By Joe Fenner
My previous post covered some key considerations that organizations need to evaluate in defining their approach for email archiving, as they move their core email platforms from on-premises environments to cloud-based solutions such as Exchange Online. This post covers the policy and change management aspects of these transitions.
Focus on the Policy
Regardless of the archiving option chosen, a best practice is to take the email system migration as an opportunity to review existing email retention policies – and the archives themselves – to identify content that can be purged. If you have 50 or 100 TB of old email archives, why undergo the expense and pain of migrating all of it, if you really need to retain less than half of it?
But will your policy actually allow you to delete aged email, and how much? In too many cases, we encounter clients whose email policies actually hamstring their efforts to defensibly purge expired content.
For example, some firms’ email policies call for open-ended, indefinite retention of email, even if there are no compliance requirements for indefinite retention. Others have policies that dictate a 7-year retention – even if business processes are such that official records are never stored in the email system, and even if business users have proven they never go back more than 18 months in the email archives. For those organizations that do have disposition policies, few have actually implemented processes to execute on them. In all of these cases, the result is significant over-retention of email.
So how can you defensibly purge archived email? Content analytics tools can play a role here in helping identify content that is eligible for disposition, but they can be expensive and time-consuming to configure. In our experience, a best practice is to start with your email policy: Simplify it to specify as little retention as possible, and then back it up by putting business practices in place to ensure that official business records are stored in appropriate systems of record, not in email or in email archives.
So when you do purge, it’s under the assumption that nothing that should be retained is in danger of being purged because the business process accounted for it. If the processes are well defined and tracked, you can demonstrate that you are fulfilling your policy. (For more on policies, procedures, and guidelines, see Richard Medina’s post: Information Governance Policies, Procedures, and Guidelines.
Executing on the Policy
What the policy says is one thing; getting agreement to execute on disposition (both one-time and day-forward) is another matter. This typically requires the participation of multiple groups in an organization: Legal, Records and Information Management (RIM), Compliance, IT, and the lines of business themselves – the same groups that likely got involved in refining your policy.
Each of these groups will have different viewpoints and perspectives which may need to be resolved. The business may want to retain content that could theoretically have importance even years in the future. Compliance will want to dispose of anything that is not clearly and explicitly required for retention. IT will, too, so they can reduce storage and slow the growth of a potentially end-of-life archive. But Legal may want to err on the side of retention because of questions about which content is under legal hold, even if they understand the risks of over-retaining potentially discoverable information.
So don’t underestimate the time investment needed to bring all parties around to a new way of thinking about how much email you’ll retain, for how long, and how you’ll regularly dispose of it.
Likewise, with your users, you’ll need to communicate the changes with them well in advance and continue to work with them as they get used to the new rules. If you’re changing the way they work, or what they’ll have access to, you need to give them some time to understand the implications and even to move content to appropriate systems before it is purged.
This is where a strong RIM program can help in working directly with business units to communicate the policy and email archiving process. The RIM program can also work with business units to refine their operational processes as needed, to ensure that the business stores content in appropriate systems, so users don’t rely on email as a record repository and don’t have to spend a lot of time making their own decisions about which email is sufficiently valuable to keep versus delete.