With new pressures introduced by the European Union's General Data Protection Regulation (GDPR) and recent stateside efforts to do the same (such as the California Consumer Privacy Act), organizations are revisiting the efficacy of their data and information governance programs. While laws and regulations may vary by industry and company size, most of them act to protect consumers' personal data by prescribing technical and governance standards, backed by stiff penalties for non-compliance.
Notably, these types of directives also introduce a duty to destroy data once it no longer serves a legitimate business purpose. For entities that have grown accustomed to leveraging cheap digital storage, this new responsibility presents many logistical hurdles.
However, implementing such guardrails offers an opportunity to enable better governance throughout the organization, monetize the life cycle of information assets, and foster trustworthy relationships that can enhance the customer experience.
Here are seven tips to help prepare your data to support an information governance strategy:
1. Automate Retention Schedules
Legal and compliance requirements are the cornerstones of corporate governance programs. Yet, tracking the multitude of state, federal, and international laws that affect your internal data policies can be a monumental task. Consider leveraging software as a service (SaaS) solutions to keep your risk, compliance, and legal staff abreast of the latest citation changes to these nuanced instructions. These tools empower you to defensibly destroy and cleanse costly data no longer useful to your organization.
2. Cover Your Assets
Satisfying new compliance requirements means it's not enough to know the kinds of records you keep. Now, you must also be aware of the systems they’re kept in and how that data flows between them. That's why chief data officers and enterprise architects are increasingly embracing asset management tools that not only perform diagnostics on their application stack but also allow them to inventory their attributes and map related processes that inform long-term strategic planning. Tools like these also support application rationalization, which, in turn, aids in the classification and disposal of unneeded data.
3. Introduce Big Buckets
The biggest challenge of enforcing retention across an enterprise is an "event trigger," which complicates how long the organization holds some records. For example, an employee file might be held "x" years following a termination event. Big Bucket strategies allow you to simplify and group like records together. This approach supports efficient destruction but assumes some risk at the same time. Work with your governance partners to determine reasonable standards for a Big Bucket policy and quantify an acceptable level of risk your company is willing to assume to achieve cost and efficiency benefits.
4. Enforce Legal Holds
Cleansing your data lakes and information silos to save costs and minimize risk is an exercise in defensible destruction, but it also requires an awareness of outstanding legal holds. A company that spoliates evidence subject to a legal hold, even without malice, can be fined and suffer adverse inference litigation rulings, resulting in unfavorable judgments. Additionally, sound oversight of records under a preservation hold doesn't just make good legal sense but also helps to better identify opportunities for defensible destruction, cost reduction, and risk mitigation.
5. Activate File Analysis
The tricky thing about new laws, like the California Consumer Privacy Act (CCPA), is that they require companies to find and produce data for the consumer wherever it exists. That can be a cumbersome test for many entities that have hundreds or thousands of repositories. Advanced file analytics tools can plug directly into your network and quickly identify sensitive and personally identifiable information (PII). They can also help you to find redundant, obsolete, and trivial (ROT) data clogging your systems. These tools produce a tangible return on investment (ROI), reflecting how an information governance strategy works to the benefit of your organization.
6. Embrace Content Migrations
Unless you've only lived in one home your entire life, you've probably experienced the cathartic process of cleaning out things you no longer need in preparation for a move. Bringing in a new content management system is not much different, and it’s a unique opportunity to apply retention to your data, discard ROT, and provide employees with more accurate knowledge resources.
7. Bake in Best Practices
Information governance is not a "one and done" proposition. It's a "rinse and repeat" discipline that only works when management ensures that its organizational culture is along for the ride. These days, a basic understanding of data handling is vital for every new hire. Concepts like records retention, data protection, and privacy should be part of any corporate training plan.
By complementing policy frameworks and toolsets with the types of information governance approaches noted here, we can better enable our workforce to hone their knowledge skills, achieve defensible destruction, and improve audit outcomes. In effect, we are future-proofing our businesses from the near-daily siege of data and privacy breaches, seemingly with no end in sight. Information governance is the bright light at the end of that tunnel.
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. He has spent the last 20 years developing large-scale information management programs for Fortune 500 companies, including Paramount Pictures and Farmers Insurance. Follow him on Twitter at @rafael_moscatel or visit www.capp-llc.com.