducing our Featured Speaker
Craig Shogren, Manager, Information Governance, HBR Consulting

We’re pretty sure we are not providing all responsive data, since we don’t know what we don’t know!
We really don’t even know what we have, let alone where it is!
There is probably a lot of PII on our shared drives that we really need to purge. Could be devastating if we are ever breached.
Our workforce is so mobile, we know our employees are saving stuff to unsanctioned cloud storage. This ‘shadow IT’ will sabotage our efforts at comprehensive disposition.
I only have 24 hours to respond to a regulatory request, yet it will take me 4 times that amount of time to sift through all the garbage.

Why Do We Care?
§  Compliance
§  Discovery Risk and Cost
§  Privacy
§  Efficiency
§  Storage Savings
§  Customer Service
§  Knowledge Management / IP

The Path Forward Is Clear
•  Define Governance Requirements
•  Know Where Everything Is
•  Eliminate Unnecessary Data (ROT)
•  Unbury Treasures

…But Littered with Obstacles
•  Organizational silos obstruct comprehensive approach
•  No internal sponsor / champion
•  Lack of budget & resources
•  Communication gaps between Legal, IT and the business
•  “Software-as-Savior” turns into “Software-as-Shelfware”
•  Don’t know where the data is or what it contains
•  Change management?
•  Bleeding out

Define What Governs Your Information
§  Retention and disposition requirements
§  Privacy and security requirements
§  FRCP requirements (legal holds, etc.)
§  Intellectual property considerations
§  ISO standards
§  Business requirements

Foundational Components for Defensibility
§  IG / RIM Policy
    §  Purpose, scope, objectives, accountabilities, responsibilities, standards and definitions
§  Records Retention Schedule
    §  Updated regulatory research
    §  Actionable, understandable
    §  Comprehensive
    §  Records, but what about everything else?

Foundational Components for Defensibility
§  Privacy
    §  PII / PHI / PCI handling requirements
    §  Retention limitations
    §  Cross border considerations
        §  Privacy Shield
        §  GDPR

Foundational Components for Defensibility
§  Information Security
    §  Data Classification Standard
    §  Data Mapping / Data Flows
    §  Technologies
        §  End-Point Detection, DLP, Access Controls, Virus Detection, Big Data Security Analytics, Containment / Isolation Tools, Security Testing, etc.
    §  BYOD Policies

Foundational Components for Defensibility
§  Litigation Readiness
    §  Legal Hold Policy / Procedure
    §  eDiscovery Tools and Technologies
    §  Litigation Profile
§  Intellectual Property
§  Training (Change Management)
    §  “But, we’ve always done it that way!”

The Path Forward Is Clear
•  Define Governance Requirements
•  Know Where Everything Is
•  Eliminate Unnecessary Data
•  Unbury Treasure

Preliminary Steps
§  Identify and assess locations / repositories of unstructured content
    §  (Collaboration sites, shared drives, personal drives, document management systems, content management system, email, physical, etc.)
§  Functional requirements of content / records management system
§  Identify “content placement strategy”
    §  Is there clarity on how the retention schedule applies to electronic data?
§  Determine content assessment methodology

Content Assessment
§  Manual
    §  User-Dependent
§  Technology-Enabled
    §  IT Tools
    §  eDiscovery Technology
    §  File Analysis Software
        §  Content
        §  Metadata

What is File Analysis?
Two Primary Levels of Analysis
§  File System Metadata
    §  Includes information about individual files
    §  Examples include contextual metadata about associated servers, volumes, shares, folders, and identity related information such as company / department / group / user permissions and ownership; as well as file specific metadata such as file owner, last author, author, file extension / item type, and create, last modified, and last accessed dates
§  File Content
    §  Includes information within individual files
    §  Represents a much more granular level of detail, and subsequently a larger data footprint and supporting set of infrastructure requirements
§  Repositories
    §  Email, File Shares, ERM / EDM / ECM Systems, SharePoint, File sync and share sites such as Box.net or Dropbox, Data Archives, Business Intelligence (BI) / Data Warehouse Environments

Representative Vendors
Primary Use Cases Supported by 2016 List Vendors
[Diagram: vendors grouped by major use case. Use case labels: Governance/Policy Management; Risk Mitigation; Analytics; Efficiency/Optimization]
•  Active Navigation
•  Adlib Software
•  BeyondRecognition
•  Bloomberg
•  Controle
•  Cryptzone
•  Druva
•  Exterro
•  SailPoint
•  Titus
•  HPE
•  IBM
•  ZL Technologies
•  Capax Discovery
•  Data Global
•  Egnyte
•  Index Engines
•  Spirion
•  STEALTHbits
•  Varonis
•  Veritas
•  Kazoup
•  Condrey
•  Haystac
Source: Gartner: Market Guide for File Analysis Software (19 September 2016)
Gartner’s Note: Though most vendors support some elements of each use case, vendors are listed in the above diagram according to the major use case supported and what customers acquire the solution for.

Demerger Example

Thank You!
Craig Shogren
Manager
HBR Consulting
cshogren@hbrconsulting.com
312-638-5130

Introducing our Speakers
Rich Lauwers, Information Governance Subject Matter Expert, HPE
Kelly Huckman, JD, Consultant, Iron Mountain

How Do We Better Connect Legal Regulations and Operational Requirements to Our Content?
The first and last mile of retention
[Diagram]
The First Mile: Retention Considerations: Government regulations, Industry specific regulations, IT Operations, Business Needs
Connect: Auto collection of laws, Translate to retention rules, Centralized policy, Apply at scale, Audit logs
The Last Mile: Policy Execution: Email, Cloud, Desktop, Physical Content, SAP, Structured Repositories, Unstructured repositories, File Shares

Why Has Connecting the First and Last Mile of Retention Been So Difficult?
•  Policy is not digitally connected to content
•  Appeared complex, time consuming, costly & hard to maintain
•  Origins of Records Management were paper not IT
•  Demand was for commercial off-the-shelf solutions
•  A lack of standards

GDPR Enacted to Help Protect EU Citizen Data from Risk

What Challenges Does GDPR Create?
§  Understand the scope of PII
§  Identify PII, determine its format, and locate it within the IT real estate
§  Isolate and classify PII
§  Appreciate the retention times for personal data and contact information
§  Obtain and retain explicit consent of data subjects
§  Limit access to PII based upon scope of consent
§  Facilitate the “right to erasure” of personal data

Create a Data Map
•  Map both PII and Non-PII data sources
•  Establish relationships between data sources/owners and relevant Record Classes
•  Represent processing purposes consented to by data subjects
•  Identify PII locations, create an e-discovery data map, and inform a coherent e-comms policy in a single project

Digitally Connect Policy to Content
[Diagram]
Policy: Retention Schedule, Organization Structure, Data Maps, etc.
Content: Enterprise Content Management, Physical Content, Email, Unstructured repositories, SAP, Structured repositories, File Shares, Cloud

[Diagram] Manage Data In Scope (Personal Data) and Secure Personal Data
Information Management & Governance: Find, Classify, Govern; Mapping; Get Consent; Report Compliance; Data Repositories; Records Repository
Security:
•  Data Security
•  Application Security
•  Security Intelligence (Breach Detection)

Complete GDPR Platform
[Diagram]
Data Repositories: Messaging, Email, Files, SharePoint, Applications, Data Warehouses, Document Management, Data Archive, Social Media, Web Content
Stage labels: Find, Read, Analyse, Classify, Action, Apply, Declare, Store, Govern
Other labels: Record Repository; Eligible Records; Data Encryption; Apply Retention Rules; Compliance, Legal Hold & Audit

Methodology
•  Survey and confirm
•  Index metadata and content of documents
•  Extract named entities (SSN, emails, phones…)
•  « ROT » analysis
•  « Technical » analysis (size, type, age…)
•  Redundant
•  Obsolete
•  Trivial
•  Creation of Categories based on entities, metadata and/or content
•  Apply tags
•  Move
•  Secure
•  Archive
•  Review
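
The assessment steps on this slide, as an added Python example that is not from the presenters or any vendor in the deck: it reads file system metadata and file content, tags redundant, obsolete and trivial files, and flags SSN, email and phone patterns. The thresholds, regexes, tag names and sample files are constructed assumptions.

```python
import hashlib, os, re, tempfile, time
from collections import defaultdict
from pathlib import Path

# Assumed thresholds and patterns; the slides do not define them.
OBSOLETE_AFTER_DAYS = 7 * 365
TRIVIAL_EXTS = {".tmp", ".bak", ".log"}
ENTITY_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def assess(root):
    """Return {relative path: sorted tags} from metadata and content analysis."""
    tags, by_hash = defaultdict(set), defaultdict(list)
    for folder, _, names in os.walk(root):
        for name in names:
            path = Path(folder) / name
            rel = path.relative_to(root).as_posix()
            found = tags[rel]                  # every file gets an entry
            st = path.stat()                   # file system metadata level
            data = path.read_bytes()           # file content level
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            if (time.time() - st.st_mtime) / 86400 > OBSOLETE_AFTER_DAYS:
                found.add("obsolete")
            if st.st_size == 0 or path.suffix.lower() in TRIVIAL_EXTS:
                found.add("trivial")
            text = data.decode("utf-8", errors="ignore")
            found.update("pii:" + k for k, rx in ENTITY_PATTERNS.items() if rx.search(text))
    for rels in by_hash.values():              # identical content means redundant
        for dup in sorted(rels)[1:]:           # the first copy stays untagged
            tags[dup].add("redundant")
    return {rel: sorted(t) for rel, t in tags.items()}

def build_sample(root):
    """Constructed sample share: PII file, its copy, an old file, a temp file."""
    files = {"hr/roster.txt": "Jane Doe 078-05-1120 jane@example.com",
             "hr/roster_copy.txt": "Jane Doe 078-05-1120 jane@example.com",
             "old/minutes.txt": "meeting notes", "scratch.tmp": "x"}
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    os.utime(Path(root) / "old/minutes.txt", (0, 0))  # backdate mtime to 1970

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(assess(d))
```

The resulting tags correspond to the "Apply tags" step; move, secure, archive and review decisions would be driven from them.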

Content Manager Component Overview
Ingested Policy Center data stays in Content Manager
•  Retention laws, jurisdictions and vertical industry information is mapped
•  Policy Center is polled for updates
•  Updates are ingested and managed permanently
Content Manager is licensed perpetually
•  All components remain active
•  Annual support renewal
HPE CM Policy Center Connector
•  Connector that extracts and ingests Retention Requirements into Electronic Content Manager
•  Mapping of data
•  Classifications
•  Retention schedules
HPE CM Auto-Classification Module
•  Trained on existing content or BCS
•  Holding node prior to classification
•  Automatic folder creation
•  Linked security & retention
HPE Content Manager (ECM + Retention)
•  Information lifecycle management
•  Governance-based ECM
•  Access defined by authorized seats
•  Perpetual license + annual maintenance

Take a look at what HPE has to offer: www.hpe.com/software/scm
HPE GDPR self assessment: http://gdprcomplianceassessment.com

Thank You!
Kelly Huckman, JD
Consultant
Iron Mountain
kelly.huckman@ironmountain.com
512-653-4668
Rich Lauwers
Information Management Subject Matter Expert
HPE
Rich.Lauwers@hpe.com
847.232.3566 CST, Chicago

QUESTIONS?

AIIM is the Community for Information Professionals
AIIM believes that information is your most important asset. Learn the skills to manage it.
Our mission is to improve organizational performance by empowering a community of leaders committed to information-driven innovation.
Learn more at www.aiim.org

[Webinar Slides] Developing a Successful Data Retention Policy