Corporations are amassing huge stockpiles of electronic information which can harbor both value and risk unless the company has a comprehensive, top-down policy for managing it all.
With ‘big data’ pervading every aspect of the business world and the cost of storage at an all-time low, corporations are becoming giant data dumps, amassing huge stockpiles of electronic information. All this data can harbor both value and risk, but unless the company has a comprehensive, top-down policy for managing it all, it may face only the consequences of the risk without ever realizing any additional value.
Information governance (IG) is best understood as an organization’s ‘content constitution’. IG is the framework and guiding philosophy for how data is created, used, stored, retained, deleted and valued. It takes into account data’s value and risk, weighing the potential return on investment of retention against the potential cost of discovery and litigation. It also allows for an evolving set of legal, regulatory and privacy requirements.
When IG is understood in this context, it is clear that successful implementation occurs only when it comes from the top down, as a corporate policy that applies with equal force across the entire organization. At many companies, however, this is far from the case. In fact, a recent study by 451 Research found that only one in three corporate executives believes IG is important to his or her organization.
The importance of an executive-driven policy can be illustrated through a look at ‘defensible deletion’. This is the process by which a company distinguishes the wheat from the chaff within its data stockpiles, archiving what it needs to retain and getting rid of what it does not. As with most big-data processes, defensible deletion requires both human guidance and appropriate technology. Most of all, however, it requires a directive from the top.
What makes information governance so important to a corporation?
Corporations are generating and accumulating data at a rapid rate. Estimates say we create 2.5 exabytes (2.5 billion gigabytes) of data every day – a number that will double by 2014. One business alone, Walmart, is said to collect more than 2.5 petabytes (2.5 million gigabytes) of customer data every hour. Some of this data is created internally, in the form of emails, sales reports, memoranda, spreadsheets and the like. Some is created from outside, in the form of website tracking data, customer data, purchase records, social media activity and so on.
Both sources of data carry potential value and risk. The value is in the business use of the data as well as in the ability to mine it for business and market intelligence. The risk is in exposing confidential data, losing essential data and losing control of data retention and storage, with the latter being the most prevalent – although not necessarily the most harmful – risk.
These issues make a comprehensive IG policy essential. An IG content constitution creates a division of powers and defines roles within the organization so that data practices are properly created, executed and, when required, adjudicated. Companies should take a holistic look at their data and create a policy/technology framework that identifies priorities and objectives, and helps automate compliance therewith.
They must also empower those with oversight to prevent others from deviating from the plan, even if it is potentially disruptive in the short term. The potential long-term risks are usually greater than the short-term pain alleviated by a ‘pause’ in the policy.
The problem of IG silos
Within a corporation, tone at the top is an essential characteristic of effective leadership. It signals the values all employees are expected to live up to, no matter what their duties or position. It also reflects the reality in many corporations that a top-down approach is the only way to successfully implement business initiatives meant to reach across the entire organization.
Unfortunately, with regard to IG, many firms have yet to grasp the importance of taking such an approach. Too often, IG remains siloed – usually within a company’s IT or legal department – and as a result, many corporations never get to the value/risk assessment essential to effective data management. This is because they fail to answer the question of who within the organization owns the data, either because they are stymied by the question or simply don’t wish to answer it.
A common assumption is that the IT department owns the data. While IT may own the infrastructure, however, it does not own the information contained within that infrastructure. Furthermore, IT is not equipped to understand either the business value or the legal risk of the information.
The legal department is no better situated to take responsibility for a comprehensive IG policy. It is likely to be so focused on risk that it can barely appreciate the business and intelligence value of the data. Inside counsel are more likely to focus on the potential exposure resulting from a damning document that should have been deleted, or conversely sanctions that might be imposed for uncontrolled or undocumented deletion. To lawyers, data is almost always trouble – it is kept when it could have been deleted, and deleted when it should have been kept. They are not big-picture thinkers when it comes to enterprise content.
Worse yet is when responsibility for data management is spread across departments, with no one person given overarching authority. If five people own the process, no one owns it. Ultimately, for a policy to rise to the level of true information governance, someone must have the authority to compel compliance in all silos and to compel co-operation among them.
Needless to say, both IT and legal are key participants and stakeholders in corporate IG. In an age of big data, however, the reality is that there is not a department within a company that does not create, use and manage data. For this reason, the only sensible and safe approach to IG is to treat it as a multidisciplinary initiative that spans every part of the business.
Executives need to understand that the impact of big data on their organizations is pervasive and ever-expanding. To protect their businesses and their customers, companies need an IG policy that is uniformly applied and followed across every department. That will only happen when the policy comes from the top down.
IG in action: defensible deletion
An increasingly important component of IG for larger corporations is defensible deletion. Think of it as a spring-cleaning process to rid the metaphorical corporate garage or attic of what is truly junk (junk data in this case being data not classified for any business, regulatory or legal purpose). For any deletions to be defensible, the company must know what it has thrown away.
Beyond its obvious value in eliminating unneeded files, defensible deletion is also a good first step in implementing a broader IG policy. There might not be unanimous consent across all enterprise stakeholders as to what constitutes valuable data, but there is usually an easily identifiable subset of worthless files. The process of bringing in the stakeholders to sort out the data into piles is IG in action. The organization’s desire or ability to operate within the realm of ‘big data’ may then drive future discussions regarding what to do with what’s kept. More deletion could obviously follow.
Big data can hold big value for a business. Only in recent years, with the availability of sophisticated analytics, have businesses come to fully appreciate this value. Tools for data mining and analysis enable corporations to find gold within mountains of electronic information. Often such data has predictive value, revealing patterns among customers and within markets.
At the same time, there is risk and cost in saving literally everything. Yes, storage is cheap, but not so cheap as to justify data hoarding. Defensible deletion is the ideal compromise, insofar as it seeks to recognize what is worth retaining and get rid of what is garbage. There is little question that defensible deletion can benefit a company by saving it money and reducing its risk.
This is not to say that the line between gold and garbage is always crystal clear. Consider an insurance company that has gathered extensive data on its internal sales practices throughout the last 15 years. The company can mine that data for insights into what worked and what did not and use those insights to improve future sales – but if the federal government launches a surprise investigation of the company’s sales practices, every last bit of that retained data suddenly becomes discoverable and exposed.
For this very reason, the ‘defensible’ part of defensible deletion can be achieved only in an organization with top-down IG and, ideally, with direct executive leadership from the C-suite, perhaps in the form of a chief information officer. The process then becomes one that crosses functions and departments and has them working together to identify value and risk.
It may begin by having the company’s various business units identify the key kinds of data they want to keep. Key stakeholders within the company would then perform an analysis of the potential value of that data, and legal would evaluate the potential risks and identify data that must be kept or should be deleted. IT’s role would be to identify the most effective and efficient methods for identification, analysis, archiving and retrieval of the data.
A policy and a process
Defensible deletion requires both a policy and a process. The policy helps define the types of records to retain and delete, the frequency with which the data will be evaluated, and what checks are in place to guard against spoliation or violations of legal holds.
By contrast, the process side of the equation needs to be repeatable and relatively painless. By necessity, it relies heavily on technology as a critical component. Can the data evaluation be automated or will it always require some degree of manual intervention? How should the ‘good’ data be archived so that it is easy to retrieve and use?
Many corporations, even those that understand the importance of defensible deletion, lack internal systems and tools with the sophistication required to enable them to analyze their data and determine its value. For this reason, some corporations are turning to external repositories to handle their defensible deletion processes. Using platforms developed for advanced e-discovery tasks, these repositories provide the kinds of sophisticated search and analytical tools that can be used to identify valuable data and cut out what is junk or no longer needed.
Once the deletion process is done, the external repository can serve as a data archive for legal hold and preservation purposes. Should litigation arise, it can also serve as a platform for e-discovery search, review and production.
For a corporation with a comprehensive IG policy that includes a sound approach to defensible deletion, there is a payoff. This comes in finding the optimal balance between mining the value of big data while mitigating its risk. Corporations that achieve that balance have the potential to drive growth through analytics while also reducing legal risks and costs. And if defensible deletion is an organization’s first foray into true information governance, the work that went into its implementation will be the foundation for broader initiatives to come.
But that can happen only when companies first adopt a cross-functional, team approach to IG that employs consistent and repeatable processes across all departments and business units. That, in turn, can happen only when those in the C-suite buy into the importance of IG – and set the tone for the company from the top down.
