Your nonprofit may be sitting on a data liability it doesn’t know it has.
Carolyn Woodard talks with Ian Gottesman, CEO of NGO ISAC, about why the question of what your organization keeps – and for how long – is more urgent than ever. Ian has been studying and writing about data retention for 30 years, and in this conversation he makes the risks concrete: e-discovery requests, contractual disputes, subpoenas, and the exposure that comes from mixing personal and organizational data on staff devices.
Most of the time, the threat isn’t a headline-making congressional hearing.
It’s a vendor dispute, a board member’s outside legal matter, or a subcontractor conflict that suddenly pulls your organization’s email into a lawsuit. By the time that happens, it’s too late to create a retention policy – and implementing one after a subpoena has been issued can actually make things worse.
Ian also makes a compelling case for why this work matters beyond compliance: clean, well-governed data makes AI tools dramatically more useful. If your file servers and inboxes are full of outdated drafts and forgotten threads, the AI tools your team is adopting are ingesting noise and repeating it back to you.

Ian Gottesman is CEO of NGO ISAC, a nonprofit community of more than 500 organizations — including nonprofits and partner technology companies — working together to improve cybersecurity across the sector.
Ian has spent nearly two decades as an IT leader in the nonprofit sector, and has been researching and writing about data retention since his master’s thesis at Florida State University almost 30 years ago. NGO ISAC hosts weekly webinars, an annual conference, and an active online community where nonprofit staff at any level of technical expertise can get support, share resources, and collaborate on cybersecurity challenges. Membership is open to any US-based nonprofit, of any level of cybersecurity or tech savviness. The join button is at the top of their website.
Alex was happy to share his experience and advice on nonprofit data retention.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was glad to have this conversation with Ian Gottesman on nonprofit data retention policy and its growing importance for both cybersecurity and responsible AI adoption.
Community IT has been serving nonprofits exclusively for twenty-five years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. Our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
Being 100% employee-owned is important to us and our clients. It is an important aspect of our culture as a business serving nonprofits exclusively for 25 years.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand.
We think your IT vendor should be able to explain everything without jargon or lingo.
If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics podcast. I’m Carolyn Woodard, your host, and I’m here today with Ian Gottesman from NGO ISAC. So, Ian, would you like to introduce yourself?
Ian Gottesman: Sure. My name is Ian Gottesman. I am the CEO of NGO ISAC. Excited to be here on the Community IT podcast and excited to talk about record retention as something I’ve been working on for almost 30 years. That’s what I wrote my master’s thesis on many, many moons ago at Florida State University. And I’m happy to help people manage this risk and figure out a way to lower that risk and increase trust in the work you’re doing, which is really the core of what the NGO ISAC does and what I hope you can do.
Carolyn Woodard: Can you tell me a little bit more about NGO ISAC? That’s a membership organization, right? People can join.
Ian Gottesman: Yeah, so NGO ISAC. NGO stands for non-government organization or nonprofit organization. Anyone that’s a US-based nonprofit can join. Most of our members are 501(c)(3)s, but we include C6s, C7s, and other sorts of nonprofits. We’re a community mutual aid organization. We help lower digital risk, improve cybersecurity, and increase trust. So if you have a question about record retention, you can come there. We have trainings on it, including the one at NTEN that we’ll talk a little bit about. We have some internal ones too.
We have weekly webinars, we have an annual conference, we have a community with about a thousand individuals in it, representing about 500 member nonprofits and about 75 partner private companies, just helping figure out complex issues in cybersecurity and making hard stuff easier.
Carolyn Woodard: So if somebody is not a very technical person or is not the cybersecurity person at your organization, can they still join?
Ian Gottesman: Yeah, 100%. They can join if they’re just concerned about risk and trying to figure out how cybersecurity works for their organization. A lot of nonprofits are really, really small. You have one person who’s doing all your operations and administrative stuff: they’re the HR person, the IT person, the finance person, the facilities person, the security person, et cetera. And their area of expertise may not be IT and cybersecurity, but yet they’re in charge of it. That’s a great person to join.
Or if you just have a curiosity in it. Some organizations have a research program or core program about cybersecurity. Certainly those people are happy to join. There are peer organizations of ours, and I used to work at think tanks where we studied cybersecurity, and they are members. We have access, through our partners, to some of the big vendors that maybe you wouldn’t be able to easily talk to, like senior staff at Microsoft and Google, who can help you unravel a complicated problem and resolve something that maybe you’d spend a long time going through a help desk escalation to figure out. You can sometimes find the person that actually built that tool and can resolve that issue.
If you want to join, we’re happy to do it. There are a lot of people that’ll meet you where you are and help you reduce that risk. Cybersecurity is not the hardest thing in the world, but it’s not typically something people are specialized in. Our goal is to make that easier for people and not have to suffer through a security incident to get better at cybersecurity.
Carolyn Woodard: Well, I will definitely include the link to your website and how to join in the show notes. I saw that you have the NTEN course, so I wondered if you wanted to talk a little bit about that and about data retention in general.
Ian Gottesman: Yeah, I can talk a lot about it. This is actually what I wrote my master’s thesis on almost 30 years ago.
Carolyn Woodard: No way.
Ian Gottesman: Yeah. To go back literally 30 years: 1997, I think it was. I’m from Florida. I went to school at Florida State. Florida has very strong open records laws. Basically anything that isn’t specifically exempted from the government is open by what they call the Sunshine Laws.
Email was relatively new in the mid to late 90s, and the state has a lot of big contracts with complicated processes you have to follow. A common tactic is: someone bids on a contract, one person wins it, and then the loser tries to see if people didn’t follow the complicated process. So they’ll make a Sunshine request (which is exactly the same as FOIA requests to government employees) asking about who was involved in the negotiations.
That happened in 1995 or ’96, a little before I was an intern. Email was new at the agency, the Department of Highway Safety and Motor Vehicles, the one that handles highway contracting in Florida. It was a big road contract they were disputing. They were using mainframe computers to do their email and everything else. One mainframe computer that they did almost everything on, because it was a long time ago.
To pull the emails that were requested, they had to do it at night, stop other jobs, and bring in extra people, because it couldn’t be done by the night operators, who were often lower-level employees not particularly skilled in the email system.
There was a pretty high cost to pull those records. They pulled them, and then they tried to bill the vendor that was in the dispute. The vendor said, well, no, we’re not going to pay that, because under open records law you have to provide these in a low-cost, timely manner, and you didn’t meet those requirements.
The judge agreed, and then every agency thereafter realized, oh, we now have a whole new category of electronic records we have to keep track of and provide when requested.
That’s what I wrote my master’s thesis on. I happened to work at one of the agencies that was implementing that policy. I met with the records and archivists, talked about best practices, looked at what some agencies were doing, and evaluated those different agencies against the archivists’ best practices. That’s been something that’s kept up with me over the last 30 years.
It’s different when governments and nonprofits are doing it. Governments have to provide all the information; they’re not allowed to delete things or hide things unless it’s explicitly allowed. By default, everything is open in government.
Nonprofits, it’s the opposite. You have to explicitly decide what you store, and then you delete everything else if you have a record retention policy. That’s typically what it is.
The idea for nonprofits is just to reduce risk. And there are a lot of risks with storing tons of information. There’s the black swan risk that everyone is really scared of, like getting called in front of Congress or someone breaking into your email and leaking embarrassing stuff.
Carolyn Woodard: Sharing, yeah, yeah.
Ian Gottesman: Yeah. “Kompromat” is the term they use, a Russian term, meaning they leak embarrassing stuff about your organization. Sony is the best example of that, from about 10 or 12 years ago. They leaked things that people at Sony were saying, and then a lot of the leadership got fired.
Carolyn Woodard: I remember that. And I remember, wasn’t it around that time too, maybe not related to Sony, there were some politicians whose emails were leaked.
Ian Gottesman: Yeah, politicians at the federal, state, and local level: all their stuff is open. At the federal level it’s FOIA; in Florida it’s just called the Sunshine Laws. So a lot of politicians won’t use email or take notes, because their notes can be seized.
What is a lot more common than congressional testimony or a hack is contractual disputes. You have a vendor that you’re dealing with, things don’t go well, and then discovery is made. A lawyer will send a request and say, we want all this type of information from your organization, or all of this person’s information. You have to provide it typically, or provide a very good reason why you’re not, one that a judge approves.
If you don’t provide it, you can be found in contempt of court and, in theory, go to jail. It doesn’t happen that often, but it does happen occasionally. So if you don’t delete or limit that sort of exposure (and sometimes you can’t), it can be a real invasion of privacy.
And it gets worse in more recent times, because we don’t do a great job, particularly on our phones, of separating personal from work information. If you’re using your phone and you’re involved in a court case, like embezzlement or any number of things, your phone can be seized and included in e-discovery. They essentially take a backup, pull everything off your phone, and look through it in an automated way, and they are looking at it for those keywords or conversations.
They may look at your text messages, your photos, if you have a journal you’re keeping, anything like that. So it can be not only an invasion of privacy, but also really, really time consuming, because you have to provide that information.
It can be expensive too. It’s up to you as an organization: do you want to just provide that information and give it to them? Or do you want your lawyer to look at it? And if you don’t have internal counsel, that can be really expensive, because someone has to look through it.
And oftentimes, even your internal counsel may not have a great deal of expertise in e-discovery, so you may have to bring in external counsel to look through it, because it’s a pretty specialized expertise.
There are tools they’ll use to sort through things and look for specific keywords, on both sides. And there are tools built right into your office suites, your Google and your Office 365, to help you pull e-discovery requests, because it’s such a common occurrence at this point.
Carolyn Woodard: I didn’t know that.
Ian Gottesman: Yeah, you’ll go into Office 365 and look at the e-discovery portal, enter the keywords, the people, the time frame, and it’ll spit out all the eligible information. You provide that, along with the criteria you used to confirm you’re following the rules, to a lawyer who then may provide it directly to the other side. So that’s time consuming. And the more information you have, the more time someone has to go through it.
What you probably want to do to reduce that risk is come up with a policy and a process for what you’re storing, and why, and how long, and who’s responsible for it. Then make sure you follow it. And if you get an e-discovery request, they’re not looking at 30 years of email, just the months you’re storing by default.
My recommendation is for people to really think about what they’re storing and why. Most of the information you’re storing is core operational information: fundraising, tax data, HR data. All of those typically have legal requirements. Your taxes are required to be stored for seven years, for example, and fundraising is similar.
So there are typically legal requirements that either your general counsel or your operations leads will know. Your core program research as a nonprofit often doesn’t have that requirement, so it would fall under the default.
The default can range widely. I was talking to somebody at Community IT who was supporting an organization whose job is essentially to sue other people, a nonprofit that does a lot of suits. By default, they don’t want any information retained because they get counter-sued.
Carolyn Woodard: Right.
Ian Gottesman: So they were saying their default was two weeks.
A lot of organizations will do six or seven months. Thirteen months is common because it’s longer than a year, and a lot of contractual things are yearly, so you keep it around for 13 months.
And then you have a retention schedule that dictates how long you keep specific pieces of information beyond that default, and why, and who’s responsible. Sometimes it may even dictate what format it needs to be in.
One other kind of risk that’s very common but people don’t think about is what I call tangential risk. A lot of nonprofits have senior staff who are on boards of other organizations, or have board members who are senior at private companies. Because of their relationship with those other organizations, and not anything they actually do in their day-to-day work with you, you can be exposed to risk through them.
So if that organization is having a contractual dispute, or your senior leader is on the board of an organization that’s having a contractual dispute, that leader is getting their email e-discovered and you’re having to provide it.
There are a lot of different ways that risk can happen and create embarrassment. And by the time it has happened, it’s too late to go in and delete things or come up with a retention policy. Once there’s a legal hold or an e-discovery request, you can’t delete things at that point.
A lot of organizations have been spending time over the last year or two trying to figure out what their policies look like and why.
Ian Gottesman: The vast majority of stuff we’re doing in email and Slack and almost everywhere else is transitory. It doesn’t really matter to keep it; it’s not the final version of anything important. These are transactional conversations, like where you’re going to lunch. Who cares once you’ve gone to lunch? Do you really need to store that?
The more instantaneous and transitory a message is, the less important it is to save. And also the more likely it is that people say flippant things. Slack, Teams, instant messaging: that’s where people say really unfortunate things they wouldn’t want exposed publicly. Those are also not the places where you’re going to be announcing your new HR policy. You may announce that a meeting’s happening there, but you’re not going to store the policy there.
So that’s where you can start: begin implementing your retention policy with the things that are most transitory and least likely to need to be saved.
Then come up with what’s called a general retention schedule: what you’re storing, how long, who’s responsible, and what format. In some places, it may be one person responsible for everything. Sometimes if you have a librarian or archivist, you give it to them and they’re very good at it. In most cases, it’s the subject matter expert: your HR person is in charge of HR records.
You can start with transitory messages like instant messaging: Slack, Teams, Signal, whatever. Get those down to a very short window and delete them quickly. Email is probably the next example of a transitory message where the vast majority of stuff can be deleted. You need to have a process for people to save things they want to keep. In email and Slack, maybe you can flag or mark things so they don’t get deleted, or maybe you print it out and stick it in a folder.
Carolyn Woodard: That’s going to be one of my questions: if you said that your policy was 13 months for email, would you automate that?
Ian Gottesman: Automate it as much as possible. So when something hits 13 months plus one day, it’s automatically deleted.
Carolyn Woodard: Can you do the same on Slack and Teams instead of like disappearing messages?
Ian Gottesman: You can do exactly that. Yeah, you can do that on Slack and Teams, and that’s what you want to do. You want to automate deletion as much as possible, and make saving manual, because that also encourages people to only save things that are meaningful.
There are different ways you can have people save stuff. You can label it. And the label may actually be the retention period; that’s the most common way I’ve seen it done. Oh, this is seven years, so it’s automatically stored for seven years, like a tax return.
The thing that’s probably last, and the most manual in my experience, is your file shares.
Carolyn Woodard: I was just going to ask about that.
Ian Gottesman: Yeah, those are typically places where people made a conscious choice to save something, so there was some thought behind it. You don’t have as much transitory stuff, as much junk. Old stuff that doesn’t have a purpose.
There’s still a lot there though, probably four or five times as much as is meaningful is no longer meaningful. Different versions, like 12 different versions of the same document as you edited it, with different dates at the end or different initials. But you made a conscious decision to save that stuff.
Whereas with email and messaging, it just sort of pours in and you can’t really control what people send you. What should be determining how you save stuff is that retention schedule; it says this type of information should be stored for this long. And it shouldn’t matter if it’s an email or a written letter. The content of the message determines the retention period, and that’s what’s really important.
You can also decide how you want to store things. Paper may sound kind of silly in this day and age, but we’ve been storing paper since the beginning of history, and that’s literally what defines history. If you want to save something, you can always print it out, stick it in a folder, and give it to your archivist or keep it in your file folders, and it’ll be around for a long time.
A simple way to do it is just mark things with the folder name and the retention period. With HR, they’ll often do that: have a folder that marks all the people who applied for a job in a given month, and once you hit the retention period, you go through and delete all the files that are more than, say, 90 days old.
Because if you store things electronically, there are occasional disadvantages. Like, I don’t know how you would get something off a floppy disk these days.
Carolyn Woodard: Well, my sister was telling me she has some of those old mini cassettes, the dictaphone type things that you would hold and take notes. She had one from a couple of vacations she took decades ago. She kind of wants to hear what she was saying, but yeah, it’s very hard to get that.
Ian Gottesman: Right. And so that’s the issue. If you have a proprietary format or an electronic format that’s just hard to retrieve, what do you do?
Whereas if you print something out on paper, it’s there in perpetuity. I mean, you can see things that ancient Romans and ancient Greeks wrote, and even further back.
Carolyn Woodard: Although you might want to put it in a fireproof safe or something, if you’re…
Ian Gottesman: Exactly. And there are organizations you can pay to take things off-site. HR records sometimes have to be stored for the lifetime of employees’ beneficiaries, which can include their children or grandchildren. The VA is still providing benefits to people whose relatives fought in World War I, and they’ve had to store records that could be over 100 years old, which is very complicated to think about.
I worked, well, I didn’t work, I lived near a huge university that provided benefits to people’s children, and they ended up buying an old mall to store their HR records and archives after it went out of business.
Carolyn Woodard: Wow. I guess I want to ask how does one get started if an organization does not have any kind of retention policy and there’s this new urgency around AI search and the risks you talked about.
Ian Gottesman: The easiest place to start is with that policy. You can look at the NTEN course that I created. We have resources at NGO ISAC; it’s a really popular topic. We have sample policies. There are other organizations that have them too. One of the sample policies I found when I was doing research on this was from the CPA Association; I think it’s AICPA, if I remember correctly. There are a lot of people that have this information out there and it can serve as a model policy for you.
And then you want to find the people in your organization who are managing risk. A lot of times that’s your general counsel, if you have one; if not, your operations staff: COO, HR people. You’ll have a surprising amount of internal expertise in creating that. Your HR people will know how long they want to keep HR records because they’re already doing it. They just may not have written it down in a retention schedule. Same thing with your finance team and your fundraising team.
Carolyn Woodard: Your board.
Ian Gottesman: Yeah, your board. All of these things exist in other places. Maybe they’re written down informally, maybe it’s just in people’s heads: oh, we keep board meeting notes for five years.
Then you just write those down in one place and formalize it. The policy ends up looking like a table with a few rows: here’s the type of information, here’s how long you’re storing it, here’s who’s responsible, and maybe here’s what format you’re storing it in. That is honestly not the hardest part of the process. The hardest part is the change management. People really love their data.
Carolyn Woodard: That’s what I was going to ask: do you give that to your IT team? They’re going to automate as much as they can. But is it up to the IT team to tell all the staff how this works, or does HR do that? Who messages it?
Ian Gottesman: The IT team would probably be the ones who enable it and test it, make sure it works. Like if you’re deleting stuff on day 91, they might set up a test email box and make sure it deletes on day 91.
They’re not going to be the ones with the social capital to drive it. You want a more senior person; the more senior the better. Your CEO, your executive director is perfect. COO, CFO, general counsel, someone like that.
IT’s role is really to enable and enforce the policy. And it can be really unpopular. People love email. I can’t emphasize how much people love their old emails. So you’ll want to really communicate this and have someone in senior leadership help you do that.
You’ll want to give people time to review their emails or Slack messages before deletion.
Carolyn Woodard: Yeah, don’t tell them it’s tomorrow.
Ian Gottesman: Right, exactly. It may be many months. That’s the hardest part: the change management.
Carolyn Woodard: I feel like there’s this confluence of urgency. You said you wrote about this 30 years ago, and I feel like my entire time in nonprofits it’s been something like, oh, we should do that, we need to do that, but there’s been no real urgency around it. And now there’s this convergence of the risks you talked about, and also AI coming in.
Ian Gottesman: Yeah, AI and using your data in ways you don’t want…
The other thing too is there’s a cost. When I started my career, there was a high cost to storing data, X hundred dollars per megabyte or gigabyte or whatever it was. That’s no longer the case.
But there is a cost in terms of just the mess. The clutter. If you have 30 years of emails, how do you find what’s useful?
One of the things I think is helpful when thinking about this is to look for a real-world analogy. You go to your physical mailbox, take out your mail, open it up, see what’s useful and what’s not, put the junk in the recycle bin, pay the bill, and then maybe toss that in a month or two. You don’t just open it up and shove it back in there for 30 years. And then you’re trying to find the cable bill from one month ago and sorting through 30 years of mail.
Carolyn Woodard: Yeah.
Ian Gottesman: I think that helps people realize, oh, that makes sense. I don’t need to store 30 years of emails.
Carolyn Woodard: Yeah. When we moved, we had this big filing cabinet. I can’t even tell you, Ian, there were old veterinarian records for a cat we didn’t have anymore. All the stuff that was just in this filing cabinet because it was easy to leave it there.
And when we moved, we were like, we literally don’t need any of this stuff. Anything that was current or that we did need to save, we scanned and put it in a folder where we knew where to find it.
Ian Gottesman: Right. And that’s kind of the same thing. You want to get rid of your electronic clutter, and this process of record retention will stop that clutter.
But going back to what we were talking about: the hardest part of this whole thing is change management and the rollout, particularly around email and files.
People feel less passionate about their Slack messages, at least in my experience. But email people feel really passionate about. They’ve created ways to manage whole processes in email: oh, I use this flag, and then I do that, and then I have an auto reply that sends it to my boss.
Carolyn Woodard: Yeah.
Ian Gottesman: So to do the change management, it’s important to have somebody very important helping you, because IT’s role is typically just enabling the process. General counsel is a really common champion. Even better: a COO, an executive director, a CEO.
Carolyn Woodard: I like the idea of having counsel do it, because then you’re like, oh, the lawyer’s here.
Ian Gottesman: Well, right, and they’re also frequently the ones who are approving the policy or even setting it up.
And your job as the IT person is to enable it and make sure it actually works. Like, if you’re going to store things for seven years, make sure you have a place to store things for seven years.
Carolyn Woodard: And that you’re destroying them after the seven years.
Ian Gottesman: Exactly. So it’s important to do that change management piece and have important people involved. In a perfect world, you have some sort of proof of concept group that tests this out. You’re going to store things for seven years, five years, and whatever the different options are. You test it out with that group. You write instructions, and that group can say, these instructions are really good, or this is terrible, redo it.
That group should include a diverse set of people from different operational parts of your organization, because they’re going to be in charge of saving some of this stuff. It’d be good to have someone from HR, IT, finance, fundraising. Having a really senior person in there is good too, because they can say, I’m the chief executive, and I’ve done this. It’s totally possible. And that sort of embarrasses the mid-level person who claims they can’t do it.
Two other groups are also important: early adopters, people who are always trying to do the new new thing, and squeaky wheels, the people who complain a lot. Having them complain early, so you can deal with it, is much better than having them complain during a full rollout. And you may realize: oh, in addition to them complaining, they’re right. They figured out something you didn’t do correctly. It’s much better to have them early in the process.
You can run that proof of concept group for about a month to make sure it works, and then roll it out to everyone else. People are going to complain. They love email. It’s hard to overemphasize how much people love email, especially if they haven’t been told to store things in any particular way.
Train people, remind them over and over again. If they complain a lot, maybe you extend the deadline: instead of doing it on the first of the month, you do it on the 30th. Or extend the time frame: instead of six months, you do 13 months. That’ll make you more popular and the change a little more palatable.
And then you can ratchet it down if you want. If after a few months at 13 months you feel like you’re storing a lot of data you don’t need, you can go down to six months or six weeks.
Carolyn Woodard: Yeah, yeah.
Ian Gottesman: The complaints will tell you. That’s really the hardest piece: the change management. Making sure people are aware and making sure you train new people coming in.
Carolyn Woodard: I feel like that is often a good tactic: if you have new people you’ve just hired and you train them on this is how we do it, eventually they’ll outnumber the old guard who are still resisting.
Ian Gottesman: Right. And people just get used to it. Oh, we store our email for 13 months, and if I want to keep something longer, I have to mark it, put it in a folder, archive it somehow, print it out, or export it.
And depending on the process and the policy, you can make saving things harder to discourage unnecessary saving. Like, everything has to be printed out to be saved. Do you really want it? Or you have to export it to a certain format and stick it in the shared drive folder. Because then the folder will go through and delete things that are older than, say, six months. Your policy and your process can make storing as hard or as easy as you want.
But your role as the IT leader is to enable that process and have the tools that enforce it, not be the one ultimately responsible for the decisions. That should be the people managing the risk: general counsel, or if you don’t have one, your operations lead.
And then you want an internal champion, an executive sponsor. The more senior the executive, the better. I was at a place like this where the CEO was in the proof of concept group. I remember sending out an email, people were complaining, and he just said, well, I did this. How come you can’t? I’m talking to our funders, I’m talking to our board. Those are the most important conversations we’re having. And I figured out ways to store those. It’s not that hard. People were sort of flabbergasted. Like, if he can manage his email to funders and the board, surely I can manage my email to my research assistant.
Carolyn Woodard: Yeah, that’s a great place to leave it, I think. If your CEO or executive director can do it, then everyone in your organization can do it.
Ian Gottesman: And definitely, to your earlier point, this has been a risk that people have been aware of but haven’t given a lot of thought to. Now people are giving it a lot of thought. Take advantage of that. Implement it now. If you implement it a year from now, it will probably be harder. If you’d implemented it a year ago, it certainly would have been easier.
Carolyn Woodard: Yeah, kind of implement it before you get subpoenaed.
Ian Gottesman: Well, yeah. If you implement it after you get subpoenaed, that’s going to get you in trouble.
Right? Especially if it’s during the subpoena process.
Carolyn Woodard: Right.
Well, Ian, I want to thank you so much for your time today. This was just lovely, as always talking with you. Thanks for making us smarter. I will share the link in the show notes to the course you put together for NTEN, for NTEN members who want to learn more about what they can do.
Ian Gottesman: Yeah, and they can join our community. Well, thank you and good luck with everything.
Carolyn Woodard: Thank you so much for doing this.
Ian Gottesman: Happy to do it.
As advocates for using technology to work smarter, we’re practicing what we recommend. This transcript was drafted with the assistance of AI, and is not a verbatim transcript. The content was edited for clarity, and was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.