The retention dimension

Chris Giles, founder and CEO, LegalRM | Briefing September 2022

Why do law firms need a data retention policy? Because it’s a major part of good governance and business resilience. More specifically, it’s about doing the right thing for firms’ clients and not exposing the firm to increased risk of cyberattacks or being sued. Add to these considerations the negative impact on the firm’s bottom line: potential fines, increased insurance premiums and the cost of additional data storage all add up!

Big-ticket items

We know that cyberattacks on law firms are rising as their reliance on technology grows, and the increase in remote working has exacerbated the threat of cybercrime. According to PwC’s Law Firms’ Survey 2021, of the UK’s top-100 law firms, 90 are ‘extremely’ or ‘somewhat’ concerned about the impact of cyberattacks, making it the top threat identified by firms to their future growth ambitions.

In relation to retention, as firms transition their records into electronic formats as part of their digital transformation journey, they’re simultaneously increasing the ‘surface area’ that cybercriminals can attack.

Additionally, firms should by now be fully aware of their potential compliance exposures in relation to the UK’s Data Protection Act 2018. The Act requires personal data to be kept in a form that permits the identification of data subjects “for no longer than is necessary for the purposes for which the personal data is processed”. Firms can be fined if they hold onto data for an unnecessarily long time, and fines in turn can bring reputational damage.

Building a robust retention policy

What a robust data retention policy looks like will vary from firm to firm but, broadly, it will state the firm’s rules on data retention and disposition and be supported by processes, workflows and procedures. Most critically of all, it should include a retention schedule. The firm’s data retention policy also needs to be reasonable and legal: for example, a policy mandating the destruction of client complaints immediately upon receipt would probably not pass any court-mandated ‘reasonability’ test.

At the same time, the retention schedule should sit at the heart of a firm’s data retention policy. This living document first identifies all the data the firm has – a daunting task since data is likely to be widely dispersed across different systems, media and timeframes. Each record then needs to be assigned a trigger date – the date on which action is taken on the record. For matter material, trigger dates will be determined by jurisdiction and are generally seven or 10 years after the matter was closed (20 in the Netherlands).

The firm also needs to be clear about what it means by ‘closed’ – some matters never close, so setting trigger dates from the time that billing activity ceases might work. That said, some documents will need to be kept for longer – specifically wills, property deeds and contracts with a ‘wet’ (ink) signature.

There’s also the inconvenience that data needs to be assessed to ensure it has no historical or intrinsic value, and that there’s no likelihood the material should be kept in case of some future action or litigation against the firm. Finally, firms need to ensure that the retention and disposition schedule doesn’t contravene anything in either the client engagement letter or in their outside counsel guidelines.

Enforcement

The final and most critical component of the firm’s retention policy is that it must be scrupulously enforced – this is where workflows, processes and procedures come in. Remember that the aim of the game is to get rid of material – whether by returning it to the client or by destroying it. But this can be hard, especially at the start of a new initiative when the largest volumes of data are being processed.

It’s at this point that firms will be well advised to source software that can take some of the strain, organise complexities and automate some processes. For instance, software can bring all the firm’s data sources together using an engine that applies the firm’s retention policies as they apply to different clients and matters in specific practice areas – after that, workflow processes can be applied.

Software can also present all the information needed to green-light data destruction in a simple interface. This matters because firms must make the destruction decision as easy as possible for partners and senior lawyers, who are often reluctant to authorise the destruction of data. But if the firm is to run a successful data retention policy that controls its risks, those partners and senior lawyers must be enabled to authorise destruction.

To find out more, join Legal RM’s webinar Retain, or destroy (data)? That is the question!
