Be honest: does your office look like this?
There are two basic approaches to managing stuff of all kinds, from paper and digital files to clothing and personal items: are you more of a maximalist who keeps everything or a minimalist whose first impulse is to purge items? When it comes to managing corporate data stores, what to retain and what to toss has grown more complex as the types of data organizations generate have expanded dramatically. These days, there’s far more to data than just documents.
Organizations that use Slack to stay connected, for example, have to decide what Slack data they should keep and what they should delete. For collaboration platforms like Slack, the default is generally to keep everything. After all, Slack’s name is an acronym for “searchable log of all communication and knowledge.”
But should you stick with Slack’s default? What data should you keep, and what should you toss at the earliest opportunity? Answering those questions is what retention policies are for.
Fundamental Factors That Determine Data Retention Policies
A data retention policy states how long an organization should retain its various data types and sets out the details of data retention and data destruction. Retention policies should answer a variety of questions about data, including:
- What data do you keep?
- How long do you keep that data?
- In what format is the data stored?
- Where is the data stored?
- Who is responsible for maintaining the stored data’s security?
- When and how will stored data eventually be purged?
Before establishing a data retention policy, an organization must understand what data it generates and uses across its business units. Data can be dispersed across numerous applications, systems, and storage locations, all of which should be accounted for in a data retention policy. Since you can’t thoughtfully retain or purge data you don’t know about, creating a data map to understand your data sources is a crucial first step.
For each type of data you generate, you’ll want to ask what the data’s purpose is and how long it will remain useful. Social chats on a collaboration platform may only be useful for a day; project conversations that demonstrate the origin of a piece of intellectual property are likely to be useful for much longer.
Organizations should only keep data that is necessary or useful. That may include data that is required or helpful to:
- maintain legal or regulatory compliance and respond to regulatory inquiries,
- defend the organization against legal claims,
- establish ownership of the organization’s intellectual property when faced with potential theft or misattribution,
- onboard new personnel and bring them up to speed on projects,
- learn from past projects and establish a store of institutional knowledge.
On the other hand, outdated, redundant, or simply irrelevant data need not—and should not—be retained.
Determining which data fits in which category requires balancing competing forces.
The Pros and Cons of Retaining or Purging Data
Organizations retain data for four primary reasons:
- inertia—they’ve never worked their way through deciding what data they can or should delete, so they keep everything by default;
- compliance—to satisfy legal and regulatory requirements for data retention;
- knowledge—as a valuable store of institutional knowledge; and
- spoliation—to avoid claims of lost or destroyed evidence during ediscovery and litigation.
Let’s take a moment to discuss that last point. Retention policies notwithstanding, data that is potentially relevant to a pending or anticipated litigation matter needs to be preserved when a preservation obligation is triggered. Failure to do so can leave the organization vulnerable to charges of spoliation. But trying to keep everything isn’t the best way to protect against these allegations. Instead, data retention policies should explain why an organization has decided to keep or purge various data. An organization that can explain its data retention policies and demonstrates how they apply them uniformly across each type of data is in a far better position to explain data purged before the preservation duty attached.
And there are compelling reasons to purge data, namely:
- to reduce the costs of data storage;
- to limit the damages associated with a potential data breach or cybersecurity incident;
- to maintain speed and efficiency in computer systems, which can slow to a crawl when overburdened with unnecessary data;
- to save employees the time and stress of searching through confusing and useless stores of extraneous data; and
- to reduce costs and risks of ediscovery—because the more data you have, the more you’ll have to preserve, collect, process, review, and perhaps produce in ediscovery.
Of course, retention policies will vary for different types of data, based on the value of that data to the organization and the format, complexity, and location of the data, among other considerations. So, how should organizations design retention policies for Slack data?
Creating Retention Policies for Slack Data
Slack data falls into two primary buckets: direct messages and Slack channels. Channels usually are classified as public or private and business-related or social and entertainment-focused. Generally, we recommend that organizations purge direct messages—which are unlikely to provide any value to the business—on a relatively rapid cycle, perhaps every 90 to 180 days. Similarly, organizations can use the same short retention period for data in social and entertainment channels. On the other hand, data in project-related channels is likely to be a valuable source of institutional knowledge for the organization and may be subject to regulatory retention requirements.
Left to its own devices, Slack will retain all messages and files—including attachments—for as long as your workspace exists. Users of the free version of Slack can only access their most recent 10,000 messages, but all other users can retain everything forever if they wish.
Slack also enables basic message retention policies. It provides three options:
- keep everything, as in the default setting;
- keep all messages, but don’t track revisions; or
- delete both messages and revisions after a set period.
If an organization enables the last retention setting, Slack will automatically delete any messages and files daily as they “age out” beyond the chosen period. Slack advises users that “message and file deletion is permanent” and cautions users to “adjust these settings with care.” Note that Slack also provides an option for individual users to edit the message retention settings for channels and direct messages (DMs). We strongly suggest that Slack administrators disable this function to establish and control its uniform data retention policies.
If you do implement a retention schedule for your organization’s Slack data, you’ll also need to plan for legal holds. Slack now enables legal holds through an internal function that permits in-place preservation.