with co-author Eric Setterlund
Many of us make personal New Year’s resolutions, but how many of us also do that with our businesses? It’s 2017 and any business that has to comply with state, federal or international data privacy laws and regulations (which is virtually every business) should make this resolution: keep only what you need! In other words, for any data affected by privacy laws and regulations (i.e., any data that contains personally identifiable information, protected health information or other sensitive information), your company should only keep the data required as necessary for business purposes and to comply with applicable privacy laws and regulations. It’s a simple concept, but it can only be achieved through diligent information management.
With noncompliance risks higher than ever before and companies needing to support an expanding number of applications, communication networks and storage platforms, it’s never been more important to implement and maintain an effective information governance program.
It is now crucial to identify the types of data your company has so the data can be managed according to the privacy laws and regulations applicable to that data. You must know what types of data you have in order to manage the data at the granular level required for compliance purposes. Managing data at a granular level will also allow your company to strike the appropriate balance between compliance and efficiency. If your company’s data isn’t managed at this level of granularity, your company runs the risk of noncompliance or needless inefficiencies (e.g., increased storage and security costs). An effective information governance program is not only important as a risk management tool (by improving the ability to meet data compliance obligations), but it’s also important for budgeting and obtaining value from the data (i.e., reducing inefficiencies and costs by removing unneeded data).
The faster your company accumulates data and the more data your company accumulates, the less likely it is that the data will be viewed, analyzed, used or understood, which means the data has little value to your company. If you need to accumulate large amounts of data because it has potential value (e.g., for analytics and artificial intelligence), at a minimum the data should be anonymized so that it contains no personally identifiable or other sensitive information. This will allow your company to unlock the potential value without the fear of regulatory noncompliance.
For many companies, information governance is a manual process, but automating it is critical for any company maintaining large amounts of data. Manual information governance requires training every employee. Beyond individual employee responsibilities, a company must also assign responsibility for the data of former employees and for data that belongs to departments, projects, etc. rather than to individuals. Other considerations include data subject to litigation holds and who makes decisions about that data. Because manual information governance is an ongoing process, employees would be doing this work constantly, which is too time-consuming and impractical for any company with large amounts of data. The solution is to put processes in place that keep data organized, which includes automation.
Automated information governance involves applications that analyze the data and take action based on a company’s policies. Most automated solutions start with analyzing metadata (creation and modification dates, location, file type, author, etc.) to make policy decisions, such as around legal holds and ROT (redundant, obsolete or trivial) data. Newer and more advanced automated information governance solutions go beyond metadata analysis and use artificial intelligence (AI) to analyze content and make decisions. If your company maintains large amounts of data, this is the type of information governance solution your company should be preparing for if it’s not already using one.
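As an added illustration (not code from the article), here is a small Python policy engine of the kind described above: it takes file metadata (custodian, file type, modification date and a content digest) and applies the legal-hold rule before the ROT rules. The policy tables, custodian names, paths and hashes are constructed for the example; files whose type the metadata cannot place are routed to review, which is the gap the article says content analysis fills.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FileMeta:
    path: str
    custodian: str     # author or owner recorded in the file's metadata
    file_type: str     # classification the crawler assigned, e.g. "invoice"
    modified: date
    content_hash: str  # digest of the file body, computed by the crawler


# Constructed policy tables (assumption): retention period per type, and types treated as trivial.
RETENTION_YEARS = {"contract": 7, "invoice": 7, "email": 3}
TRIVIAL_TYPES = {"tmp", "log"}


def classify(files, legal_hold_custodians, today):
    """Map each path to a decision. The oldest copy of duplicate content is kept; a hold beats every ROT rule."""
    kept_copy = {}   # content_hash -> path of the copy being retained
    decisions = {}
    for f in sorted(files, key=lambda m: (m.modified, m.path)):
        years = RETENTION_YEARS.get(f.file_type)
        if f.custodian in legal_hold_custodians:
            verdict = "retain:legal-hold"            # litigation hold overrides every ROT rule
        elif f.file_type in TRIVIAL_TYPES:
            verdict = "delete:trivial"
        elif f.content_hash in kept_copy:
            verdict = "delete:redundant-of:" + kept_copy[f.content_hash]
        elif years is None:
            verdict = "review:unknown-type"          # metadata alone cannot decide; needs content analysis
        elif (today - f.modified).days > years * 365:  # approximate year length is fine for a retention check
            verdict = "delete:obsolete"
        else:
            verdict = "retain:in-period"
        if not verdict.startswith("delete"):
            kept_copy.setdefault(f.content_hash, f.path)
        decisions[f.path] = verdict
    return decisions


# Constructed sample inventory; paths, names and hashes are made up for this example.
SAMPLE_FILES = [
    FileMeta("/fin/inv-2008.pdf", "asmith", "invoice", date(2008, 3, 1), "h1"),
    FileMeta("/fin/inv-2015.pdf", "asmith", "invoice", date(2015, 6, 1), "h2"),
    FileMeta("/fin/inv-2015-copy.pdf", "bjones", "invoice", date(2016, 1, 10), "h2"),
    FileMeta("/legal/contract-2005.docx", "jdoe", "contract", date(2005, 5, 5), "h3"),
    FileMeta("/tmp/scratch.tmp", "asmith", "tmp", date(2016, 12, 30), "h4"),
    FileMeta("/hr/notes.xlsx", "bjones", "spreadsheet", date(2016, 11, 11), "h5"),
]


def run_sample():  # classify the sample as of 15 Jan 2017 with custodian jdoe under legal hold
    return classify(SAMPLE_FILES, {"jdoe"}, date(2017, 1, 15))
```

Running `run_sample()` keeps the held 2005 contract even though it is far past its retention period, deletes the 2008 invoice as obsolete, and flags the 2016 copy as redundant of the 2015 original.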
Many countries – and companies located in or with a presence in those countries – have been slow to adopt cloud-based governance solutions, primarily due to data sovereignty concerns. However, cloud-based governance and archiving solutions are evolving to meet evolving global demands. Cloud providers are now offering “in-country” cloud-based governance solutions (via the cloud provider or local partners), which should alleviate data sovereignty concerns and incentivize previously hesitant organizations to move information governance to the cloud. By adopting cloud-based governance solutions, companies will enhance their information governance programs because of the powerful analytics and AI capabilities that will now be available to them.
In-Place Records Management
If your company’s data is not centralized, whether in the cloud or on premises, In-Place Records Management is a good alternative to centralized cloud-based governance solutions. With In-Place Records Management, the governance solution does not move the data in order to manage it. Rather, the data remains in its original location while the governance solution applies the data retention policies. There are several advantages to this type of solution:
Turn AI into IA
Regardless of the type of information governance solution your company uses, it should be using a solution that includes machine learning. Machine learning used to only be associated with advanced analytics, but it is shifting toward empowering data-driven applications, including information governance applications. These applications analyze the content of large data sets to identify data types and data relationships not identifiable by metadata analysis. After using artificial intelligence (AI) to analyze content and make decisions about large data sets, your company can take advantage of machine learning by using the knowledge learned by AI to inform and assist with the ongoing employee processes related to information governance. In other words, turn AI into IA (intelligent assistance). Your company can take advantage of the intelligent assistance provided by these data-driven applications to manage the day-to-day process of your company’s information governance program, which will make it more efficient and more accurate.
Many companies continue to maintain data just in case they need it in the future. This practice is inefficient and leads to higher storage, application and security costs. Modern AI and analytics tools allow companies to minimize these inefficiencies and costs by performing deep analysis of the information and achieving insight that, when combined with granular data management policies, allows companies to automate data segregation, removal and migration. When data is managed using policies based on intelligent, granular data insight, companies not only remove inefficiencies and reduce costs, but they put themselves in a good position to defend their data retention policies (and keep only what they need).
AI and intelligent assistance will significantly enhance a company’s ability to comply with onerous data privacy laws and regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR), which will be enforced beginning on May 25, 2018 (see GDPR). If your company maintains or processes personally identifiable information about EU citizens, your company will soon have to accommodate new data subject rights under the GDPR. These data subject rights include:
In addition, under the GDPR, certain sensitive personal data (data relating to health and religious beliefs) requires a higher level of protection than other types of personal data. It’s critical for a company to be able to identify the types of data it maintains and be able to locate that data when necessary (e.g., legal holds, permissible disclosure, deletion).
Having an information governance program in place that takes advantage of powerful data identification technologies will greatly assist your company in complying with the GDPR. Because the GDPR is likely to be the model for other privacy laws, it may become the data management standard for all companies. But that’s a good thing, because the GDPR is a high standard to meet, and if your company is GDPR-compliant, it will likely be compliant, or very close to compliant, with other applicable privacy laws and regulations.
In addition to ensuring compliance, an effective information governance program can also enable your company to change its data retention culture. Many people are embracing minimalism and your company can too (at least with respect to its data). For individuals, minimalism can mean many different things: living with fewer material possessions, not owning a car, being able to travel the world, etc. But minimalism is more than that; it’s a tool that allows people to focus on what’s important and free themselves of the surplus in their lives. The same can apply to your company through its information governance program. By removing the ROT and other data that is not required to be kept any longer, your company can save money on data storage, reduce e-discovery costs, reduce risk and focus on other aspects of its data, which unlocks and increases the value of its now-manageable data. Simply put, your company’s information governance program can be used to develop a culture of data retention minimalism and allow your company to keep only the data that it needs.
William “Bill” O’Connor is a Certified Information Systems Security Professional, Certified Information Privacy Professional and a member of Baker Donelson’s Data Protection, Privacy and Cybersecurity Team, as well as the Corporate Finance & Securities Group. He can be reached at firstname.lastname@example.org.