Community IT Innovators Nonprofit Technology Topics
Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com
Nonprofit Data Retention with Ian Gottesman
Your nonprofit may be sitting on a data liability it doesn't know it has.
Carolyn talks with Ian Gottesman, CEO of NGO ISAC, about data retention and why the question of what your organization keeps - and for how long - is more urgent than ever. Ian has been studying this topic for 30 years, and he makes the risks concrete: e-discovery requests, contractual disputes, subpoenas, and the exposure that comes from mixing personal and organizational data on staff devices. Most of the time, the threat isn't a headline-making congressional hearing - it's a vendor dispute or a board member's outside legal trouble that pulls your email and files into a lawsuit you didn't see coming.
Ian walks through how to build a data retention policy, who in your organization needs to lead it, and why now. With AI tools beginning to ingest your file servers and inboxes, now is exactly the right moment to get serious about data hygiene.
This episode covers:
• The most common data retention risk for nonprofits isn't congressional testimony — it's a contractual dispute, a board member's outside legal matter, or a vendor conflict that pulls your organization into e-discovery.
• Your backup retention schedule must align with your data retention policy. Backups that outlast your retention window are still discoverable — and that trunk of old backup tapes will find its way into a lawyer's hands.
• Start your retention policy implementation with the most transitory data first: instant messaging and Slack, then email, then files. Automate deletion as much as possible, and make saving intentional and manual.
• The hardest part of implementation isn't the policy, it's change management. People love their old emails. Enlist a senior leader (CEO, general counsel, COO) to champion the rollout, not just IT.
• Clean data makes AI tools work better. If your file server is full of outdated drafts and duplicate documents, your AI tools are ingesting noise. A retention policy is the foundation of good data governance — and good AI outcomes.
Resources Mentioned:
• NGO ISAC
• NTEN Course: Data Minimization and Retention — Ian Gottesman
• Sample Not-for-Profit Document and Data Retention Policy — AICPA & CIMA
• Document Retention Policies for Nonprofits — National Council of Nonprofits
• Nonprofit Legal Defense Network (We the Action)
Additional resource: Podcast: Prep Your File Permissions for AI Tools — Community IT Innovators
_______________________________
Start a conversation :)
- Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
- email Carolyn at cwoodard@communityit.com
- on LinkedIn
- on reddit/r/nonprofitITmanagement
- on the Community IT website
Thanks for listening.
Welcome everyone to the Community IT Innovators Technology Topics podcast. I'm Carolyn Woodard, your host, and I'm here today with Ian Gottesman from NGO ISAC. So, Ian, would you like to introduce yourself?
Ian Gottesman: Sure. My name is Ian Gottesman. I am the CEO of NGO ISAC. Excited to be here on the Community IT podcast and excited to talk about record retention as something I've been working on for almost 30 years. That's what I wrote my master's thesis on many, many moons ago at Florida State University. And I'm happy to help people manage this risk and figure out a way to lower that risk and lower and increase the trust in the work you're doing, which is really the core of what the NGO ISAC does and what I hope you guys can do.
Carolyn Woodard: Can you tell me a little bit more about NGO ISAC? That's a membership organization, right? People can join.
Ian Gottesman: Yeah, so NGO ISAC, NGO stands for non-government organization or nonprofit organization. Anyone uh that's US-based nonprofit can join. Most of our 501c3s, but include C6s, C7s, and other sorts of nonprofits. Uh, we're a community mutual aid organization. We help um lower digital risk, improve cybersecurity, and increase trust. So if you have a question about like, well, record retention, you can come there. We have trainings on it, including the the one at NTEN that we'll talk a little bit about. We have some internal ones too. Um,
Ian Gottesman: We have weekly webinars, we have an annual conference, we have a community with about a thousand individuals in it, representing about 500 company, 500 uh member nonprofits and about 75 um partner uh private companies, just helping uh figure out sort of complex issues and cybersecurity and making hard stuff easier.
Carolyn Woodard: So if somebody is not a very technical person or is not the cybersecurity person at your organization, can they still join?
Ian Gottesman: Yeah, 100%. They can join if they're just trying to concern about risk and trying to figure out how cybersecurity works for their organization. A lot of nonprofits are really, really small. You have one person who's like doing all your operations and administrative stuff. They're their HR person, the IT person, the finance person, the facilities person, the security person, et cetera, et cetera. Um and their area of expertise may not be IT and cybersecurity, but yet they're in charge of it. That that's a great person to join.
Ian Gottesman: Or if you just have a curiosity in it, some organizations um have a research program or or or uh core program about cybersecurity. Certainly that those people are happy to join. There's peer organizations of ours. And I used to work at think tanks where we had scholarship studied cybersecurity. They they are members. Um, we have access to
Ian Gottesman: Through our partners, some of the big vendors that maybe you wouldn't be able to easily talk to, like senior staff at Microsoft and Google that can help you sort of unravel a complicated problem um and resolve something that maybe you'd spend a long time going through a help desk escalation to like figure out this weird issue. You can maybe find the person that actually built that tool or can resolve that issue and those things. Um so yeah,
Ian Gottesman: If you want to join, we're happy to do it. And and there's a lot of people that'll meet you where you are and help you reduce that risk. And cybersecurity is not the hardest thing in the world, but it's not the easiest user. That's not typically something people are specialized in. And so our goal is to make that easier for people and not have to like, you know, uh suffer through a security incident to get better at cybersecurity.
Carolyn Woodard: Well, I will definitely include the link to your website and how to join in the show notes. I saw that you have the NTEN course. Um so I wondered if you wanted to talk a little bit about that and about data retention in general.
Ian Gottesman: Yeah, yeah. I can talk a lot about it. Um so this is actually what I read my master's thesis on almost 30 years ago.
Carolyn Woodard: No way.
Ian Gottesman: Yeah. So um to kind of go back a long time to 30, literally 30 years ago, 1997, I think it was. So I'm from Florida. I went to school at Florida State. Florida has very strong open record laws. Um, basically anything that isn't specifically exempted from the government does. Anything that isn't specifically exempted is open by what they call the sunshine laws.
Ian Gottesman: Email is relatively new in the mid to late 90s. Um, and the state has a lot of big contracts and a lot of complicated processes for the big contracts you have to follow. So a common tactic is uh someone bids on a contract, one person wins it, and then the loser um tries to see if people didn't follow the complicated process. So they'll make uh a sunshine request, which is exactly the same as FOIA requests to government employees, like uh who are involved in the negotiations. Um, so
Ian Gottesman: That happened in 1995 or 96 before I was an intern, a little bit before I was an intern. Um and email was new at the agency, the the Department of Motor uh Department of Highway Safety and Motor Vehicles, the one that does the highway contracting in Florida. So it's a for to build a big road, the contract they were disputing. Uh and they were using mainframe computers to do their email and everything else. You had one mainframe computer that they did everything on, or almost everything on. Because it was a long time ago. That's why it worked.
Ian Gottesman: And to pull the emails that were requested, they had to do it at night, they had to stop other jobs, they had to bring in extra people because it couldn't be done by like the night operators who are like a lot of times low-level employees, not particularly skilled at like their email system, for example.
Ian Gottesman: So there's a there's a pretty high cost to to pull those records, and they pulled them, and then they tried to bill the uh vendor that was in the dispute for it. And the vendor said, Well, no, we're not gonna pay that, because you have a rule, you have by law under open records, you have to provide these and you have to do it in a in a low-cost timely manner, and you didn't meet those requirements. Uh
Ian Gottesman: The judge agreed, and then every agency thereafter realized, oh, we now have a whole new category of records of electronic records we have to keep track of and provide when requested. Um, and then
Ian Gottesman: That's what I wrote my master's thesis on. I happened to work at one of the agencies that was implementing that policy. Then I met with like the records and archivists and talked about best practices and looked at what some agencies were doing and evaluated those different agencies against the archivists' best practices. Um, and that's been kind of something that's that's sort of kept up with me over the last 30 years. Uh,
Ian Gottesman: It's different when governments and and nonprofits doing it in the sense that governments have to provide all the information and they can't delete things. They're explicitly, they're not allowed to delete things or or hide or not provide things unless it's explicitly allowed by by default, everything is open in government.
Ian Gottesman: Nonprofits, it's the opposite. You have to store things, um, explicitly decide what you store, and then you and then you delete everything else if you have a record retention policy. That's typically what it is.
Ian Gottesman: The idea for nonprofits is just to reduce that risk. Um, and there are a lot of risks with storing tons of information. There's like sort of black swan risk that everyone is really scared of, like getting called in front of Congress or um uh someone breaking into your email and leaking embarrassing stuff.
Carolyn Woodard: Sharing, yeah, yeah.
Ian Gottesman: Yeah. Um Kompromat is the term they use. It's a Russian term. They're like leak embarrassing stuff about your organization. Like Sony is the best example of that. Or like that was what about 10 or 12 years ago? Where they had Sony, they leaked like racist things that people at Sony were saying, and then everyone got fired, or a lot of the leadership got fired at North Carolina.
Carolyn Woodard: I remember that. And I remember there were, wasn't it at that time too? I don't remember if it was related to Sony, but there were some uh politicians that got their their emails were leaked.
Ian Gottesman: Yeah, and so politician politicians at the federal, state, and local level, that all their stuff is open through at the federal level, it's FOIA in Florida where I'm from, it's just called the Sunshine Laws. And um, so their email is all open. So a lot of politicians won't, for example, use email um or take notes because their notes can be seized. Um,
Ian Gottesman: What is a lot more common than like congressional testimony or the hacking, what happens a lot in organizations is contractual disputes. So, you know, you have a vendor that you're dealing with, things don't go well, or even like you're not even maybe maybe you're not even dealing with the vendor directly. Things don't go well, you have a contractual dispute, and then e-discovery is made. So a lawyer will send a request and say, like, we want all this type of information in your organization, or all this person's information. And you have to provide it typically, um, or provide a very good reason why you're not, uh, that a judge approves. And then
Ian Gottesman: If you don't provide it, you can be found in contempt of court and you know, go to jail in theory. I I don't know if that happens too often, but it does happen occasionally. So if you don't delete or limit that sort of exposure, and and sometimes you can't, um, it can be a real invasion of privacy.
Ian Gottesman: And it gets worse in the more recent times, right? Because we don't do a great job, particularly on our phone, separating personal from private information. So, for example, if you're using your phone, has a mix of of work and personal stuff, and you're involved in a court case, like you just said, like embezzlement or um any number of things, then your phone can be seized and include as e-discovery, and they just pull everything off your phone. They in essence take a backup, run everything off your phone, uh, look at it in an automated way, but still they're looking at it, um, to see for those keywords or those conversations.
Ian Gottesman: And they may look at your text messages, your photos, if you maybe if you have an online like uh
Carolyn Woodard: Slack or Teams
Ian Gottesman: Slack, journal, if there's a journal you're keeping, anything like that, right? So it can be a real um not only an invasion of privacy, which it obviously is, it can also just be really, really time consuming because you have to provide that information.
Ian Gottesman: It can be um expensive too. It's up to you as an organization. Do you want to uh provide that information and just give it to them? Like if they request, you know, every meeting you had with a certain person, do you just want to give them all your meeting notes and all your meeting invites and emails and be done with it? Or do you want your lawyer to look at it? And if you don't have an internal counsel, that can be really expensive because someone has to look through it.
Ian Gottesman: And oftentimes, even your internal counsel may not have a great deal of expertise in e-discovery, so you may have to have an external counsel to look at it and to sort through it because it this is a pretty it's a very common, but also kind of expertise.
Ian Gottesman: So there's tools that they'll use to sort through things and look for specific keywords and look for specific things um on both sides. And there's tools built into like your office suites, your Google and your and your uh um Office 365 to help you pull out the e-discovery requests because it's such a common occurrence at this point. They they built management tools right into those tools, right into the suite of tools.
Carolyn Woodard: I didn't know that.
Ian Gottesman: Yeah, and so you will yeah, you'll go into like your Office 365 and like look at the e-discovery portal, enter the keywords, enter the people, enter the time frame, and then it'll spit out all the eligible information. You'll provide that both the criteria you use to confirm that you're following the rules and the eligible information to a lawyer who then may provide it directly to the other lawyer, or you may provide to the other lawyer to look at. Um, so that's time consuming. And the more information you have, the more time someone has to go through it. So, what uh
Ian Gottesman: What you probably want to do to sort of reduce that risk is like come up with a policy and a process for what you're storing and why and how long and um who's doing it, who's responsible for it, and then uh make sure that you follow it. And and then if you get any discovery requests, they're not looking at the whole, you know, 30 years of email or something. They're just looking at the the last how many of your months you're you're stored by default. Um and
Ian Gottesman: That would be my recommendation is for people to really think about like what you're storing and why. And most of the information you're storing is kind of core operational information, like fundraising, tax data, HR data, all of those things typically have legal requirements, like you know, your taxes are required to be stored for seven years. Can they be audited for that long, for example, and fundraising is is similar. Um,
Ian Gottesman: So there's typically legal requirements that either your general counsel or your operations leads will know of why they want to store this money for how long. And your like core program research as a nonprofit oftentimes doesn't have that requirement. So you would that would fall under the default. Um, and
Ian Gottesman: The default can be anywhere from very short, like a few weeks. I was talking to somebody actually at Community IT was saying they were how you guys are supporting an organization that uh basically their job is to sue other people. That's what the kind of it's a nonprofit that does a lot of suits. So by default, they don't want any information to be run because they get counter-sued.
Carolyn Woodard: Right.
Ian Gottesman: So they were he they were saying it was two weeks. Um,
Ian Gottesman: A lot of organizations will do six months, seven months, because uh that's just a period of time where 13 months is common um because it's longer than a year, and a lot of contraction things are a year, so keep it around for 13 months.
Ian Gottesman: And then you you have a retention schedule that dictates how long you keep keep pieces of information beyond that and why, and who's responsible for it. And sometimes it may even dictate what format it is. Um
Ian Gottesman: One other kind of risk that's very, very common that people don't think about is what I call tangential risk. So a lot of nonprofits are have senior staff that are on boards of organizations or have board members that are senior at a private company or whatever. Um, and then because of their relationship with these other organizations, not anything they actually do in their day-to-day work with you, then you're exposed to risk through them.
Ian Gottesman: So if that organization is having a contractual dispute or your senior leader is on the board of an organization that's having a contractual dispute, um then that leader is getting their email e-discovered and you're having to provide it.
Ian Gottesman: So there's a lot of different ways that the risk can happen and can create embarrassment. Um, and by the time you had that happen, it's too late to do to like go in and delete things or come up with a retention policy. Once there's a hold or any discovery request, you can't delete things at that point if the resolved to start that process. Um so, yeah,
Ian Gottesman: A lot of organizations have been spending time doing that over the last year or two, trying to figure out what their policies look like, why you do it, how you do it.
Ian Gottesman: The vast majority of stuff we're doing in like email and Slack and almost everywhere else is like transitory. It doesn't really, it's not super important to keep it. It's not the final version, the final version of what's important. And they're like transactional conversations, like where you're going to lunch. Who cares once you've gone to lunch? Do you really need to store that? Um, and
Ian Gottesman: The more instantaneous, the more transitory it is, and the less important you source, and also the steeper to more flippant things people will say. So, like Slack, Teams, instant messaging. That's where like people say really, really unfortunate things that you wouldn't want to expose in the public. Um, so those are places, and also those are not places where you're gonna be like announcing your HR, your new HR policy, right? You may you're not gonna store it there, you may announce it there. You don't mind people to go to a meeting, for example. Um
Ian Gottesman: So that's where you can start, would be my suggestion. Delete the, start your implementation of your retention policy with the things that are most transitory and the least likely to need to be saved.
Ian Gottesman: And then come up with a policy where you have a what's called a general retention schedule where you have like what you're storing how long and who's who's responsible for it, what format it is maybe. And
Ian Gottesman: In some places, it may all maybe one person responsible on it. Sometimes if you have a librarian or archivist, you just give it to them and then they're very good at it and store it for you. In most cases, it's the subject matter expert, like your HR person's in charge of HR records. Um and
Ian Gottesman: You can start with those transitory messages like instant messaging like Slack or Teams, Signal, whatever. Um, get those down very short, delete those very quickly. Um, and then
Ian Gottesman: Email is probably the next example of a transitory message where the vast majority of stuff can be deleted. You need to have a process for people to save stuff. So in email and Slack, maybe you can mark things and those don't get done, or maybe you print it out and stick it in a folder or
Carolyn Woodard: That's gonna be one of my questions is can you do you recommend that like if you said that your policy was 13 months for email, would you automate that?
Ian Gottesman: Automate it as much as possible. So when something hits 13 months plus one day, it automatically deleted.
Carolyn Woodard: Um can you do the same on like Slack and Teams instead of like you know disappearing messages?
Ian Gottesman: You can do exactly. Yeah, you can do that on Slack and Teams, and that's what you want to do. You want to automate it so that as much as the deletion as possible is uh is automatic, and the saving is sort of ends up being manual because that also encourages people to not to only save things that are meaningful. Um and
Ian Gottesman: There's different ways you can have people save stuff, you can label it. Um, and then once it gets a certain label, it it the label may be the actual retention period. That's the most common way I've seen it done, but sometimes it's not. So you label something. Oh, this is seven years, so it's automatically stored for seven years if it's like a tax return, for example. Um
Ian Gottesman: And then the the thing that's probably the last that you'll go through and um end up is the most manual in my experience is your file shares.
Carolyn Woodard: I was just gonna ask about that.
Ian Gottesman: Yeah, those are typically um, those are typically like people have made a choice to save that stuff. So it's saved on purpose, so there is has been some thought to go into it. So you don't have as much like transitory stuff, as much junk for like a better way of describing it, old stuff that doesn't have a purpose.
Ian Gottesman: There's still a lot there, probably four or five times is what is meaningful is is like not meaningful anymore. What different versions, and like, oh, here's 12 different versions of this document as we edit it, it has to prove with different dates at the end or different initials or something. Um but you have to have made a conscious decision to save that stuff. Uh
Ian Gottesman: Whereas, you know, email and messaging, it just sort of pours in and you can't really control what people send you. Um and you and uh what again,
Ian Gottesman: What should be determining how you save stuff is that that retention schedule that says this type of information should be stored for this long. And it shouldn't matter if it's an email or a written letter, that's what determines the content of the message, and that's what's really important.
Ian Gottesman: And then um you can decide how you want to store things. Uh paper is really it may sound kind of silly at this day and age, but we've been storing paper since the beginning of history. That's literally what defines history is writing and being able to look at stuff. So if you want to if you want to save something, you can always print it out, stick it in a folder, and give it to your archivist, or keep it in your drive, your folder, file folders, and it'll be around for a long time. Um,
Ian Gottesman: That's a simple and easy way, and you just mark things with the folder like when you want to store it. That's a lot a lot of times, like with HR, they'll do that, like have a folder that marks all the people that applied for a job in a given month. And then once you hit the retention period for the end of that HR, like say 90 days is once a person's been hired, you then you would see like, oh, every every at the end of every month you go through a delete all back bookheads, you know, from that are more than 90 days old. Um yeah, and you and
Ian Gottesman: I mean because there are if you store things electronically, there are occasional disadvantages. Like, I don't know how you would get something off like uh a floppy disk this in this day and age, right? Or paper drive.
Carolyn Woodard: Well, my my sister was telling me she has some of those old mini cassettes, you know, those Dictaphone type things that you would hold and take notes. And um, and she had one on a couple of vacations that she took like so many decades ago. And she kind of wants to get, you know, hear what she was saying, but there's yeah, it's very hard to get that.
Ian Gottesman: Well no, right. And so that's an that's the issue, right? If you have a proprietary format or or a format that's electronic that's just hard to retrieve, it's what do you do to retrieve it?
Ian Gottesman: Whereas if you print something out on paper, it's there and see it in perpetuity. I mean, you can see things that ancient Romans and and ancient Greeks wrote and even further back.
Carolyn Woodard: Although you you might want to put it in like a fireproof safe or something like that, if you're
Ian Gottesman: Exactly. And there are organizations and things you can pay that'll like take things off site, like HR records sometimes have to be stored for like the lifetime of the employees' um uh uh beneficiaries, which can be like their children or grandchildren, even. Right. So like the VA is still providing benefits to people that fought in World War I, for example, because the benefits go to their children and grandchildren, and they've had to store records that could be over 100 years old, which is very complicated to think about. Um and I worked in a well, I didn't work, I lived in a place where a huge University and they provided benefits to people's children. They ended up buying an old mall to store their HR records and other records for their archives and those going out of business.
Carolyn Woodard: Wow. Wow. Um, I
Carolyn Woodard: I guess I want to ask how does one get started if an organization does not have any kind of retention policy and there's this kind of new urgency around, you know, AI search and you know, maybe being worried about these risks that you talked about.
Ian Gottesman: Yeah, so the easiest place to start is with that policy. You can look at the NTEN course that I created. We have stuff in NGO ISAC, it's a really popular topic. We have stuff, sample policies. Um, there are other organizations that have them, like the one of the sample policies I found when I was doing research on this was from the Association of Um Accountants, the um CPA Association. I think it's AICPA, if I remember correctly. Um, so there's a lot of people that have this information out there and can be a model policy for you.
Ian Gottesman: And then um, you want to find that people in your organization that are managing risk. So a lot of times that's your general counsel if you have one, if not like your operations staff, like your COO, HR people, people like that. You'll have a surprising amount of internal expertise in creating that. Like your HR people will know how long they want to keep HR records because they're already doing it. They just maybe have it written it down in a retention schedule. Same thing with your finance team, your your and your development team, your fundraising team.
Carolyn Woodard: Your board.
Ian Gottesman: Yeah, your board. Like all of these things exist in other places. Um, maybe they're written down informal, maybe it's just on the on people's minds, like, oh, we keep our board notes for five years. Um and
Ian Gottesman: Then you just write those down in one place and you formalize it, and the policy ends up kind of just looking like a table with a few different rows, like, oh, here's a row of the type of information, here's the row that says how long you're storing it for, here's a row that says who's responsible for storing it, and maybe here's a row that says what format we're storing it in. And that honestly is not that's a hard part, but not the hardest part of the process. The hardest part is um the change management. People really love their data.
Carolyn Woodard: That's what I was gonna ask is who do you uh do you so then you give that to your IT team? They're gonna automate as much as they can. But is it up to the IT team to tell all the staff this is how we do it, or does HR do that? Who messages it?
Ian Gottesman: Um, the IT team would make it, would probably be the ones that enables it and tests it at works, right? Like if you're deleting stuff on day 91, they would maybe set up a test and email box and make sure it deletes on day 91.
Ian Gottesman: They're not gonna be the ones that are gonna have the like social capital or whatever you want to call it to do that typically. You want a more senior person. So the more senior person you can do, the better, like your CEO, your executive director, perfect. COO, CFO, general counsel, someone like that, hopeful.
Ian Gottesman: But the IT's role is really enabling the policy unless um like unless like enforcing it. It's really it can be really unpopular. People love email. I cannot emphasize how much people love their old emails. So uh you'll want to really communicate that and have someone in senior leadership help you communicate that.
Ian Gottesman: You'll want them to like, you want to give people time to do it if they're gonna review all their emails or all their Slack messages or something.
Carolyn Woodard: Yeah, don't tell them it's tomorrow.
Ian Gottesman: Right, exactly. Right. It may be it maybe many months. Like that's the hardest part is that sort of um change management.
Carolyn Woodard: I feel like there's this conjunction of urgency. Like you said you wrote about this 30 years ago. And I feel like my entire time in nonprofits been it's been something that, like, oh, we should do that, oh, we need to do that. But it there's been no urgency around like, no, we actually have to do it. And now there's this convergence of those risks that you talked about. And also, I think AI coming in.
Ian Gottesman: Yeah, AI and like using your data in ways you don't want, or like just
Ian Gottesman: The other thing too is there's a cost. Like when I started my career, there was a high cost of storing data, like just a little storage of data had a pretty significant cost, like, oh, it's you know, X hundred dollars per megabyte or gigabyte or whatever it was, terabyte per month. Um, or just total, like a hard drive was expensive. Yeah. That's no longer the case. So that what but
Ian Gottesman: There is a cost in terms of like just like uh just the the mess, right? The the the clutter of like if you have 30 years of emails, how do you find what's useful? Um, and
Ian Gottesman: Then also like one of the things I think that's helpful to me when I think about these things is like how what what's the analogy like in the real world? So, for example, you go to your book, your mailbox, your physical mailbox, you take out your mail, you you know, open it up, see what's useful, what's not useful, you put in a recycle bin, what's what's something to do with, like a bill you pay, and then maybe you just put in the recycle bin in a month or two, or you apply to it. Uh, you don't just open it up and shove it back in there for 30 years, right? Forever. And then you're like, oh, where's that bill from one month ago? And you have to sort through 30 different years of emails to find the bill that your your cable bill or your phone bill or your whatever, your mortgage bill.
Carolyn Woodard: Yeah.
Ian Gottesman: So I think that that that people kind of think about that like, oh, that makes sense. I don't need to store 30 years of emails.
Carolyn Woodard: Yeah. We didn't, when we moved, we had had this big filing cabinet that had like, I can't even tell you, Ian, like all like old veterinarian records for like a cat that we didn't have anymore. I mean, just all the stuff that was just in this filing cabinet that it was just easy to leave it there.
Carolyn Woodard: And when we moved, we were like, we literally don't need any of this stuff. And anything that was current or that we did need to save, we scanned and put it in, you know, a folder uh to keep that we can knew where to find it.
Ian GottesmanRight. And that's kind of the same thing, right? So you just you want to get rid of your electronic clutter, and this this process of record retention will stop the that clutter. Um but kind of
Ian GottesmanBack to what we were talking about, the hardest part of this whole thing is the the change management and the rollout, particularly around email and files. But
Ian GottesmanPeople feel less passionate about like their Slack messages, at least in my experience. Um, but email people feel really passionate about. They've created like ways to manage whole processes in email and like, oh, I use this, I flag this, and then I do that, and then I auto I have an auto reply that sends it to my boss.
Carolyn WoodardYeah.
Ian GottesmanUm so to to do the change management, it's important to have like somebody who's very important helping you because the IT person's role is typically just enabling the process. So general counsel is a real common one. Um, even better, like a COO or an ED or a CEO.
Carolyn WoodardI like the idea of doing having the counsel do it because then you're like, oh, the lawyer's here.
Ian GottesmanWell, right, and they're gonna have to ... And they're also obvious uh frequently they're the ones who are um approving the policy or even setting up the policy. So
Ian GottesmanAnd your job as the IT person is to like enable it and make sure it actually works. Like, oh, if you're gonna store things for seven years, make sure you have a place to store things for seven years. So you don't just
Carolyn WoodardAnd that you're complying that you're destroying them after the seven years, yeah.
Ian GottesmanExactly. Um so it's important to do that change management piece to have important people involved. Like in a perfect world, you have some sort of proof of concept or user group or whatever you want to call it that like tests this out. So you're gonna store things for seven years and three months and six, six, five years, and whatever the different options are. You can test it out with that group. You write instructions, and that group can say, like, oh, these instructions are really good. This video you created are real is really good, or this is terrible, redo it.
Ian GottesmanThat group should include like a diverse set of people, like people who are in your up different operational parts of your organizations because they're the ones that are going to be in charge of saving some of stuff. So it'd be good to have someone from HR, IT, finance, uh, development, fundraising. Um, senior people having a really senior person in there is good, because then they can say, like, oh, I'm the chief muckety muck, and I've done this, it's totally possible. And it sort of embarrasses like the mid-level muckety muck who says they can't do it. Um,
Ian GottesmanAnd one another two groups of people are important are early adopters, like people that are like constantly trying to do the new new thing. So the new new thing can be like your your record retention policy, or squeaky wheels, like the people that complain a lot. Having them complaining early that you can deal with is much better than like you're rolling it out, and then this person's like, This doesn't work, it's terrible. And you realize, oh, in addition to the person complaining, they're right. Like, oh, they figured out something you didn't do right. So it's much better to have them early in the process. Um
Ian GottesmanAnd so you can do like that proof of concept group, and they can do it for like a month and make sure it works, and then you can roll it out to everybody else after that month. People are gonna complain. They love email. It's it's hard to emphasize how much people love email, especially if they haven't been told to s to uh store it. Um
Ian GottesmanAnd then you you know train people, remind them over and over again, uh, let them know it's gonna happen over and over again. If they complain a lot, maybe you can extend the deadline of when you're gonna do it. So instead of doing it on the first of the month, you do it on the 30th of the month. Or extend the time frame of how long you're gonna do it for, like instead of doing it for six weeks or six months, you do it for 13 months. Um and that'll make you more popular and the change a little more palatable. Um
Ian GottesmanAnd then you can ratchet it down if you want, like in 13 months, you you you've retention period of 13 months, and you do that for a month, a few years or whatever, or a month or a few months or whatever. You feel like, oh, we're we're storing a lot of data that we don't need that at that 13 months, you can go down to six months or six weeks.
Carolyn WoodardYeah, yeah.
Ian GottesmanYour complaints. Um that's really the hardest piece is the change management piece, just making sure people are aware of it and making sure and train your new people coming in.
Carolyn WoodardLike, I feel like that is often a good tactic, is if you have new people that you've just hired and you train them on this is how we do it, you know, and then eventually they'll use the number of old people you have still doing it.
Ian GottesmanRight. And people are just kind of used to like, oh, we know we store our email for 13 months, and if I want to keep it for longer, I have to mark it, put it in a folder, or archive it somehow, print it out, whatever the whatever the methodology is, exported something.
Carolyn WoodardYeah.
Ian GottesmanAnd depending on the process and the policy, you can make saving it harder to discourage any saving. Like everything has to be printed out to save it. So people are gonna have to print it out. Do you really want it?
Carolyn WoodardYeah,
Ian Gottesmanor do you have to export it to this certain format and stick it in a in a document management system we have, or stick it in the shared drive folder that's labeled six months or whatever? Um, because the then the folder will go through and delete things that are older than six months. Um so yeah, you your policy and your process can sort of make storing as hard or as easy as you want. Um
Ian GottesmanBut your role as the IT leader is to just enable that process and hopefully it's not and and maybe have the tools that enforce it and make sure it works, but not be the one who's like ultimately responsible for the decisions. That should be the people managing the risk. So the general counsel is a really common one. And if you don't have a counsel, it's like your operations lead.
Ian GottesmanAnd then you want an internal champion, uh, an executive sponsor. Um the more senior the executive, the better. I was at a place like this. The CEO was on the on the um POC group. And like I remember sending out an email and people complaining, and then he's like, Well, I did this. How come you can't? I'm talking to our funders, I'm talking to our board. Those are the most important conversations we're having. And I figured out ways to store those. It's not that hard, I'm sure you can do it. And then people are sort of flabbergasted, it's nothing. Right? They're like, Oh, you're you're talking to the most important people, maybe my email to my research assistant or my personal assistant. So like so hard to manage. Um that's still the key.
Carolyn WoodardYeah, that's a great that's a great place to leave it, I think. If your CEO or executive director can do it, then everyone in your organization can do it.
Ian GottesmanAnd definitely like take like to your earlier point, like this has been a risk that people have been aware of but haven't given a lot of thought to. Now people are giving it a lot of thought. Take advantage of that. Implement it now. If you implement it a year from now, it probably might be harder. If you implemented it a year ago, it wouldn't have certainly been harder.
Carolyn WoodardYeah, kind of implement it before you get subpoenaed.
Ian GottesmanWell, yeah, if you implement it after you get subpoenaed, that's gonna, that's gonna get you in trouble.
Carolyn WoodardYeah.
Ian GottesmanRight? Especially if it's during the subpoena process.
Carolyn WoodardRight.
Ian GottesmanUm, if it's after the subpoena process is over, and then you're like, well, we've just been through this terrible thing, and you know it would have been easier if we had, yeah. And people will agree, like, oh yeah, I don't want everyone going through every email that mentions you know this very common keyword, and I had to turn it over to this person. It's really not my favorite, or had to give my phone to someone and sit there and watch as they, you know, for hours as they pull gigabits or terabits of data off my phone.
Carolyn WoodardYeah.
Ian GottesmanUm, and you know, my phone has like my medical records and pictures of my family and all this other stuff that private and more private stuff can be on there that you don't want anyone to look at. Um so yeah, you definitely want to get ahead of this stuff.
Ian GottesmanAnd you want to kind of, as an IT leader, you're gonna your job is gonna be to manage the process and less about the sort of um classifying the risk. That should really be the people that understand the data or understand the risk.
Ian GottesmanAnd you kind of want to do it one system at a time, and broadly, like I kind of lumped it together in three three sets um chat or messaging, or whatever you want to call it, like team, Slack, instant messaging, Signal. Um email. And then file storage. And the most risk, risky ones are those chat frequent conversations, and then email is kind of in the middle and file at the at the bottom.
Ian GottesmanBut what's determining how long you sort things is the type of message in your retention schedule, not what how it's being sent.
Carolyn WoodardYeah. Um, it's probably a good time to remind everyone that they're using an organization-owned device that is not private to them. And that's not a lot of those like off-the-cuff comments and such I mean, it's not appropriate on a work.
Ian GottesmanYeah, it's not appropriate in a work conversation. And and it's hard, like in a in text, it's hard to know, like, oh, that sort of remark is funny. It's not mean, or it's not in that's a joke. That's a joke. But it's hard to get tone or jokes. So maybe the the joke isn't really meant to be put in writing.
Carolyn WoodardYeah.
Ian GottesmanUm and you know, you want to think about uh the thing that the that they used to say a million years ago to me, which is still relevant, but maybe there's better analogies, is like, do you want that information on the front cover of the New York Times? Yeah, right? Or do you want it in the center of a social media storm? Right? Do you want, you know, they have Twitter to repost what you said, for example, I worked at places where that's happened.
Carolyn WoodardThe couple that was on the jumbotron at the game.
Ian GottesmanRight. And think about think about your email and these messages as not private, particularly if they're corporate, they're not private at all.
Carolyn WoodardYeah.
Ian GottesmanSo don't, ... think about it. Another analogy that people have made that is easy to understand is think about it as a postcard that anyone can see as it goes to the mail and not something secured in an envelope like a letter.
Carolyn WoodardYeah, that's a good way to think of it.
Ian GottesmanRight. And and your organizational information, your organization has is bearing some of that risk. So they have the ability to go in and look at it. And some of them maybe are doing that. I don't know. And we're like looking for keywords and deleting things. Most places I work, actually, I've never worked anywhere that does that. I've heard stories of like, oh, this person worked at a very fancy finance firm, and then they said something mean in writing about the CEO, and then they got called in the HR office. Not sure if those are true or not, but yeah.
Carolyn WoodardI find it hard to... I mean, so many of the nonprofits that we deal with, uh just having the time and personnel to be able to do something.
Ian GottesmanYeah, right, exactly. They don't have a time and personnel or interest to do that, but the tools are there to certain things. So you want to think about that.
Ian GottesmanAnd that's the way e-discovery works is you go into like your Office 365 or your Google, entering the keywords, the time frame, the person, and it pulls out everything that's related to that, and then you give it to a lawyer.
Ian GottesmanAnd like in some cases, the lawyer will send you very precisely what you do, and even instructions like step by step, like the last, like what tools do you use for these things? And you'll say, Well, I use I use Slack and I use uh Google and I use whatever. And then they'll send you, like, okay, go to this setting, that setting, pull out this information, send it to me. And then you're like, okay, and then you have you know, you can go through and see it. And sometimes it's gigabits of information that you can't really sort that out manually. There's other tools that will go through it. Um, so it can be kind of overwhelming. Uh,
Ian GottesmanAnd it's helpful to have a lawyer on your side. There are like even if you're a nonprofit that doesn't have a legal counsel, either internal or external, there are places like We the Action and others that will get you pro bono or low bono home services, even specifically to e-discovery, because that's a kind of a specialized area of law. But even if you have a general counsel, they may not know their area of expertise.
Carolyn WoodardDo you can people talk to their funder also? Because like often, you know, a bigger foundation will have experience with
Ian GottesmanThey'll have experience or they'll have people to talk to. Um, a lot of times it's around funding that these issues come, not so much like a grant per se, that's unusual, but a contract. Like
Ian GottesmanI worked in an organization where we uh built a new headquarters, and there was a dispute between the general contractor and one of the subcontractors, and we were the we employed the general contractor. Uh, and then there was e-discovery against all the people, myself included, that were involved in some of the meetings and contractual negotiations, and we had to provide it to that suit. And you know, that's very common, that sort of risk that's maybe not directly what you're doing, but it's a contractual dispute between like different members of your organization or a subcontractor and a contractor you've engaged, or like board members on another board and they're in a contractual dispute, or you have a board member that's a senior leader of like a private company that's in a in a suit. So there's a lot of different ways that you can get e-discovery.
Carolyn WoodardYeah.
Ian GottesmanMost of them are not like congressional testimony, which is what strikes the fear in people because they've seen like, oh, here's the educational organization that got called for congressional testimony and they did e-discovery, and then the person was saying one thing publicly and then another thing privately.
Carolyn WoodardYeah. Can I ask you one more thing? Uh, you said something earlier that I just wanted to maybe ask a little bit more about, and that kind of relates to, I guess, AI hygiene and data hygiene that I've been hearing more about. And
Carolyn WoodardYou said, you know, often you'll have in those old, you know, SharePoint or Google Drive, you'll have five, six, a dozen, in my case, versions of the same document. And I've been reading and hearing that that can make it hard for AI to know which is the real one.
Ian GottesmanYeah.
Carolyn WoodardBut if you're going to search, you're using AI to search your documents, like pull up all of the program descriptions for you know, this year or this program area, it might be getting like those older versions that aren't what you want it to be looking at.
Ian GottesmanNo, that's 100% true. Like, so the AI kind of needs a sweet spot. Like, because what it does in essence is like ingest a bunch of stuff and then repeats what it thinks is is meaningful or useful. So if it's ingesting a bunch of garbage, it's gonna repeat garbage.
Carolyn WoodardYeah.
Ian GottesmanSo if you're gonna be using AI tools to like um, I don't know, help you write grants or help you write new policies.
Carolyn WoodardOr the annual report or yeah, exactly.
Ian GottesmanYou want the the the best versions of those to be what it looks at. So it's not looking at like drafts with like, you know, we've all seen files with like this person's initial because they reviewed it or this date or this time.
Carolyn WoodardYeah,
Ian GottesmanYou really want the final version or um to use it. And that's why some AIs that use like better data are much better than like ones that are sort of ingesting like social media, where it's just like not very good because people just type and say silly things. Um, so yeah, AI, it'll you know,
Ian GottesmanIf you clean up your file servers and your email and you're gonna use AI or some tool to help you do better at automate your, I don't know, grant writing or your annual report or whatever, it's gonna get better results if you have better data. Not not really enormously surprising.
Ian GottesmanAnd you need like governance data governance processes, which this this data retention is a part of. Because the better data governance processes you have, the better data you have, and the better, easier it is to find the data, and easier it is to say, like, use this folder, um Chat GPT or Claude to uh collect all the information on our fundraising and then um let us know. Let when I ask Claude to write a better fundraising proposal, it has the best fundraising proposals I've written and can pull that information out to help you.
Carolyn WoodardYeah, yeah. No, I think that's kind of an added bonus of doing this data retention policy um um now. So
Ian GottesmanYeah. And if you have a lot, a lot of data, you can eventually hit that, like, oh, you have a terabyte per person or whatever the storage limit is for your office suite. Yeah. You can hit that um eventually, and then you start paying for it, and that can add up. And so if you you just store a bunch of stuff, it does eventually hit that cost, it was much easier to do in the past. Now you still there still is a cost eventually, like
Carolyn WoodardDo you ever have an organization that you've worked with or heard about that takes like um you know, a sledgehammer approach where you you're confident that like your HR team or the board have all of the documents that you have to retain. And you just say, you know, anything over seven years old, like it's just gone. Put it in an archive, and then after it's been in the archive for a year, then you delete it. You didn't retrieve anything, it's gone.
Ian GottesmanI did that at an organization I worked at during the pandemic. We had an on-store's on-premise store file server, and then no one was working on-premise. So getting to it was a really big pain in the butt. You had to like VPN and VPN licenses, et cetera, et cetera.
Ian GottesmanSo in that case, um, we just said anything over two years old for we like went group by group, file store by file store. So, like if you're in this research program or this operational program, if you and it hadn't been accessed in over two years, we're gonna not upload it to the to the cloud storage to the SharePoint.
Carolyn WoodardYeah.
Ian GottesmanIf there's something specifically that you want uploaded that's over two years old, like this folder of really old reports that are important to you or photos, or yeah. Yeah, just tell us we can do that. Um, but we're gonna back everything up. And if you find that something's not there, let us know. And we did kind of exactly what you described.
Ian GottesmanThere are a few exceptions. HR said no, we want to keep everything, finance and development said similar stuff. So we just uploaded everything for those guys. Um but we backed everything up for I don't know, two or three years for a while. Very rarely did people go back to it after the first five or ten days. Like in five or ten days, they'd be like, oops, we should have saved this folder, and then we'd restore the folder and put it to the cloud. Um and then we, you know, a year or two later we just threw out the the because we had backed it up to an external drive that was attached to our file server. We threw out that drive and then um And then yeah, it wasn't the problem.
Carolyn WoodardI was just thinking that in for a lot of people, myself included, like it's just feels so overwhelming to think I I think I might have something in those files I want to keep, but I don't have time or energy to look through.
Ian GottesmanYeah, and and you can do that's where the anxiety comes from. Right. You can do, like you said, the sledgehammer approach, or you can like have days like we're gonna do this over six months, and the first Friday of every month is gonna be a review day. And you're gonna go through and look at your email or file storage and then delete all the stuff.
Ian GottesmanAnd then and then we have the stuff you want to keep somewhere, and everything else that's not in that keep folder is gonna be deleted or archived and whatever. Um are definitely strategies to like alleviate that stress and and get people to look at files if you really want to, or you can do the reverse, like you're saying, just say, you know what, everything that's over seven years old that hasn't been accessed in five years or two years or whatever, we're gonna delete it unless you tell me otherwise. And then um, and the vast majority of it is it's just junk. You don't need it anymore. You're just keeping it because there's no cost to you.
Carolyn WoodardThose people aren't even employed anymore. Right. I like the idea of like you move it to an archive for a year and anything that hasn't been accessed from the archive, like you clearly don't need it. Yeah.
Ian GottesmanOne thing to think about when you're talking about backup is you want your backups to match your retention schedule.
Ian GottesmanSo if your backup is if your retention schedule is 13 months, you don't want your backup to be in perpetuity, because then if you get an e-discovery request, you have to go to your backup and you're gonna go back and pull that stuff. So when you're doing e-discovery, you may need to re-um define your backups and say, like, okay, we're gonna redo it. So we back up things for 13 months. Um and you don't you don't keep things in perpetuity, and it may limit some of your backup choices.
Ian GottesmanSome backups now, because again, because this vault costs are just so low, and the backup tools get so good at compressing things and deduping and stuff that you're not, even though you may be producing tons of data on the backup, maybe so small that there's no very little cost.
Carolyn WoodardBut that's a good point I hadn't thought about. They can they can still like subpoena your backup if it still exists there. So
Ian GottesmanYeah. One of the places I worked, we had this. This is a long time ago. We had to send like a uh like a trunk full of old backup tapes.
Carolyn WoodardWow. And then you're kind of like, I hope your lawyers don't have fun.
Ian GottesmanWell, we're like, oh, those are encrypted and stuff. You're like, don't worry, we can decrypt them. And like, oh, that provides me a lot of confidence.
Carolyn WoodardNot yeah.
Carolyn WoodardWell, Ian, I want to thank you so much for your time today. This was just it was lovely as always talking with you. Thanks for making us smarter. I will share that uh link in the show notes to the course that you put together for NTEN um for for members of NTEN that can take to learn more about kind of more granular what they can do.
Ian GottesmanYeah, and they can join our community. All right, perfect. Well, thank you and good luck with everything.
Carolyn WoodardWell, I just um thank you so much for doing this.
Ian GottesmanHappy to do it.