Deleting Emails and Files Quickly and Defensibly
Introduction
Emails and files are the lifeblood of an organization. These media serve as primary communication and decision-making tools, record decisions, facilitate processes, and allow employees to communicate. The average employee receives approximately 121 emails per day, and employees can create, modify, and view more than two dozen files per day. As employees increasingly work in hybrid offices and work-from-home environments and are not physically situated near one another, these modern communication tools have become even more important for ensuring the ongoing operations of a company.
However, emails and files can also become too much of a good thing. The persistent, ongoing accumulation of this electronic information spawns a new set of risks and challenges. The pain of over-accumulation may only become apparent during a large eDiscovery exercise or when companies seek to be compliant with privacy requirements. The potential negative impact can be counter-intuitive, such as when information accumulates to an extent that it actually lowers employee productivity and effectiveness. Companies are realizing that these are real risks creating real problems, and that this over-accumulation needs to be dealt with.
Deleting emails and files in a defensible manner can be difficult. Sorting through large volumes and determining what to save and not to save can be time consuming. Likewise, adopting large-scale deletion can quickly lead to pushback from employees and business units. Deletion exercises become overloaded with emotions, both from those trying to delete as well as from employees resisting the actions. Efforts to delete can also backfire and drive employees to avoid deletion by keeping emails and files in unsanctioned storage areas. As frustration builds, many simply give up.
Don’t be among those who give up. There are proven strategies used by many organizations to tame their growing piles of accumulating emails and files. While there is no magic formula, a smart, real-world approach that combines policies, process, and the appropriate use of technology can be effective. This enables organizations to save the right information for the right length of time and make it more accessible, while at the same time deleting low-value, unneeded information and preventing its further accumulation.
Companies are doing this, and it works—and avoids getting into conflict with document-hoarding employees and business units. While these programs often begin with an attempt to drive compliance or reduce costs, many find a hidden win: cleaning up clutter helps employees work better, smarter, and more collaboratively.
The Downside of Saving Too Many Emails and Files
While email is an indispensable component of running most businesses and the use of files is a cornerstone of most organizations’ decision-making, there is a dark cloud to this silver lining of productivity. Over a period of months, years, and decades, this electronic information accumulates, creating a new set of costs, risks, and challenges.
Email and File Over-Retention Costs
While many companies still have large stores of paper documents, business is increasingly conducted through electronic media.
Data Storage Costs
Left unmanaged, e-mail and files tend to accumulate and consume data storage space. Traditionally, organizations attempted to address this by imposing mailbox “quotas” for email and storage quotas on centralized file servers, limiting the amount of e-mail or files any single user can store in the server.
Within a typical e-mail server, the messages—headers, dates and message text—only consume 4% of storage space. Attachments to e-mails take up the remaining 96%. Most organizations have migrated, or are migrating, their email and file storage to cloud-based systems. These systems tend to include a per-user storage quota, but when this quota is exceeded (often only after a few years) the organization pays additional fees for the increased space.
Over-Retention Hinders Privacy Compliance
A number of global privacy rules mandate the identification, control, and deletion of personal information. These rules strictly limit how long personal information can be retained. Many companies focus their privacy compliance efforts on applications and structured data in database systems, with little focus on the over-retention of emails and their attached files.
Nevertheless, emails and files can and do contain, in the aggregate, a significant amount of personal information. Email can include employees’ or customers’ personal information. Files can contain extracts from databases that contain a significant amount of personal information. Privacy rules apply equally to emails, files, and structured data applications. Just because an email may be harder to search for or delete does not relieve a company of the responsibility of applying the appropriate rules.
The Hidden Cost of Hoarding: Impact on Employee Productivity and Collaboration
There is a final pain point with over-retention: employee productivity. A certain percentage of emails and files has business value, and these should be retained for future access. However, over-retention makes searching for and identifying this business value difficult. The small percentage of higher-value information quickly gets lost in the clutter of over-retention.
New employees will re-create existing documents either because they don’t know someone else already wrote them or because they can’t find them. Employees will update or edit the wrong version of a document. Although these issues are not always caused by over-retention (for example, an employee retires and although his old files are stored somewhere, his successor does not have access to that information, making it effectively lost), over-retention can be a leading cause. There are powerful, real inhibitors driven by over-retention that decrease employee productivity and collaboration.
Defensibly Deleting Emails and Files is Hard
Deleting emails and files is the kind of initiative that looks easy at the outset but can quickly become difficult.
Many Layers of Buried Information
Emails and files are retained. Month after month, and year after year, they accumulate, creating digital layers called information horizons. These information horizons contain a little bit of everything: records, non-records, copies containing high-value information, no-value information, personal information, intellectual property, and even documents subject to legal hold. What makes deletion efforts hard is that often this information is mixed together. Sorting out what needs to be saved requires a type of “digital excavation” in which an information archeologist must sort through what is important, versus what is the information equivalent of “dirt” that can be discarded.
Employee Hoarding
Perhaps the biggest challenge to deleting emails and files is employees themselves. Most employees hoard their electronic information. They save years’ worth of information on their desktop or laptop, or on file shares or cloud storage sites such as Microsoft’s OneDrive.
This “save everything forever” approach is motivated by three separate drivers.
First, employees think that this information has business value and may be useful to themselves or others sometime in the future. This is true: some emails and files do have business value and can and should be saved for a period of time. However, just because some information has future value, that certainly does not mean that all information has future value.
Next, some employees mistakenly believe that they are the custodian of a record or records, and as such this information must be saved. Employees tend to greatly overestimate the “this has to be saved and it’s my job to save it” factor.
Third, some employees have defensive motivations for keeping documents, to be able to prove, if asked in the future, that they did or did not do something. The “I’d better save this to show I did/did not do something” retention thinking is driven by a “just in case” mentality.
The above three reasons often combine to drive habitual retention. For many people, it is easier to save everything than to parse through the above reasons as to why something should be saved.
Discussing deletion can quickly lead to emotional pushback. Employees become fearful of the company deleting “my stuff” that “I need to do my job.” Unaddressed, this powerful employee resistance can slow or even stop corporate-wide deletion initiatives in their tracks.
Everybody’s Job and Nobody’s Job
The final challenge is organizational responsibility. Most companies have traditional records, eDiscovery, privacy, and information security programs, but none of these programs are necessarily responsible for email and file deletion. Worse, standalone compliance programs can, and increasingly do, conflict with one another. Unless coordinated and integrated, conflicting programs can thwart effective deletion efforts. For example:
- Records management that involves minimal data retention can conflict with European and US privacy requirements for time limits on retention of privacy information.
- Legal hold preservation obligations can be undermined by records retention processes that require ongoing deletion.
- Intellectual property management may be undermined by data cleanup projects that inadvertently delete files and emails documenting the organic development of IP.
- IT outsourcing of data storage to cloud providers may run afoul of country-specific data residency regulations.
The failure to coordinate standalone programs with other compliance requirements can grind work to a halt.
Email and File Deletion Strategies that Don’t Work
Some approaches that companies have tried over the years were started with good intentions but do not work. Many of the same mistakes are made across different companies.
Employee Manual Processes Don’t Work
When most records were either created or received in paper, records management and disposition processes were inherently manual. Today, however, the vast majority of records are created or received in digital format. Unfortunately, some companies persist in creating detailed, time-consuming manual processes for managing records. This may include looking up the retention period, labeling an email or file under this retention period, moving it to a folder or repository, or even entering metadata about the document.
The problem is that these paper-centric processes do not scale. The sheer volume of emails and files any given employee receives means applying these processes is time consuming, potentially taking hours per week in aggregate. Most employees will not follow them, or they will follow them initially but soon stop using them.
The other risk around manual processes is that they are less defensible. The argument made by opponents in litigation is that when employees are doing their own manual deletion, it is difficult for them to be faithful to and consistent with the records retention schedule. The opponents argue that given discretion, employees tend to delete what they consider the “bad stuff” (documents and other information they believe to be inculpatory) and only save the “good stuff” (documents or files they believe will be helpful in the event of litigation or regulatory inquiry). This puts companies on the defensive early on, in the position of trying to prove a negative regarding something that they do not do (and may never have).
Aggressive Deletion Doesn’t Work
When companies start an “aggressive” email deletion process, employees often react with a counter-behavior of “underground archiving.” In a bid to save their emails from deletion, employees save emails on desktops, laptops, centralized file servers, USB drives, and other unauthorized areas. Companies respond by shutting down the ability to use USB drives (generally a good practice).
In an information retention and disposition arms race, employees start forwarding emails and sending files, or other information they believe they need, to their personal email accounts. Some employees have been known to create Gmail accounts solely for this purpose. Companies then try to tighten down on outbound emails, but employees find another way and the arms race continues. Aggressive deletion strategies not only do not work, but they also tend to drive the saving of emails and files into unauthorized, unsecure, and hard-to-access areas, increasing the risks and costs of over-retention.
Monolithic Retention and Deletion Doesn’t Work
Another approach to deleting emails and files is to define a monolithic retention period of, say, three years, and delete all electronic information older than that. It is true that much of this older information is either an expired record, low-value business information, or a copy of information saved elsewhere. Nevertheless, some of this older information cannot be defensibly deleted as it contains:
- Active records that need to be retained longer than the monolithic, three-year period example (see box below on email).
- Files or emails that contain business value, including intellectual property, business processes, or reference information.
- Files or emails that may be subject to a legal hold.
Again, much of the older electronic information can and should be deleted. Yet using one-size-fits-all monolithic retention periods is likely to result in the deletion of information that should be saved.
There is one area today, however, where autoclassification is being used successfully. It can do a fairly good job identifying certain types of specific information, such as personally identifiable information (PII) and protected health information (PHI) for privacy, or searching through a series of contracts looking for a particular term.
While these true autoclassification systems are not quite ready for identifying all record types, they can do an adequate job of identifying non-record, low-value information that should be deleted. Sometimes cleaning up redundant, obsolete, or trivial data (ROT) can go a long way toward reducing costs and risks.
Deletion Strategies That Do Work
It can be argued that saving files, emails, and other types of electronic content is the easy part. The real test for an effective records program is how consistently it can dispose of expired, duplicative, low-value content. Equally important is disposing of information in a compliant manner that will not be challenged in the future (either during litigation or by a regulator). While developing and executing successful disposition programs can be challenging, there are strategies that do work.
Implement the Five Second Rule with Drag and Drop
Traditional records management classification and storage processes and procedures require employees to take time-consuming steps. While these manual steps may only take 60 seconds, this minute—multiplied against the hundreds of records employees may receive or create each week—potentially equals many hours of records management burden per week.
Instead, successful deletion starts with the “five second rule,” which states that employees will spend at most five seconds looking up a retention period, manually classifying an email or file, moving the email or files to a repository, and applying any labels. If the manual records classification and management process takes longer, even well-meaning employees will soon start ignoring the process.
Most modern content management systems such as Microsoft 365, OpenText, and others provide the ability to automatically apply metadata tagging (also referred to as labeling) based on where a record is stored. In other words, these systems allow a type of “drag and drop” tagging: Under this method, when employees drag and drop a file or email into a folder or specific location, the system automatically tags it.
This “drag and drop” classification strategy requires more upfront work. The records management or information governance team needs to configure the managed folders or other repositories with the applicable records retention, data security, and access rules. Ideally, a complete information governance framework—retention, security, and access—should be configured.
When It’s Time to Delete a Record, Let Systems Do It Automatically
It is very difficult to get employees to manually delete older emails and files. A better strategy is to get content management systems to delete information automatically. This removes the employee from the disposition process and instead leverages technology to dispose of records when the retention period expires.
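The location-based tagging and automatic disposition described above, set beside the monolithic cutoff from the earlier section, as an added example that is not code from any content management product. The folder names, retention periods, `Item` fields, and the matter tag are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical folder-to-retention map, in days. Folder names and periods are
# assumptions; Working Documents sits in the one-to-two-year range.
RETENTION_DAYS = {"Contracts": 7 * 365, "Working Documents": 2 * 365}
DEFAULT_DAYS = 3 * 365  # assumed fallback for locations with no configured rule


@dataclass(frozen=True)
class Item:
    item_id: str
    folder: str                       # where the employee dropped the item
    created: date
    matters: frozenset = frozenset()  # legal matters the item is tagged with


def retention_for(item):
    """Location-based tagging: the top-level folder decides the retention period."""
    top = item.folder.split("/", 1)[0]
    return timedelta(days=RETENTION_DAYS.get(top, DEFAULT_DAYS))


def disposition(items, today, active_holds):
    """Return (ids to delete, audit trail). A legal hold always overrides expiry."""
    to_delete, audit = [], []
    for it in items:
        expires = it.created + retention_for(it)
        held = sorted(it.matters & active_holds)
        if held:
            decision, reason = "hold", "legal hold: " + ", ".join(held)
        elif expires <= today:
            decision, reason = "delete", f"retention expired {expires.isoformat()}"
            to_delete.append(it.item_id)
        else:
            decision, reason = "retain", f"retain until {expires.isoformat()}"
        # Every decision is recorded, so compliance can be shown in an audit.
        audit.append({"id": it.item_id, "decision": decision, "reason": reason})
    return to_delete, audit


def monolithic(items, today, days=3 * 365):
    """The single-cutoff approach: everything older than the cutoff is deleted."""
    return [it.item_id for it in items if it.created + timedelta(days=days) <= today]


# Constructed sample data, not taken from any real system.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Item("c-1", "Contracts/Vendor", date(2020, 1, 15)),
    Item("w-1", "Working Documents/jdoe", date(2021, 3, 1)),
    Item("w-2", "Working Documents/jdoe", date(2021, 2, 10), frozenset({"matter-17"})),
    Item("w-3", "Working Documents/jdoe", date(2024, 1, 5)),
]

if __name__ == "__main__":
    deleted, trail = disposition(SAMPLE, TODAY, {"matter-17"})
    print("folder-based deletes:", deleted)
    print("monolithic deletes:  ", monolithic(SAMPLE, TODAY))
    for row in trail:
        print(row)
```

On the sample data the single cutoff removes an active contract and an item under legal hold, while the folder-based rule removes only the expired working document and records a reason for each decision.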
Delete Emails and Files When You Move to the Cloud
Many companies are moving from on-premises email and file storage to cloud-based systems. This switch to cloud-based systems is an excellent opportunity to clean up old emails and files. First, identify all the information to be migrated. Do not necessarily assume that everything stored on the old system should be moved to the new systems.
Next, instead of simply dumping straight from the old file system into the cloud storage, set up the appropriate folders that are configured with the appropriate retention period. Once everything is set up, move the selected older content into its new location.
Doing this type of “smart migration” does require some pre-planning and configuration ahead of time. Avoid the temptation to simply throw everything up into the cloud and plan on sorting it out later. The benefit of thinking this through is two-fold: first, it can clean up and greatly reduce the number of emails and files. Second, by configuring the cloud system with appropriate retention, there will be much less accumulation of information moving forward.
Create a Working Documents Area
Employees feel compelled to save everything. Instead of trying to fight this tendency, give them a safe, manageable place to save content. Within your Microsoft 365 or other content management system, provide a “working documents” folder. A working documents folder is a “personal file” area that allows employees to save any document for short- to medium-term retention. Allow employees to save whatever they want in these folders, for whatever reason.
Because they have been provided with a viable place to save any type of information in the working documents folder, prohibit them from saving unneeded information on desktops, file shares, and other unmanaged and uncontrolled places. Explain to employees that you are not stopping them from saving what they need, but rather asking that they save it in the right place.
A working documents folder does not, however, enable employees to retain their files and emails forever. Set the retention for these folders anywhere from one to two years. Then let the system dispose of the information when it expires. The key is that while employees can save whatever content they want, working document folders exist in a controlled and secure environment, with disposition automatically enforced. Microsoft 365 and other repositories are terrific at saving information. They are even better at deleting it.
Implement Employee Behavior Change Management
Creating policies and configuring technology are key steps to getting rid of old emails and files. However, the most important step is often overlooked: employee behavior change management.
Behavior change management is a combination of messaging, communication strategies, training, and audit. Designed to drive users toward a target behavior set and to measure progress in achieving compliance, these activities are also beneficial for providing formal, consistent communications to employees and executive sponsors during implementation.
The goals of behavior change management include:
- Drive User Adoption: Drives program adoption by business units and employees.
- Communicate Messages that Resonate: Identifies key messages likely to resonate with employees.
- Sell Program as a Win: Messages program as a win for all employees, not a compliance burden.
- Test Consistency: Ensures messages and trainings are effective for all groups across the organization.
- Demonstrate Compliance: Demonstrates compliance with requirements and the company’s intent to follow policies.
To ensure successful change, it is key to identify which audiences need to be addressed, what platforms are available to deliver the training to the right audience, and what messaging needs to be developed.
Conclusion
Perhaps the biggest barrier to deleting files and emails is fear. Fear that employees will not put all the information in the right place. Fear that some of it will be misclassified or that retention will not be properly applied. Fear that records under legal hold will be deleted. Fear that records will be deleted before their expiration date.
Information governance is an inherently imperfect process. Fortunately, the courts and regulators do not expect perfection. Rather, they expect reasonable, good-faith efforts.
In your policies, declare what will be done. Execute those policies with processes, technology, and training. Demonstrate that policies are being complied with through metrics and audits. Show that a plan has been developed. Show that the plan is being executed. Audit the results and remediate any shortfalls. Not perfect? That’s fine; no one expects it to be perfect. Start with good and keep moving forward.