People, Process, and Technology for Information Governance Success
In the world of data risk, the "what if we needed it" mindset is a comfortable but unsustainable position. As data volumes explode and AI agents increase the potential for risk exposure, organizations must move away from hoarding data forever and embrace a culture of defensible deletion. These essential lessons, drawn from a conversation on Exterro's Data Xposure podcast with Ryan Zilm, Director of Information Governance at H2O America, reveal that successfully implementing a data disposition program is not just a matter of compliance, but a strategic effort built on three interconnected pillars: engaging your people, leveraging technology, and implementing clear processes.
For data risk leaders, the "what if we needed it" mindset of data hoarding is no longer a sustainable strategy as data volume and AI proliferation increase risk exposure. Successfully moving toward a culture of defensible deletion requires a strategy built on three interconnected pillars: engaging your people, implementing clear processes, and leveraging technology.
People: the Art Needs a Heart
Information Governance (IG) is both a science (the black and white of regulatory compliance requirements) and an art (how you sell and implement the program). While the regulations are complex and overlapping, the biggest challenge often lies in the human element: convincing employees to let go of data they fear they might need. The key to adoption is prioritizing relationships and building trust before implementing any major change.
- Lead with Relationships: Focus on earning trust first, then worry about the program itself. If you’re having challenges convincing team members to buy in, consider taking those colleagues to lunch or coffee and simply listening to their fears about data deletion. Have a candid conversation and address their concerns. Earning trust might not even be about IG itself. Sometimes, even small wins unrelated to the program, like fixing a broken printer, can build the rapport necessary to drive major change.
- Target the Naysayers: Actively seek out the most challenging people or those most reluctant to change, and involve them in pilot programs. If you can address their list of concerns and make them comfortable, they will become your strongest advocates. Avoiding potential negative voices doesn’t make them go away; you’re just postponing addressing their objections.
- The Hump Question: To address the data retention mentality of "I am going to need that information," pose this insightful question: If this data were gone, how hard would it be for you to recreate it? This helps people realize what information is truly vital versus what is merely convenient.
Technology: Consistency Is King
While human buy-in is essential for launching an IG program, technology is the only way to ensure its legal defensibility and continuity. When humans are tasked with manual interventions, there is a possibility of mistakes happening, or items being accidentally overlooked. The core benefit of software-automated data disposition is consistency.
- Remove Inconsistency: The human element introduces subjectivity—where one person deletes a document and another keeps an identical one—which undermines legal defensibility. A technology-driven process removes this subjective element by making decisions on when to keep information and when to remove it in accordance with pre-determined and approved criteria.
- Ensure Defensibility: When facing litigation, having technology in place that has operated consistently is critical to proving that data was managed correctly. Consistency helps an organization win cases or reduce fines by demonstrating a uniform process. If there is no “reasonable anticipation of litigation,” data may be deleted in accordance with standard policies.
- Maintain Follow-Through: Automation is necessary because manual processes are less likely to be followed up on, increasing the chance of program failure and data accumulation. If data retention is yet another task on a team member’s plate, then you run the risk of that person determining other items are a higher priority.
Process: Implement a Tiered ROT Cleanup Strategy
Implementing a massive data cleanup goal can be overwhelming and set you up for failure. It may alarm people and create resistance, or be too complex a project to manage effectively. It’s better to start small and build up to the final goal. Therefore, to transition away from data hoarding effectively, most organizations should adopt a phased approach to reducing Redundant, Obsolete, and Trivial (ROT) data.
- Implement a Tiered Strategy: Break the strategy into "bite sizes" by targeting the least risky data first. Start by targeting data that is unquestionably old, such as system files or documents not accessed in over 10 years. Once that is successfully accomplished, move to an intermediate tier (e.g., five years), and then to the shortest retention period (e.g., two years), customizing the years based on your organization's age.
- Use "Quarantine as a Service": Introduce a holding queue for data before final deletion (possibly 90 days). While in quarantine, if some of the data is needed, it can be easily restored. This provides a service that gives people access to the data while it is transitioning out of use. This safety net helps people get over the fear of getting rid of unnecessary data because they know they have a final window to retrieve it if needed.
- Target Quick Wins: Start with specific, low-hanging fruit, such as terminated user data, where processes are often lacking, to build momentum and comfort before tackling broader organizational data.
Ultimately, moving away from data hoarding and embracing a culture of defensible deletion is a critical, strategic effort for data risk leaders facing the challenges of escalating data volumes and AI proliferation. Achieving this shift requires balancing the three interconnected pillars: engaging your People through trust and relationship-building, leveraging Technology for consistency and legal defensibility, and establishing phased Processes to tackle Redundant, Obsolete, and Trivial (ROT) data. For more essential lessons and insights on information governance, be sure to check out other episodes of Data Xposure, the Exterro podcast for data risk leaders.